<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
this is a re-worked report i prepared that some might find useful.<br>
<br>
<b>CAUTION:</b> there are several seriously troubling events
surrounding WoSign <font color="#ff0000"><b><sup>1</sup></b></font>
(AKA startcom, AKA startssl, and AKA startencrypt) and any of their
affiliated/subsidiary businesses:<br>
<ol>
<li>wosign purchased startcom/startssl/startencrypt [DBA's of
'Start Commercial LTD' (an Israeli company); hereinafter '<b>startcom</b>']
last year. although obfuscation by the parties makes determining
the actual control-transfer date impossible, the change-over may
have begun in 2014. both companies long completely and publicly
denied any change of control even as late as 2016.JUL despite it
being a matter of public record that:
<ol start="1" type="a">
<li> the entire stock issuance from 15 startcom shareholders
including founder Revital (AKA 'Eddy') Nigg's majority
ownership was transferred in 2015.NOV;</li>
<li> beneficiary of the stock deal was 'StartCom CA Limited' a
UK company (09744347);</li>
<li> the UK company is wholly-owned by 'StartCom CA Limited'
(yes, exactly the same name again) a Hong Kong company (CRN
2271553) with a sole director being Wang <font
color="#ff0000"><b><sup>1</sup></b></font>; and</li>
<li> the Hong Kong entity is then owned by wosign.<br>
</li>
</ol>
</li>
<li>in fact, to-date neither firm has actually admitted what has
happened re transfer of control, domiciling of operations, and
changes in management personnel. this reticence is despite some
aspects of the transactions becoming common knowledge in the
security community;<br>
</li>
<li>wosign attempted (rather poorly it turned out) to make it
appear that wosign was actually a subsidiary of startcom and
startcom's remnant personnel and former shareholders abetted
this <b><font color="#ff0000"><sup>2</sup></font></b>;</li>
<li>startcom is an Israeli company and -- as one would expect --
was subjected to strict auditing and monitoring by the Israeli
government to the benefit of all the recipients of their certs
... until the ownership change that is;</li>
<li>wosign is a mainland Chinese (PRC) company which completely
controls startcom operations in IL, UK, CN, and US;<br>
</li>
<li>earlier this year and last wosign -- amongst other deceptive
actions -- tried to circumvent certain mandated changes to
certificate authority (CA) practice by back-/forward-dating
certs and issuing certs with duplicate serial numbers while
their CA compliance auditors Ernst and Young (Hong Kong) were
complicit in covering up these and other forbidden practices <font
color="#ff0000"><b><sup>3</sup></b></font>;<br>
</li>
<li>in response to all these discoveries, mozilla's firefox
version 51 and all look-alikes using their gecko engine have
stopped accepting any new (issued on/after 2016.OCT.21) certs
that trace back to wosign/startcom/startssl/startencrypt
root/intermediate/cross-signed certs and have banned Hong Kong
Ernst and Young CPA's from certifying any CA audits;</li>
<li>unless wosign and its subsidiaries come up with new root
certificates and provide acceptable audit results for their
CP/CPS/operations by 2017.MAR, all of wosign-affiliated
root/intermediate/cross-signed certs will be removed from
mozilla's certificate store; and<br>
</li>
<li>mozilla has stated that if it detects any further fraud such
as exhibited in Item 6, <i>supra</i>, all security updates to
all its software versions will immediately remove wosign-based
"trusted" certs from the mozilla root certificate store on the
device being updated which will cause the universe of
wosign-issued certs to become un-trusted in the mozilla browser
family no matter when they were issued.<br>
</li>
</ol>
<p><b>OBVIOUS CONCLUSION: </b>do not just walk away from wosign,
startcom, qihoo, et alii but <b>RUN! </b>i can think of nothing
worse than trusting a PRC firm with my sites' security. OK, if
that hyperbole is not enough, try my personal idea of what should
be network no-go and it pretty much lies in the swath West of
Japan and East of Germany.<br>
</p>
<p><b>THE ALTERNATIVE: </b>the immediate free cert replacement
avenue is through letsencrypt.org that uses the cert
issuance/renewal protocol ACME. although letsencrypt will not be
found in most (if any) browser "trusted" root certificate stores,
they use cross-signed intermediate CA certs from a root that is.
there are an ever-growing number of open-source scripts (bash,
perl, python, go, ...) available to automate the process which one
can even customize for your particular needs.<br>
</p>
<p>there are letsencrypt plug-ins/modules for apache to make your
set-up less painful. you can use the nginx process with a lua
module to <i>really </i>fully automate <u><i>everything!</i></u>
if you want to go <i>de luxe</i> there is the openresty bundle
that combines nginx with lua and adds a host of other nginx
"add-in" enhancements automatically and some more rarely required
that one specifies.<br>
</p>
<p>if you have looked at openresty or other bundles before and been
turned off because there was nothing for your favorite
distro/pkg-mgr and the thoughts of maintaining a 2kb configure
line immediately switched your focus over to happy hour, look
again! with openresty, repos are in, security patches are quick in
coming, development is on-going 24/7, the "community" is lively,
and the original/lead developer still has his hand firmly on the
tiller.<br>
</p>
<p>one very important plus with the nginx set-up is that tls cert
operation under lua will actually boot-strap the ACME cert process
for each domain and all of the permitted sub-domains you authorize
in the nginx config file. so, what did i just mean?<br>
</p>
<p>let us say that you have a new domain 'qwe.com' and want to use
the sub-domains www, billing, mail, sales, and support. obviously,
you have to get the DNS going as a separate project (3 minutes).
you have to create an on-disk directory tree that accommodates the
storage of the issued certs and a directory where the lua process
will operate with the letsencrypt server token process that
verifies domain control coming through DNS (2 minutes). then, you
have a small config block in the nginx 'http' section authorizing
the sub-directories (2 minutes), you drop in a 'server' section
for whatever should be done (2 minutes: assuming you have an
already-established server processing block), and you add to the
server block a 'location' section for the token process (1
minute). now, you re-start nginx <b>AND YOU ARE DONE (10 minutes
total)! </b>now that you have a template, adding on an
additional domain should probably run half or less of that time.<br>
</p>
<p>when the first request comes in for, say, 'www.qwe.com', nginx
calls the lua module that completes the whole cert process for
getting the cert for that FQDN and then services the request ...
all without connection interruption. then 'qwe.com' comes in and
it adds that too. then 'support.qwe.com' and so forth until all
your configured sub-domains are covered. you probably see it now:
using this simple set-up you can segregate sub-domain access
between HTTP and HTTPS with that tiny lua sub-domain authorization
block. also, by authorizing (temporarily or otherwise) nginx to
answer for sub-domains for other servers such as SMTP[S], IMAP[S],
and so forth you will create your own customized server certs for
apps running any other service you might like on whatever
sub-domain you please by just making a single request for each
server's sub-domain.<br>
</p>
<p>cert renewal is also automatic. with no special config, nginx
will renew the cert when it falls within a remaining window of 30
days.<br>
</p>
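<p>as an added example (not part of the original post), here is what the pieces described above look like as one nginx config for 'qwe.com' and its five sub-domains. it assumes the lua module is lua-resty-auto-ssl, whose behaviour matches what is described (issue on first TLS handshake, renew inside the 30-day window, HTTP-01 token challenge served on port 80); the directory paths, listen ports and fallback certificate names are placeholders.</p>

```nginx
# Added example, not from the original post. Assumes the lua module is
# lua-resty-auto-ssl; all paths, ports and file names are placeholders.
http {
    lua_shared_dict auto_ssl 1m;           # cert cache shared by workers
    lua_shared_dict auto_ssl_settings 64k;
    resolver 8.8.8.8;                      # needed to reach the ACME server
    init_by_lua_block {
        auto_ssl = (require "resty.auto-ssl").new()
        auto_ssl:set("dir", "/etc/resty-auto-ssl")  -- on-disk cert storage
        -- The sub-domain authorization block: only these names are ever
        -- submitted to Let's Encrypt; any other SNI name is refused here.
        local allowed = {
            ["qwe.com"] = true,         ["www.qwe.com"] = true,
            ["billing.qwe.com"] = true, ["mail.qwe.com"] = true,
            ["sales.qwe.com"] = true,   ["support.qwe.com"] = true,
        }
        auto_ssl:set("allow_domain", function(domain)
            return allowed[domain] == true
        end)
        auto_ssl:init()
    }
    init_worker_by_lua_block { auto_ssl:init_worker() }

    server {
        listen 443 ssl;
        server_name qwe.com *.qwe.com;
        # Per handshake: serve the cached cert for the SNI name, or issue
        # one on the first request, without dropping the connection.
        ssl_certificate_by_lua_block { auto_ssl:ssl_certificate() }
        # Dummy self-signed pair that nginx insists on at startup.
        ssl_certificate     /etc/ssl/resty-auto-ssl-fallback.crt;
        ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
    }

    server {
        listen 80;
        server_name qwe.com *.qwe.com;
        # The 'location' for the token process (ACME HTTP-01 challenge).
        location /.well-known/acme-challenge/ {
            content_by_lua_block { auto_ssl:challenge_server() }
        }
        location / { return 301 https://$host$request_uri; }
    }
    # Internal endpoint the lua code uses to persist issued certs.
    server {
        listen 127.0.0.1:8999;
        client_body_buffer_size 128k;
        client_max_body_size 128k;
        location / { content_by_lua_block { auto_ssl:hook_server() } }
    }
}
```

<p>a sub-domain left out of the 'allowed' table never gets a cert, which is the HTTP/HTTPS segregation mentioned above; adding a name to that table is all a later domain needs.</p>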
<pre class="moz-signature" cols="80">Thank you,
Johann
<font color="#ff0000"><u><b>NOTES:</b></u></font>
</pre>
<ol>
<li>'<b>WoSign CA Limited</b>' (hereinafter '<b>wosign</b>') has
been around in a very minor way for, perhaps, as long as a
decade. its only known owner is Wang Gao Hua (AKA: Richard
Wang). it is a demonstrable fact that the PRC government is
intensely interested in expanding its scope of operation in the
international security venue and that its multi-faceted security
apparatus has both overtly and covertly been found to acquire
vested interests in technology ventures amenable to such an
expansion. therefore, it is quite imaginable that the PRC
government financially facilitated Wang's acquisition of
startcom for its own purposes. it is all the more conceivable
given that Wang was not known to be a very wealthy individual or
well connected with sources of institutional financing.<br>
</li>
<li>when i discovered the startling startcom Chinese connection in
2016.JAN and asked startcom what was going on, after a long hiatus and
several info requests i received what was apparently a
"canned" response (in re: 'Qihoo' since i never made reference
to "hosting service" or other network security/service
offerings such as might come from Qihoo's stable of products).
moreover, the somewhat fractured English was not up to the
standard always displayed by startcom in previous
correspondence:<br>
<table border="1" cellpadding="2" cellspacing="2" height="192"
width="768">
<tbody>
<tr>
<td>via:</td>
<td> 183.37.145.226 (no rDNS) registered as follows:</td>
</tr>
<tr>
<td>netname:</td>
<td> CHINANET-GD</td>
</tr>
<tr>
<td>descr:</td>
<td> CHINANET Guangdong province network</td>
</tr>
<tr>
<td>descr:</td>
<td> Data Communication Division</td>
</tr>
<tr>
<td>descr:</td>
<td> China Telecom</td>
</tr>
<tr>
<td>country:</td>
<td> CN</td>
</tr>
</tbody>
</table>
<blockquote type="cite">
<font color="#996633"><i>Like every big company (IBM, Cisco, Oracle,
Microsoft etc.) that has set up branch offices and R&D centers in
China, StartCom is the No. 6 biggest CA in the world and today has
also setup branch office and R&D center in China <sup><font
color="#ff0000"><b>1</b></font></sup>, our Chinese R&D team chose
Qihoo 360 <font color="#ff0000"><sup><b>4</b></sup></font> to provide
secure hosting service since this company is the No.1 Antivirus and
web security provider in China and in the world that public listed
in NYSE <font color="#ff0000"><sup><b>5</b></sup></font>.<br>
<br>
We are always trying to improve and try support continued growth
which isn't always easy to sustain. With that we hope to provide you
and all our customers a useful service.</i></font>
<pre class="moz-signature" cols="72"><font color="#996633"><i>--
Best regards,
Ms. Yael Luft,CVO
StartCom Ltd.</i></font></pre>
</blockquote>
</li>
<li>Certificate Authority (CA) auditors must certify to several
different standards (some of which are country-specific) and the
most prominent of such are:
<ul>
<li>European Telecommunications Standards Institute (<b>ETSI; </b>most
specifically 'TS 102 042'; originally EU-centric and now
recognized in c. a third of all nations and all of the OECD);</li>
<li>Internet Engineering Task Force (<b>IETF</b>; most specific
policy-wise (CP/CPS) 'RFC 3647'; founded by the US and now an
independent voluntary standards setter);</li>
<li>Webtrust Organization (<b>WEBTRUST</b>; principally
'WebTrust Principles and Criteria for Certification
Authorities – SSL Baseline with Network Security – Version
2.0'; a network security consortium of commercial firms,
CPA's, engineers, other standards setters ...);</li>
<li>American Institute of Certified Public Accountants (<b>AICPA</b>;
various practice and audit guidelines for businesses,
non-profits, and governments promulgated through standards
boards and US Federal and State regulations; a US accountancy
professional standards-setting, certifier of individuals to
practice, and continuing education organization);</li>
<li>National Institute of Science and Technology (<b>NIST</b>;
issues various publications establishing acceptable modes of
operation of public and private entities; the lead US agency
for standards issuance in concordance and co-operation with
many other Departments and agencies of the US government);<br>
</li>
</ul>
</li>
<li>Qihoo 360 is -- like all PRC ISP's, hosting providers,
hard-/soft-ware vendors, ASN operators, et cetera -- permitted
to exist while being continuously monitored by the PRC National
Defense Council which is a second-tier security agency just
below the PRC military high command. Not only are these
permitted firms monitored, but their numbers are severely
restricted to make that monitoring more easily accomplished.
moreover, any products of such PRC businesses have to be suspect
given their government's penchant for intrusive and paramount
control of any internal business process. of course, the PRC's
raids on foreign business and government systems should make
anyone shrink from any security association with any company on
mainland China and that includes Hong Kong. Qihoo is addressed
herein solely because it seems as if there is a Wang business
relationship and concomitant risk exposure.<br>
</li>
<li>pursuant to a privatization agreement back in 2015, Qihoo 360
Technology Co. Ltd. ("Qihoo 360", a Cayman Islands company) went
out of existence and its NYSE QIHU ADR's (AKA: ADS's) were
permanently suspended from trading on 2016.JUL.15.
although the 2015 announcement mentioned some minority
financing of the transaction by PRC-controlled
subsidiaries of international (foreign) banks, the actual
finalized financing and even the actual ownership of the
privatized entity are still totally unknown. since Qihoo
was originally allowed to thrive within PRC through the
PRC military giving them a virtual monopoly on many
networking services (which they mostly still enjoy), it is
not a stretch to assume that the military now possesses a
directly vested interest together with the enhanced
control such an interest cloaked in secrecy would
represent.<br>
</li>
</ol>
<div class="moz-cite-prefix">On 2016.Oct.25 15:54, Salz, Rich wrote:<br>
</div>
<blockquote
cite="mid:8b83de9b584d4654946b8a960ecd121a@usma1ex-dag1mb1.msg.corp.akamai.com"
type="cite">
<blockquote type="cite">
<pre wrap="">StartCom has directions on their website. I don't recall what the process is,
but I've used it in the past. You might want to review the instructions
StartCom provides.
</pre>
</blockquote>
<pre wrap="">
StartCom, owned by WoSign, has issues with firefox.
</pre>
<blockquote type="cite">
<pre wrap="">Let's Encrypt is new and has become very popular. I don't know the process
because I have never used them. They will likely suffer more "unable to get
local issuer certificate" problems than StartCom, especially on older mobile
devices.
</pre>
</blockquote>
<pre wrap="">
Should not be an issue, since LE has a cross-signed CA cert with someone that is in the trust stores.
</pre>
</blockquote>
<br>
</body>
</html>