[openssl-users] free certs: bad idea wosign/startcom/startssl/startencrypt; good alt's

Jakob Bohm jb-openssl at wisemo.com
Fri Oct 28 08:21:45 UTC 2016

Please note that the below summary contains a few exaggerations.  For 
instance the duplicate serial numbers seem to have been a software bug 
that issued N certificates with the same serial on busy days, while the 
backdating seemed much less excusable.  The person posting this seems 
also to be extremely US centric in his thinking, for instance 
referencing local US standards NIST and AICPA, rather than their 
international or Asian counterparts.  There is much more balanced 
information at the URL posted by Mr. Salz.

On 26/10/2016 17:50, Johann v. Preußen wrote:
> this is a re-worked report i prepared that some might find useful.*
> CAUTION:* there are several seriously troubling events surrounding 
> WoSign *^1 * (AKA startcom, AKA startssl, and AKA startencrypt) and 
> any of their affiliated/subsidiary businesses:
>  1. wosign purchased startcom/startssl/startencrypt [DBA's of 'Start
>     Commercial LTD' (an Israeli company); hereinafter '*startcom*']
>     last year. although obfuscation by the parties makes determining
>     the actual control-transfer date impossible, the change-over may
>     have begun in 2014. both companies long completely and publicly
>     denied any change of control even as late as 2016.JUL despite it
>     being a matter of public record that:
>      1.  the entire stock issuance from 15 startcom shareholders
>         including founder Revital (AKA 'Eddy') Nigg's majority
>         ownership was transferred in 2015.NOV;
>      2.  beneficiary of the stock deal was 'StartCom CA Limited' a UK
>         company (09744347);
>      3.  the UK company is wholly-owned by 'StartCom CA Limited' (yes,
>         exactly the same name again) a Hong Kong company (CRN 2271553)
>         with a sole director being Wang *^1 *; and
>      4.  the Hong Kong entity is then owned by wosign.
>  2. in fact, to-date neither firm has actually admitted what has
>     happened re transfer of control, domiciling of operations, and
>     changes in management personnel. this reticence is despite some
>     aspects of the transactions becoming common knowledge in the
>     security community;
>  3. wosign attempted (rather poorly it turned out) to make it appear
>     that wosign was actually a subsidiary of startcom and startcom's
>     remnant personnel and former shareholders abetted this *^2 *;
>  4. startcom is an Israeli company and -- as one would expect -- was
>     subjected to strict auditing and monitoring by the Israeli
>     government to the benefit of all the recipients of their certs ...
>     until the ownership change that is;
>  5. wosign is a mainland Chinese (PRC) company which completely
>     controls startcom operations in IL, UK, CN, and US;
>  6. earlier this year and last wosign -- amongst other deceptive
>     actions --  tried to circumvent certain mandated changes to
>     certificate authority (CA) practice by back-/forward-dating certs
>     and issuing certs with duplicate serial numbers while their CA
>     compliance auditors Ernst and Young (Hong Kong) were complicit in
>     covering up these and other forbidden practices *^3 *;
>  7. in response to all these discoveries, mozilla's firefox version 51
>     and all look-alikes using their gecko engine have stopped
>     accepting any new (issued on/after 2016.OCT.21) certs that trace
>     back to wosign/startcom/startssl/startencrypt
>     root/intermediate/cross-signed certs and have banned Hong Kong
>     Ernst and Young CPA's from certifying any CA audits;
>  8. unless wosign and its subsidiaries come up with new root
>     certificates and provide acceptable audit results for their
>     CP/CPS/operations by 2017.MAR, all of wosign-affiliated
>     root/intermediate/cross-signed certs will be removed from
>     mozilla's certificate store; and
>  9. mozilla has stated that if it detects any further fraud such as
>     exhibited in Item 6, /supra/, all security updates to all its
>     software versions will immediately remove wosign-based "trusted"
>     certs from the mozilla root certificate store on the device being
>     updated which will cause the universe of wosign-issued certs to
>     become un-trusted in the mozilla browser family no matter when
>     they were issued.
> *OBVIOUS CONCLUSION: *do not just walk away from wosign, startcom, 
> qihoo, et alii but *RUN! *i can think of nothing worse than trusting a 
> PRC firm with my sites' security. OK, if that hyperbole is not enough, 
> try my personal idea of what should be network no-go and it pretty 
> much lies in the swath West of Japan and East of Germany.
