StartCom & Qihoo Incidents


Ryan Sleevi

Oct 12, 2016, 3:12:08 PM
to mozilla-dev-s...@lists.mozilla.org
As Gerv suggested this was the official call for incidents with respect to StartCom, it seems appropriate to start a new thread.

It would seem that, in evaluating the relationship with WoSign and Qihoo, we naturally reach three possible conclusions:
1) StartCom is treated as an independent entity
2) StartCom is treated as a subsidiary of Qihoo
3) StartCom is treated as a subsidiary of WoSign

We know there are serious incidents with WoSign that, collectively, encourage the community to distrust future certificates. However, there hasn't been a similar investigation into the trustworthiness of StartCom as an independent entity or as an entity operated by Qihoo. It would seem that germane to the discussion is how trustworthy the claims are - from either StartCom or Qihoo - and how that affects trust.

Incidents with StartCom:
A) Duplicate Serials. https://bugzilla.mozilla.org/show_bug.cgi?id=1029884
We know that StartCom had issues issuing duplicate serials, in violation of RFC 5280. We know that they did not prioritize resolution, and when attempting resolution, did so incompletely, as the issue still resurfaced.

C) Improper OCSP responder. https://bugzilla.mozilla.org/show_bug.cgi?id=1006479 / https://bugzilla.mozilla.org/show_bug.cgi?id=1151270
We know that StartCom continues to have issues with their OCSP responder after they issue certificates. Presumably, this is a CDN distribution delay, but we can't be sure, especially considering Incident A was with the underlying systems. As a consequence of this, users with StartCom certificates are disproportionately disadvantaged from enabling OCSP stapling, which many browser programs support (and is perhaps the only viable path towards a complete revocation solution).

E) Heartbleed. https://bugzilla.mozilla.org/show_bug.cgi?id=994033 / https://bugzilla.mozilla.org/show_bug.cgi?id=994478
We know StartCom had a notoriously poor response to HeartBleed. Eddy first dismissed the significance, and then when proven wrong, still continued to charge $25 USD for revocation. Ostensibly, this is a violation of the Baseline Requirements, in that CAs are required to revoke certificates suspected of Key Compromise. However, despite the BRs effective date of 2012, Mozilla was not aggressively imposing compliance then (... or now, to be fair).

G) StartCom BR violations - IV https://bugzilla.mozilla.org/show_bug.cgi?id=1266942
StartCom was materially violating its CP/CPS and the Baseline Requirements with respect to certain types of validation. No explanation for the root cause provided.

I) StartCom BR violations (2) - Key Sizes https://bugzilla.mozilla.org/show_bug.cgi?id=1015767
StartCom was issuing certificates less than 2048 bits.

K) StartCom impersonating mozilla.com. https://bugzilla.mozilla.org/show_bug.cgi?id=471702
StartCom's (former) CEO Eddy Nigg obtained a key and certificate for www.mozilla.com and placed it on an Internet-facing server.

M) StartCom BR violations (3) - Key exponents https://bugzilla.mozilla.org/show_bug.cgi?id=1212655
StartCom was not enforcing the BRs with respect to RSA public exponents.

O) StartCom BR violations (4) - Curve violations https://bug98304.bugzilla.mozilla.org/show_bug.cgi?id=1269183
StartCom was not enforcing the BRs with respect to EC curve algorithms.



In addition to discussion of StartCom issues, it seems relevant to future trust to evaluate issues with Qihoo. Many in the Mozilla community may not have direct interactions with Qihoo, but they have obtained some notoriety in security circles.

Q.A) Qihoo masking their browser as a critical Windows security update to IE users.
http://wmos.info/archives/7717 / http://www.theregister.co.uk/2013/02/01/qihoo_government_warning_fraud/
Qihoo displayed a misleading security update for Windows users that instead installed their browser.

Q.C) Qihoo browser actively enables insecure cryptography.
https://docs.google.com/document/d/1b7lenmn5XO06QohaJzVffnJxjXjY1rD70wg34gfuxRo/edit
Qihoo's browser is notably insecure with respect to SSL/TLS, with some of the insecure changes requiring active modification to the low-level source libraries that Chromium (on which it is based) uses.

Q.E) Qihoo apps removed from app stores due to malware
https://www.techinasia.com/qihoo-committing-fraud-google-making-huge-mistake / https://www.techinasia.com/qihoo-apps-banned-apple-app-store
Qihoo Apps have repeatedly been banned from Apple's App Store due to issues

Q.G) Qihoo "security" apps repeatedly found as unfair competition
https://www.techinasia.com/qihoo-360-loses-chinas-courts-ordered-pay-sogou-82-million-unfair-competition



I hope the above show that the odds are if the original StartCom systems are restored, we're likely to continue to have significant BR violations - a pattern StartCom has repeatedly demonstrated over several years. Similarly, if we were to accept trust in Qihoo, then we would be ignoring the precedent Qihoo has set of choosing insecure and anti-user behaviours masked as "security".
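The four properties behind incidents A, I, M and O above (serial uniqueness, RSA modulus size, RSA public exponent, EC curve) are exactly what a CA should reject before it signs anything. Below is an added example of such a pre-issuance lint, written for this page; it is not StartCom's, WoSign's or Mozilla's code. It runs on constructed certificate records (plain dicts standing in for the fields an issuance pipeline holds before signing, an assumption; the issuer name and serials are made up) and applies the Baseline Requirements section 6.1.5/6.1.6 and RFC 5280 section 4.1.2.2 limits that were in force when this thread was written.

```python
"""Pre-issuance lint for the key and serial rules behind incidents A, I, M and
O above: RFC 5280 serial uniqueness and the Baseline Requirements' RSA size,
RSA exponent and EC curve rules. Added example for this page, not StartCom's
or Mozilla's code. Records are constructed dicts standing in for the fields a
CA pipeline holds before signing (an assumption); limits are the BR 1.4 / RFC
5280 values current at the time of the thread."""

from collections import defaultdict

# BR 6.1.5: RSA modulus at least 2048 bits; EC keys only on NIST P-256/384/521.
MIN_RSA_BITS = 2048
ALLOWED_EC_CURVES = {"secp256r1", "secp384r1", "secp521r1"}
# BR 6.1.6: exponent MUST be odd and >= 3, and SHOULD lie in [2^16+1, 2^256-1].
MIN_RSA_EXPONENT = 2**16 + 1
MAX_RSA_EXPONENT = 2**256 - 1
# RFC 5280 4.1.2.2: serial is a positive INTEGER of at most 20 DER octets and
# unique per issuer. (The BR's 64-bit CSPRNG rule is a property of the
# generator, not of one serial, so it is not checked here.)
MAX_SERIAL_OCTETS = 20


def lint_key(cert):
    """BR key-parameter findings for one record, prefixed MUST or SHOULD."""
    problems = []
    kind = cert["key_type"]
    if kind == "rsa":
        bits, e = cert["modulus_bits"], cert["exponent"]
        if bits < MIN_RSA_BITS:
            problems.append(f"MUST: rsa modulus {bits} < {MIN_RSA_BITS} bits")
        if e % 2 == 0 or e < 3:
            problems.append(f"MUST: rsa exponent {e} is even or below 3")
        elif not MIN_RSA_EXPONENT <= e <= MAX_RSA_EXPONENT:
            problems.append(f"SHOULD: rsa exponent {e} outside [2^16+1, 2^256-1]")
    elif kind == "ec":
        if cert["curve"] not in ALLOWED_EC_CURVES:
            problems.append(f"MUST: ec curve {cert['curve']} not permitted")
    else:
        problems.append(f"MUST: unsupported key type {kind}")
    return problems


def der_integer_octets(value):
    """Octets a minimal DER INTEGER needs; a positive value whose top bit is
    set gets a leading 0x00, so 2^159 already takes 21 octets."""
    return value.bit_length() // 8 + 1


def lint_serial(cert):
    """RFC 5280 serial findings visible on a single record."""
    serial = cert["serial"]
    if serial <= 0:
        return ["MUST: serial must be positive"]
    octets = der_integer_octets(serial)
    if octets > MAX_SERIAL_OCTETS:
        return [f"MUST: serial encodes to {octets} octets > {MAX_SERIAL_OCTETS}"]
    return []


def lint_batch(certs, already_issued=()):
    """Lint each record and enforce serial uniqueness per issuer. The set of
    seen serials must cover everything the issuer has ever signed (passed in
    as already_issued), not just this batch; a check scoped to one run is
    exactly how a duplicate-serial bug 'resurfaces' after a fix."""
    seen = defaultdict(set)
    for old in already_issued:
        seen[old["issuer"]].add(old["serial"])
    findings = {}
    for cert in certs:
        problems = lint_key(cert) + lint_serial(cert)
        if cert["serial"] in seen[cert["issuer"]]:
            problems.append(f"MUST: duplicate serial {cert['serial']:#x} under {cert['issuer']}")
        seen[cert["issuer"]].add(cert["serial"])
        if problems:
            findings[cert["id"]] = problems
    return findings


# Constructed sample records (not real certificates); the issuer name is made up.
CA = "CN=Example Class 1 CA"


def rsa(cert_id, serial, bits=2048, e=65537):
    return {"id": cert_id, "issuer": CA, "serial": serial,
            "key_type": "rsa", "modulus_bits": bits, "exponent": e}


ISSUED_LOG = [rsa("old-1", 0x1A2B3C4D5E6F7081)]
BATCH = [
    rsa("ok", 0x2B3C4D5E6F708192),
    rsa("short-key", 0x3C4D5E6F70819203, bits=1024),
    rsa("even-exp", 0x4D5E6F7081920314, e=65536),
    rsa("small-exp", 0x5E6F708192031425, e=3),
    {"id": "bad-curve", "issuer": CA, "serial": 0x6F70819203142536,
     "key_type": "ec", "curve": "secp256k1"},
    rsa("dup-of-log", 0x1A2B3C4D5E6F7081),
    rsa("dup-in-batch", 0x2B3C4D5E6F708192),
    rsa("too-long", 1 << 159),
]

if __name__ == "__main__":
    for cert_id, problems in lint_batch(BATCH, ISSUED_LOG).items():
        print(cert_id, problems)
```

Running it prints one line per failing record. The part worth taking from the duplicate-serial case is in lint_batch: uniqueness only means something against the issuer's complete issuance history, which is why a fix that only de-duplicates within a single run can let the problem come back.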

Han Yuwei

Oct 12, 2016, 5:28:03 PM
to mozilla-dev-s...@lists.mozilla.org
On Thursday, October 13, 2016 at 3:12:08 AM UTC+8, Ryan Sleevi wrote:
As a Chinese Internet user, I would say that Qihoo has a very negative reputation in the Chinese online community for its precedent's malware (maybe not accurate) and some awful actions such as the "3Q Battle", installing software silently, misleading ads, suspiciously collecting data which is believed to help the government monitor citizens, and so on. But on the other hand, their product, "360安全卫士" (360 Total Security) (the two names are not the same version, but I can't find another English name), as I thought, has improved the overall security level of the Chinese Internet. And it has changed the ecosystem of Chinese anti-malware software, which I don't know whether is good or bad. And it is believed that Qihoo has a tight connection with the Great Fire Wall project.

Since "The Big Brother is Watching you" is not accepted in Mozilla, I thought Qihoo is not trustworthy in operating a CA.

P.S. Does anyone know how to change the font size in Google Groups? As a non-native English speaker it is hard for me to read such a small size in the content.

Stefan Paletta

Oct 12, 2016, 9:11:30 PM
to dev-secur...@lists.mozilla.org
> Similarly, if we were to accept trust in Qihoo, then we would be ignoring the precedent Qihoo has set of choosing insecure and anti-user behaviours masked as "security".

I dare say your cert store will end up as a pretty lonely place if you start investigating CAs –outside the realm of CA per se– and their parent companies for questionable security and shady business.

–Stefan

谭晓生

Oct 12, 2016, 10:58:34 PM
to Han Yuwei, mozilla-dev-s...@lists.mozilla.org
Yuwei,
I don't know who you are, but I can tell you and the community that Qihoo 360 has never been involved in the ***** Fire Wall project. If you did some investigation into the message that accused Qihoo 360 of joining the project "Search Engine Content Security Management System", you would know the project had been done in Feb 2005, before Qihoo 360 was founded in Aug 2005, and the project is neither part of the ***** fire wall project nor a project done by Qihoo 360; actually it was part of the effort to help Yahoo's search engine work in China. I was the tech head of Yahoo! China's tech team, director of engineering and soon the CTO of Yahoo! China; I know what happened at that time.

Thanks,
Xiaosheng Tan



On 2016/10/13 at 5:22 AM, "dev-security-policy on behalf of Han Yuwei" <dev-security-policy-bounces+tanxiaosheng=360...@lists.mozilla.org on behalf of hanyu...@gmail.com> wrote:


shan...@gmail.com

Oct 13, 2016, 2:01:18 AM
to mozilla-dev-s...@lists.mozilla.org
On Thursday, October 13, 2016 at 6:24:50 AM UTC+8, Percy wrote:
> The Chinese wikipedia has well documented controversies surrounding Qihoo 360. Unfortunately, it's not translated into the English Wikipedia. So please go to https://zh.wikipedia.org/wiki/%E5%A5%87%E8%99%8E360#.E5.95.86.E4.B8.9A.E7.9F.9B.E7.9B.BE.E4.B8.8E.E4.BA.89.E8.AE.AE.E4.BA.8B.E4.BB.B6 and use Google Translate.

Kingsoft published an article titled "360 suspected of stealing user privacy" and spread the related information through pop-ups in Kingsoft Battery Doctor

This is true; search for upload.360safe.com.

yliv...@gmail.com

Oct 13, 2016, 2:01:19 AM
to mozilla-dev-s...@lists.mozilla.org
Anyway, Qihoo is an SOB company in China.

When I bought my Nokia 5320 in 2010, I installed 360 anti-virus on it; it took my contacts and wrote them out as a text file in txt format. I was scared, and I have never used anything from 360 since.

zjuni...@gmail.com

Oct 13, 2016, 2:01:23 AM
to mozilla-dev-s...@lists.mozilla.org
The person who founded Qihoo 360, Hongwei Zhou (周鸿祎), is the creator of the malware named 3721. 3721 was the most widely spread malware in China before the company Qihoo 360 was founded. The reason that "360安全卫士" (360 Total Security), which is the most important product of Qihoo 360, became popular is that it was the best software for removing malware, especially 3721. As the creator of the most widely spread malware, it is not surprising that 360 Total Security works well at removing malware. However, I will never trust security software made by the one who made malware, just as I will never hire a guard who was a thief.

As a Chinese Internet user, I strongly recommend removing the CAs related to Qihoo 360.

anklm

Oct 13, 2016, 2:01:23 AM
to mozilla-dev-s...@lists.mozilla.org
You have mentioned "Qihoo masking their browser as a critical Windows security update to IE users", but their browser is also fully insecure.

"Qihoo 360 Safe Browser" ignores SSL certificate errors and opens the page directly, with cookies.

First seen 2014: https://cabforum.org/pipermail/public/2014-October/004284.html

2015 again: https://cabforum.org/pipermail/public/2015-May/005579.html

Just now I downloaded their browser in my virtual machine; it still opens my website with a self-signed certificate without any warning.

谭晓生

Oct 13, 2016, 2:27:21 AM
to yliv...@gmail.com, mozilla-dev-s...@lists.mozilla.org
Things are getting interesting. The webpage is about the 19 internet security researchers honored by the China government; some of them are university professors, like Professor Xiaoyun Wang, who contributed a lot to cryptology (MD5 & SHA-1), Min Yang, Haixin Duan, Jianwei Liu, Xingshu Chen……, and the fellow of the China Academy of Engineering, Mr. Changxiang Shen; there are also officers of the Administration of Public Security. Are they treated as "Bad Guys" in this community?

Mr. Wenbin Zheng, the GM of the Core Security BU of Qihoo 360, is one of the 19 honored people there. He is the most experienced engineer in Microsoft Windows driver development, focused on DEFENDING against virus/Trojan attacks on Microsoft Windows; the XP Shield made by his team provides additional protection to XP users, effectively.

Maybe we should consider technology, product/service and politics separately. Somebody may not be a fan of some government, but if we mix technology, product/service and politics together, it might make the world even worse.

Thanks,
Xiaosheng Tan


On 2016/10/13 at 12:42 PM, "dev-security-policy on behalf of yliv...@gmail.com" <dev-security-policy-bounces+tanxiaosheng=360...@lists.mozilla.org on behalf of yliv...@gmail.com> wrote:

Would this be enough?
http://www.cac.gov.cn/2016-09/19/c_1119583763.htm

On Thursday, October 13, 2016 at 10:58:34 AM UTC+8, 谭晓生 wrote:

谭晓生

Oct 13, 2016, 3:22:00 AM
to shan...@gmail.com, mozilla-dev-s...@lists.mozilla.org
There could be multiple books telling the story of Qihoo 360 and Mr. Hongyi Zhou. Qihoo 360 fought with Baidu, Alibaba & Tencent, the three largest internet companies of China, over the past 10 years; there were a lot of lawsuits, wins and losses alike. The ecosystem of the Chinese internet is a little bit different from the rest of the world, but it is not my focus to discuss that here.
After 11 years, Qihoo 360 is the largest internet security company in China, and its products are widely adopted by Chinese internet users; that is not something that could be dictated by the government, so we must have done something right.

Thanks,
Xiaosheng Tan

On 2016/10/13 at 10:35 AM, "dev-security-policy on behalf of shan...@gmail.com" <dev-security-policy-bounces+tanxiaosheng=360...@lists.mozilla.org on behalf of shan...@gmail.com> wrote:

solar

Oct 13, 2016, 4:23:03 AM
to mozilla-dev-s...@lists.mozilla.org
Mr. Xiaosheng Tan

According to the page with your personal details (http://baike.baidu.com/view/4571996.htm) on Baidu Baike, you are currently the CTO and VP of Qihoo. And you have a long record of working, and even studying, with Hongyi Zhou, the CEO and owner of Qihoo, who was titled "the father of Chinese malware" by netizens.

So, do you represent your company to explain the issues? or Hongyi Zhou? or only yourself?

On Thursday, October 13, 2016 at 10:58:34 AM UTC+8, 谭晓生 wrote:

Eddy Nigg

Oct 13, 2016, 5:03:05 AM
to mozilla-dev-s...@lists.mozilla.org
On 10/12/2016 10:11 PM, Ryan Sleevi wrote:
> As Gerv suggested this was the official call for incidents with respect to StartCom, it seems appropriate to start a new thread.

Ryan, it was probably easy to dig up any possible claimed or proven
issue ever surrounding StartCom during its ~ 10 years of operation. But
if this is your level of measurement for remaining in a root store, then
you have probably some other and larger CAs that would require your
immediate attention more urgently....

> Incidents with StartCom:

As most issues have been discussed and explained at that time, I'm not
sure about its usefulness to repeat the same arguments and explanations
again. Most issues you are listing were mostly minor (but makes your
list longer of course) and have been effectively and properly dealt with.

> K) StartCom impersonating mozilla.com. https://bugzilla.mozilla.org/show_bug.cgi?id=471702
> StartCom's (former) CEO Eddy Nigg obtained a key and certificate for www.mozilla.com and placed it on an Internet-facing server.

You make this appear as if StartCom used its capacity as a certificate
authority to somehow abuse somebody or something, but for the wider
audience:

I was able to obtain a certificate for mozilla.org from Comodo without
having the authority to validate said domain name - in fact I could have
obtained also wild cards and many more certificates for any domain name
had I been willing to pay for it. I installed the certificate at
a local server as a proof in the same fashion millions of web sites
install theirs. The private key was never published to any third party
and was eventually destroyed.

Interesting that you are using it to shoot the messenger from back then
and list this as an item against StartCom :-)

> I hope the above show that the odds are if the original StartCom systems are restored, we're likely to continue to have significant BR violations - a pattern StartCom has repeatedly demonstrated over several years.

There is no plan to use software that doesn't comply to the various
requirements and it has never been. I'm not claiming that there have
been zero issues during the last ten years, but StartCom has always had
clear policies and practices in place about how to deal with an issue
reasonably according to its significance, seriousness and importance.

--
Regards
Signer: Eddy Nigg, Founder
StartCom Ltd. <http://www.startcom.org>
XMPP: star...@startcom.org <xmpp:star...@startcom.org>

谭晓生

Oct 13, 2016, 5:18:59 AM
to solar, mozilla-dev-s...@lists.mozilla.org
The information on Baidu Baike is not correct. I tried to correct it, but failed; I don't know why.
I have been Vice President of Qihoo 360 since the end of 2009, was installed as Chief Privacy Officer on 15th March 2012 as well, and have been titled Chief Security Officer of Qihoo 360 since Feb 2016. I have never been the CTO of Qihoo 360.
I am a schoolmate of Mr. Hongyi Zhou, same grade but not the same class, both in the Computer Science and Engineering Dept of Xi'an Jiaotong University from 1988 to 1992. I worked for Mr. Zhou from 2003 to 2005, then from 2009 till now.
I am here on behalf of myself, and answer some questions about Qihoo 360 under the authority of my responsibility as Chief Security Officer; I should take care of information security related issues.
Does anybody think all the information in cyberspace is true? It is funny.

Thanks,
Xiaosheng Tan

On 2016/10/13 at 4:22 PM, "dev-security-policy on behalf of solar" <dev-security-policy-bounces+tanxiaosheng=360...@lists.mozilla.org on behalf of sof...@gmail.com> wrote:

solar

Oct 13, 2016, 5:26:47 AM
to mozilla-dev-s...@lists.mozilla.org
Some more information.

3721 helper, the most notorious malware in China, was created by Hongyi Zhou and his company 3721 in 1998. According to Mr. Tan's bio, he was the development director of 3721. So I believe he directly participated in and led the development of the malware.

There is other evidence of Qihoo cooperating with the Chinese government to censor the internet. Last year, the Ministry of Public Security (the stakeholder of the GFW) gave an award to Qihoo to recognize their long-time support for censorship, especially during the event of the 70th anniversary of the victory of World War II. The official paper of the award (http://www.canyu.org/n102771c6.aspx) was listed on Qihoo's website. But it was soon removed, before being widely exposed in public. Moreover, the Chinese name (谭晓生) of Mr. Tan Xiaosheng was mentioned in the official paper.

I do NOT trust the person who developed malware, and I also do NOT trust the CA involved in censorship.

Han Yuwei

Oct 13, 2016, 9:28:21 AM
to mozilla-dev-s...@lists.mozilla.org
On Thursday, October 13, 2016 at 10:58:34 AM UTC+8, 谭晓生 wrote:
Maybe my English is not good enough, so you may have mistaken my meaning. What I said was pointing out that there may be a connection between Qihoo and the GFW project. There are a lot of reports saying that 360 has reported their Shadowsocks/VPN server IP addresses and their servers got banned. I am not endorsing these reports, just telling everyone that there is something about this. I do appreciate what you and your team have done for the security of the Chinese Internet. And personally I support surveillance over the Internet for public security. But when it comes to CAs, I think Qihoo is not fit to operate a CA due to the security flaws and attitude shown with 360 Secure Browser, and Gerv may remember that.

Han Yuwei

Oct 13, 2016, 9:33:24 AM
to mozilla-dev-s...@lists.mozilla.org
On Thursday, October 13, 2016 at 2:01:19 PM UTC+8, yliv...@gmail.com wrote:
They have improved the security of the Chinese Internet, OK? It seems like somebody regards official security staff as devils who help the government restrict the Chinese Internet. This kind of discrimination will DESTROY the Chinese Internet.

谭晓生

Oct 13, 2016, 11:01:22 AM
to solar, mozilla-dev-s...@lists.mozilla.org
Are there any words saying "award to Qihoo to recognize their long time support for censorship"?
It is an official thank-you letter from the Ministry of Public Security of the People's Republic of China, the equivalent of the FBI in the U.S.; it thanks my team and me for joining the information security work for the 3rd September military review event! I can tell you that my team and I joined the information security work for the G20 meeting that just finished last month; I might get a thank-you letter soon. Is there anything wrong with doing that?

If anybody cares about this, please ask somebody to translate this letter for you. I do not have time to waste here on somebody who lied.

As for the malware accusations: Yahoo acquired 3721 in 2003. Do you think Yahoo acquired a malware company? Did any anti-virus software kill 3721's software?

Thanks,
Xiaosheng Tan



On 2016/10/13 at 5:26 PM, "dev-security-policy on behalf of solar" <dev-security-policy-bounces+tanxiaosheng=360...@lists.mozilla.org on behalf of sof...@gmail.com> wrote:

hand...@gmail.com

Oct 13, 2016, 11:10:10 AM
to mozilla-dev-s...@lists.mozilla.org
360 and 周鸿祎 (Hongyi Zhou) are both shameless.

gala...@gmail.com

Oct 13, 2016, 11:10:11 AM
to mozilla-dev-s...@lists.mozilla.org
According to this newspaper, 360 did join the GFW project on 2012-07-02.
http://web.archive.org/web/20120705031419/http://www.21cbh.com/HTML/2012-7-2/2NMDM2XzQ2NTU2Nw.html

However, the chief of 360, 周鸿祎, personally said it is not true in a local SNS site.

On Thursday, October 13, 2016 at 10:58:34 AM UTC+8, 谭晓生 wrote:

amelyee

Oct 13, 2016, 12:16:58 PM
to mozilla-dev-s...@lists.mozilla.org
Qihoo was considered to be the one behind the WireLurker malware on iOS and OS X.
https://www.zhihu.com/question/26544641

popcorn

Oct 13, 2016, 12:16:58 PM
to mozilla-dev-s...@lists.mozilla.org
There were comments admonishing StartCom and WoSign for not reporting change of ownership in a timely manner.

I am not sure if this has been reported earlier, but if not, then Qihoo 360 change of ownership may be relevant to the current discussion:

http://www.prnewswire.com/news-releases/qihoo-360-announces-completion-of-merger-300299435.html

Jakob Bohm

Oct 13, 2016, 12:51:11 PM
to mozilla-dev-s...@lists.mozilla.org
I just skimmed it, and that just looks like Qihoo 360 acquired some
other companies that I don't recognize and did so by technically
merging the company while concentrating ownership with the existing
Qihoo 360 shareholders.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

nessun...@gmail.com

Oct 13, 2016, 1:08:13 PM
to mozilla-dev-s...@lists.mozilla.org
On Thursday, October 13, 2016 at 7:51:11 PM UTC+3, Jakob Bohm wrote:

> I just skimmed it, and that just looks like Qihoo 360 acquired some
> other companies that I don't recognize and did so by technically
> merging the company while concentrating ownership with the existing
> Qihoo 360 shareholders.

"the Company (namely, Qihoo 360) became a wholly owned subsidiary of Midco"

Ryan Sleevi

Oct 13, 2016, 2:23:26 PM
to mozilla-dev-s...@lists.mozilla.org
On Thursday, October 13, 2016 at 2:03:05 AM UTC-7, Eddy Nigg wrote:
> Ryan, it was probably easy to dig up any possible claimed or proven
> issue ever surrounding StartCom during its ~ 10 years of operation. But
> if this is your level of measurement for remaining in a root store, than
> you have probably some other and larger CAs that would require your
> immediate attention more urgently....

As usual, you seem to be dismissive of any concerns about StartCom's compliance.

The core issue is whether StartCom is a trustworthy organization, if operated independently. Key to that is the ability of StartCom to abide by the Baseline Requirements and to treat the incidents as serious and warranting attention. Your reply, though unclear in what capacity you continue to represent StartCom, highlights the traditional dismissiveness - both of the message and the messenger - and the attempt to reply to incidents with "Somebody else did this".

If we are to accept that WoSign's past actions are not predictive of StartCom's future, then we must accept that StartCom's past actions are - and the past actions show a pattern of disregard. Whether or not others show that similar disregard is, to some extent, immaterial to the question as to whether StartCom was competently operated, is competently operated, and will be competently operated.

> As most issues have been discussed and explained at that time, I'm not
> sure about it's usefulness to repeat the same arguments and explanations
> again. Most issues you are listing were mostly minor (but makes your
> list longer of course) and have been effectively and properly dealt with.

Isn't this the same response WoSign made? Isn't the fact that there is a pattern of misissuances - and dismissiveness - material to the claim as to whether StartCom ever was, or is, trustworthy?

> You make this appear as if StartCom used its capacity as a certificate
> authority to somehow abuse somebody or something,

I didn't - and the linked bug doesn't suggest that either.

> Interesting that you are using it to shoot the messenger from back then
> and list this as an item against StartCom :-)

The ability to responsibly handle security incidents in the past is relevant to the ability to responsibly handle security incidents in the future.

> I'm not claiming that there have
> been zero issues during the last ten years, but StartCom has had always
> clear policies and practices in place about how to deal with an issue
> reasonably according to its significance, seriousness and importance.

For those that do investigate into the linked bugs, I suspect they will likely reach a conclusion that you and StartCom have routinely underestimated significance, downplayed seriousness, and not always acted reasonably. Similarly, with respect to elements such as duplicate serial numbers or OCSP responders, patterns of behaviour which have short- and long-term negative effects on the WebPKI are routinely missed for deadlines and remediation.

This naturally argues for a conclusion that, for the set of outstanding issues to be remediated in response to the WoSign acquisition of StartCom, that StartCom may miss deadlines for remediation.

To some extent, this may be moot due to Kathleen's proposal, but I don't think your assertions should remain unchallenged while people mull and evaluate whether or not it's appropriate to treat StartCom as the WoSign subsidiary that it was and currently is.

solar

Oct 13, 2016, 2:46:07 PM
to mozilla-dev-s...@lists.mozilla.org
Indeed, Yahoo! has a bad reputation on both spyware/malware[1] and censorship[2].

Ironically, Yahoo! Assistant, the successor of 3721 Internet Assistant (also called 3721 helper) was identified as malware by 360Safe, which is a product of Qihoo 360.[3]

In 2007, Eric Yang, the co-founder and CEO of Yahoo! faced questions from a Congressional committee with respect to the company role in the arrests of journalists in China.[4]

Recently, it was exposed that Yahoo! secretly built a custom software program to search all of its customers' incoming emails for specific information.[5]

[1] https://en.wikipedia.org/wiki/Criticism_of_Yahoo!#Adware_and_spyware
[2] https://en.wikipedia.org/wiki/Criticism_of_Yahoo!#Work_in_the_People.27s_Republic_of_China
[3] https://en.wikipedia.org/wiki/Yahoo!_Assistant
[4] https://en.wikipedia.org/wiki/Jerry_Yang#Chinese_government_collaboration_controversies
[5] http://www.reuters.com/article/us-yahoo-nsa-exclusive-idUSKCN1241YT

Gervase Markham

Oct 14, 2016, 6:01:16 AM
to Ryan Sleevi
On 12/10/16 20:11, Ryan Sleevi wrote:
> As Gerv suggested this was the official call for incidents with
> respect to StartCom, it seems appropriate to start a new thread.

There are indeed more of these than I remember or knew about. Perhaps it
would have been sensible to start a StartCom issues list earlier. In my
defence, investigating one CA takes up a lot of time on its own, let
alone two :-)

> K) StartCom impersonating mozilla.com.
> https://bugzilla.mozilla.org/show_bug.cgi?id=471702 StartCom's
> (former) CEO Eddy Nigg obtained a key and certificate for
> www.mozilla.com and placed it on an Internet-facing server.

I do consider it a significant error of judgement for Eddy to have
chosen www.mozilla.com, rather than a site owned and controlled by him
or by a third party with whom he had an agreement, for his demonstration.

On the other hand, this happened 8 years ago. I'd be interested in your
comments, Ryan, on whether you think it's appropriate for us to have
some sort of informal "statute of limitations". That is to say, in
earlier messages you were worried about favouring incumbents. But if
there is no such statute, doesn't that disadvantage incumbents? No code
is bug-free, and so a large CA with many products is going to have
occasional troubles over the years. If they then have a larger issue, is
it reasonable to go trawling back 10 years through the archives and pull
out every problem there's ever been? This is a genuine question, not a
rhetorical one.

All the WoSign issues I documented were from the past two years. Many of the
StartCom issues you list are 2.5 - 3.5 years old. That may not be long
enough, but how long is?

Gerv

Ryan Sleevi

Oct 14, 2016, 1:44:01 PM
to mozilla-dev-s...@lists.mozilla.org
On Friday, October 14, 2016 at 3:01:16 AM UTC-7, Gervase Markham wrote:
> There are indeed more of these than I remember or knew about. Perhaps it
> would have been sensible to start a StartCom issues list earlier. In my
> defence, investigating one CA takes up a lot of time on its own, let
> alone two :-)

10 minutes with "site:bugzilla.mozilla.org StartCom"

Which was only possible due to the many Mozilla contributors who, when they saw something improper, filed bugs. I just want to make sure to thank all of the contributors who have done so, and hopefully continue to do so.

> On the other hand, this happened 8 years ago. I'd be interested in your
> comments, Ryan, on whether you think it's appropriate for us to have
> some sort of informal "statute of limitations". That is to say, in
> earlier messages you were worried about favouring incumbents. But if
> there is no such statute, doesn't that disadvantage incumbents? No code
> is bug-free, and so a large CA with many products is going to have
> occasional troubles over the years. If they then have a larger issue, is
> it reasonable to go trawling back 10 years through the archives and pull
> out every problem there's ever been? This is a genuine question, not a
> rhetorical one.

Right, I had the same question when investigating. We know Eddy's position on it ('It was in the past, get over it' - if I may so aggressively strawman). I suppose a core question is: What is the goal of the root program? Should there be a higher bar for removing CAs than adding them? Does trust increase or decrease over time?

That is, I can totally see the argument that frequently adding new CAs is bad, because new CAs may not have the organizational or operational experience to meet the high bar expected of CAs. We frequently see this with addition requests - CAs well below what the community standard might be. In this model, the more time passes, the more institutional knowledge and expertise the organization develops, the better users are protected by keeping CAs in longer (and allowing them to remediate).

Another view is that we want a consistent bar, and that means CAs that fall short of that should be culled, regardless of age of the CA. This model suggests that a longitudinal analysis of a CA's operation is necessary - that we must never forget past mistakes when evaluating current mistakes or in predicting future mistakes.

We can hopefully assume that CA incidents are rare, at least for an individual CA, and so we may never get sufficient samples to accurately predict future behaviour. Analyzing a longer period of time gives us data to establish a pattern and trend, but also disadvantages those who go through 'growing pains' on their way to becoming a mature CA.

I don't have a good answer for your question in the general case, for reasons hopefully explained, but I think towards the question of predicting responsiveness to incidents, and how they'll be treated, I think the longer analysis of StartCom is useful for the discussion. My own gut is that the ecosystem is better served if we look at the whole of a CA's operation. My view is that the theory that experience is developed over time is one not borne out by practice - what we see instead is the same players from existing CAs shifting around to different organizations.

> All the WoSign issues I documented were in the past two years. Many of the
> StartCom issues you list are 2.5 - 3.5 years old. That may not be long
> enough, but how long is?

Well, the past year it's been run by WoSign, so 2.5 - 3.5 years really reflects the past 1.5 to 2.5 years of independent operation, right?

Eddy Nigg

Oct 14, 2016, 4:03:30 PM10/14/16
to mozilla-dev-s...@lists.mozilla.org
On 10/14/2016 01:00 PM, Gervase Markham wrote:
>> K) StartCom impersonating mozilla.com.
>> https://bugzilla.mozilla.org/show_bug.cgi?id=471702 StartCom's
>> (former) CEO Eddy Nigg obtained a key and certificate for
>> www.mozilla.com and placed it on an Internet-facing server.
> I do consider it a significant error of judgement for Eddy to have
> chosen www.mozilla.com, rather than a site owned and controlled by him
> or by a third party with whom he had an agreement, for his demonstration.

Well, at the time I didn't think that much - I noticed it when requesting a
certificate for startcom.org in order to investigate a completely
different issue and later got one for mozilla.org (note it wasn't .com).
Initially I thought about some really high-profile name, but then I
tried with mozilla.org since I assumed that A) Mozilla will forgive me
and B) I was frequently involved here at that time. :-)

Surprisingly it worked and I got my certificate for mozilla.org....

> On the other hand, this happened 8 years ago. I'd be interested in your
> comments, Ryan, on whether you think it's appropriate for us to have
> some sort of informal "statute of limitations". That is to say, in
> earlier messages you were worried about favouring incumbents. But if
> there is no such statute, doesn't that disadvantage incumbents? No code
> is bug-free, and so a large CA with many products is going to have
> occasional troubles over the years. If they then have a larger issue, is
> it reasonable to go trawling back 10 years through the archives and pull
> out every problem there's ever been? This is a genuine question, not a
> rhetorical one.

I believe there is also something called "reasonability" - I believe
during my tenure StartCom tried to reduce risks first and foremost
through its policies, honestly and earnestly. And then unintentional
mistakes and issues can happen....

Of course every CA wants to issue hundreds of thousands of certificates,
but it usually doesn't start like this. I admit that some of the issues
were due to growth pain, scalability or simply don't happen below a
certain number of users/certificates. Any programmer working on larger
scale projects and long enough in the profession can tell some stories
about bugs that happen only every 50K or 50M times.

I don't want to offer cheap excuses, but reality has it that things do
happen and this is also part of that "reasonability". CAs must however
have policies and procedures in order to evaluate issues that do happen,
make the correct assessment and deliver a reasonable solution based
thereof. This is the logic of a correctly functioning CA (or other
businesses for that matter), this is what auditors verify and what
software vendors should expect.

There is no business, no software and no certificate authority without
fault - realistically and reasonably.

Peter Gutmann

Oct 14, 2016, 6:44:50 PM10/14/16
to Ryan Sleevi, mozilla-dev-s...@lists.mozilla.org
Ryan Sleevi <ry...@sleevi.com> writes:

>What is the goal of the root program? Should there be a higher bar for
>removing CAs than adding them? Does trust increase or decrease over time?

Another thing I'd like to bring up is the absolute silence of the CAB forum
over all this. Apple have quietly unilaterally distrusted, Mozilla have
debated at length (three months now) and are taking action, but the regulatory
body that should be taking charge, the CAB forum, has (apparently) taken
absolutely no action.

Does anyone know the position among other browser vendors, Chrome, IE, Opera,
Konqueror, Chromium, Midori, the dozen or more forks of various bigger
browsers, the dozens(?) of mobile browsers, and so on?

Peter.

Peter Bowen

Oct 14, 2016, 7:11:00 PM10/14/16
to Peter Gutmann, Ryan Sleevi, mozilla-dev-s...@lists.mozilla.org
On Fri, Oct 14, 2016 at 3:44 PM, Peter Gutmann
<pgu...@cs.auckland.ac.nz> wrote:
> Ryan Sleevi <ry...@sleevi.com> writes:
>
>>What is the goal of the root program? Should there be a higher bar for
>>removing CAs than adding them? Does trust increase or decrease over time?
>
> Another thing I'd like to bring up is the absolute silence of the CAB forum
> over all this. Apple have quietly unilaterally distrusted, Mozilla have
> debated at length (three months now) and are taking action, but the regulatory
> body that should be taking charge, the CAB forum, has (apparently) taken
> absolutely no action.

The CA/Browser Forum is not a regulatory body. They publish
guidelines but do not set requirements nor regulate compliance. The
Forum does not require that members follow the Forum guidelines; it
only requires that they are either a browser or CA operator following
the basic WebTrust requirements or ETSI requirements.

What action would you expect the Forum to be taking?

Thanks,
Peter

Ryan Sleevi

Oct 14, 2016, 7:12:07 PM10/14/16
to mozilla-dev-s...@lists.mozilla.org
On Friday, October 14, 2016 at 3:44:50 PM UTC-7, Peter Gutmann wrote:
> Another thing I'd like to bring up is the absolute silence of the CAB forum
> over all this.

It has not been.

> Apple have quietly unilaterally distrusted, Mozilla have
> debated at length (three months now) and are taking action,

mid-August to mid-October is not three months.

> but the regulatory body that should be taking charge, the CAB forum,

The CA/B Forum is not a regulatory body.

> has (apparently) taken absolutely no action.

What action is there for the Forum to take, if your description (though inaccurate) was accepted?

> Does anyone know the position among other browser vendors, Chrome, IE,

IE > Edge

> Opera, Konqueror, Chromium, Midori,

You treated three Chromium-based browsers (Opera, Chrome, Chromium) as distinct, and referenced two others (Konqueror, Midori) which have yet to manage their own root store or policies.

Peter Gutmann

Oct 14, 2016, 7:20:13 PM10/14/16
to Ryan Sleevi, mozilla-dev-s...@lists.mozilla.org
Ryan Sleevi <ry...@sleevi.com> writes:
>On Friday, October 14, 2016 at 3:44:50 PM UTC-7, Peter Gutmann wrote:
>> Another thing I'd like to bring up is the absolute silence of the CAB forum
>> over all this.
>
>It has not been.

I haven't heard anything from them. If they've made any statements, they've
been very quiet about it.

>> Apple have quietly unilaterally distrusted, Mozilla have
>> debated at length (three months now) and are taking action,
>

>mid-August to mid-October is not three months.

August, September, October, seems like three to me.

>[blah blah blah nitpick nitpick nitpick]

Response, response, response, boring boring boring.

Any chance of answering my question? What's the CAB forum doing? What are
other browser vendors doing?

Peter.

Peter Gutmann

Oct 14, 2016, 7:33:05 PM10/14/16