> *THE ALTERNATIVE: *the immediate free cert replacement avenue is 
> through letsencrypt.org that uses the cert issuance/renewal protocol 
> ACME. although letsencrypt will not be found in most (if any) browser 
> "trusted" root certificate stores, they use cross-signed intermediate 
> CA certs from a root that is. there are an ever-growing number of 
> open-source scripts (bash, perl, python, go, ...) available to 
> automate the process which one can even customize for your particular 
> needs.
> there are letsencrypt plug-ins/modules for apache to make your set-up 
> less painful. you can use the nginx process with a lua module to 
> /really /fully automate _/everything!/_ if you want to go /de luxe/ 
> there is the openresty bundle that combines nginx with lua and adds a 
> host of other nginx "add-in" enhancements automatically and some more 
> rarely required that one specifies.
> if you have looked at openresty or other bundles before and been 
> turned off because there was nothing for your favorite distro/pkg-mgr 
> and the thoughts of maintaining a 2kb configure line immediately 
> switched your focus over to happy hour, look again! with openresty 
> repo's are in, security patches are quick in coming, development is 
> on-going 24/7, the "community" is lively, and the original/lead 
> developer still has his hand firmly on the tiller.
> one very important plus with the nginx set-up is that tls cert 
> operation under lua will actually boot-strap the ACME cert process for 
> each domain and all of the permitted sub-domains you authorize in the 
> nginx config file. so, what did i just mean?
> let us say that you have a new domain 'qwe.com' and want to use the 
> sub-domains www, billing, mail, sales, and support. obviously, you 
> have to get the DNS going as a separate project (3 minutes). you have 
> to create an on-disk directory tree that accommodates the storage of 
> the issued certs and a directory where the lua process will operate 
> with the letsencrypt server token process that verifies domain control 
> coming through DNS (2 minutes). then, you have a small config block in 
> the nginx 'http' section authorizing the sub-directories (2 minutes), 
> you drop in a 'server' section for whatever should be done (2 minutes: 
> assuming you have an already-established server processing block), and 
> you add to the server block a 'location' section for the token process 
> (1 minute). now, you re-start nginx *AND YOU ARE DONE (10 minutes 
> total)! *now that you have a template, adding on an additional domain 
> should probably run half or less of that time.
> when the first request comes in for, say, 'www.qwe.com'; nginx calls 
> the lua module that completes the whole cert process for getting the 
> cert for that FQDN and then services the request ... all without 
> connection interruption. then 'qwe.com' comes in and it adds that too. 
> then 'support.qwe.com' and so forth until all your configured 
> sub-domains are covered. you probably see it now: using this simple 
> set-up you can segregate sub-domain access between HTTP and HTTPS with 
> that tiny lua sub-domain authorization block. also, by authorizing 
> (temporarily or otherwise) nginx to answer for sub-domains for other 
> servers such as SMTP[S], IMAP[S], and so forth you will create your 
> own customized server certs for apps running any other service you 
> might like on whatever sub-domain you please by just making a single 
> request for each server's sub-domain.
> cert renewal is also automatic. with no special config, nginx will 
> renew the cert when it falls within a remaining window of 30 days.
> Thank you,
> Johann
> _*NOTES:*_
>  1. '*WoSign CA Limited*' (hereinafter '*wosign*') has been around in
>     a very minor way for, perhaps, as long as a decade. its only known
>     owner is Wang Gao Hua (AKA: Richard Wang). it is a demonstrable
>     fact that the PRC government is intensely interested in expanding
>     its scope of operation in the international security venue and
>     that its multi-faceted security apparatus has both overtly and
>     covertly been found to acquire vested interests in technology
>     ventures amenable to such an expansion. therefore, it is quite
>     imaginable that the PRC government financially facilitated Wang's
>     acquisition of startcom for its own purposes. it is all the more
>     conceivable given that Wang was not known to be a very wealthy
>     individual or well connected with sources of institutional financing.
>  2. when i discovered the startling startcom Chinese connection in
>     2016.JAN and asked startcom what was going on, after a long hiatus
>     and several info requests i received what was apparently a
>     "canned" response (in re: 'Qihoo" since i never made reference to
>     "hosting service" or other network security/service offerings such
>     as might come from Qihoo's stable of products). moreover, the
>     somewhat fractured English was not up to the standard always
>     displayed by startcom in previous correspondence:
>     via: (no rDNS) registered as follows:
>     netname: 	CHINANET-GD
>     descr: 	CHINANET Guangdong province network
>     descr: 	Data Communication Division
>     descr: 	China Telecom
>     country: 	CN
>     /L//ike every big company (IBM, Cisco, Oracle, Microsoft etc.)
>     that has set up branch offices and R&D centers in China, StartCom
>     is the No. 6 biggest CA in the world and today has also setup
>     branch office and R&D center in China///^*1* /, our Chinese R&D
>     team chose Qihoo 360 ^*4*   to provide secure hosting service
>     since this company is the No.1 Antivirus and web security provider
>     in China and in the world that public listed in NYSE///^*5* /.///
>     /
>     /
>     //
>     /We are always trying to improve and try support continued growth
>     which isn't always easy to sustain. With that we hope to provide
>     you and all our customers a useful service.//
>     /
>     //
>     /-- Best regards, Ms. Yael Luft,CVO StartCom Ltd./
>     //
>  3. Certificate Authority (CA) auditors must certify to several
>     different standards (some of which are country-specific) and the
>     most prominent of such are:
>       * European Telecommunications Standards Institute (*ETSI; *most
>         specifically 'TS 102 042'; originally EU-centric and now
>         recognized in c. a third of all nations and all of the OECD);
>       * Internet Engineering Task Force (*IETF*; most specific
>         policy-wise (CP/CPS) 'RFC 3647'; founded by the US and now an
>         independent voluntary standards setter);
>       * Webtrust Organization (*WEBTRUST*; principally 'WebTrust
>         Principles and Criteria for Certification Authorities – SSL
>         Baseline with Network Security – Version 2.0'; a network
>         security consortium of commercial firms, CPA's, engineers,
>         other standards setters ...);
>       * American Institute of Certified Public Accountants (*AICPA*;
>         various practice and audit guidelines for businesses,
>         non-profits, and governments promulgated through standards
>         boards and US Federal and State regulations; an US accountancy
>         professional standards-setting, certifier of individuals to
>         practice, and continuing education organization);
>       * National Institute of Science and Technology (*NIST*; issues
>         various publications establishing acceptable modes of
>         operation of public and private entities; the lead US agency
>         for standards issuance in concordance and co-operation with
>         many other Departments and agencies of the US government);
>  4. Qihoo 360 is -- like all PRC ISP's, hosting providers,
>     hard-/soft-ware vendors, ASN operators, et cetera -- permitted to
>     exist while being continuously monitored by the PRC National
>     Defense Council which is a second-tier security agency just below
>     the PRC military high command. Not only are these permitted firms
>     monitored, but their numbers are severely restricted to make that
>     monitoring more easily accomplished. moreover, any products of
>     such PRC businesses have to be suspect given their government's
>     penchant for intrusive and paramount control of any internal
>     business process. of course, the PRC's raids on foreign business
>     and government systems should make anyone shrink from any security
>     association with any company on mainland china and that includes
>     Hong Kong. Qihoo is addressed herein solely because it seems as if
>     there is a Wang business relationship and concomitant risk exposure.
>  5. pursuant to a privatization agreement back in 2015,  Qihoo 360
>     Technology Co. Ltd. ("Qihoo 360",  a Cayman Islands company) went
>     out of existence and its NYSE QIHU ADR's (AKA: ADS's) were
>     permanently suspended from trading on 2016.JUL.15. although the
>     2015 announcement mentioned some minority financing of the
>     transaction by PRC-controlled subsidiaries of international
>     (foreign) banks, the actual finalized financing and even the
>     actual ownership of the privatized entity are still totally
>     unknown. since Qihoo was originally allowed to thrive within PRC
>     through the PRC military giving them a virtual monopoly on many
>     networking services (which they mostly still enjoy), it is not a
>     stretch to assume that the military now possesses a directly
>     vested interest together with the enhanced control such an
>     interest cloaked in secrecy would represent.
> On 2016.Oct.25 15:54, Salz, Rich wrote:
>>> StartCom has directions on their website. I don't recall what the process is,
>>> but I've used it in the past. You might want to review the instructions
>>> StartCom provides.
>> StartCom, owned by WoSign, has issues with firefox.
>>> Let's Encrypt is new and has become very popular. I don't know the process
>>> because I have never used them. They will likely suffer more "unable to get
>>> local issuer certificate" problems than StartCom, especially on older mobile
>>> devices.
>> Should not be an issue, since LE has a cross-signed CA cert with someone that is in the trust stores.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list