On Thursday, September 1, 2016 at 11:36:13 PM UTC-7, Richard Wang wrote:
> Please remember this sentence:
> Every redistribution of the wrong information will make his penalty heavier 
> (including site cache or mirror site).  
> 
> You are harming him! 

You stated that he was a former employee of StartCom in 2015. After he left the 
company, what he learnt from public sources in 2016 is not bound by an NDA. I do 
not appreciate you holding him hostage to suppress public and crucial 
information on understanding the trust of a CA. Since WoSign is trying so hard to 
suppress such critical information, it's especially important for us to 
understand the consequences of such info. The entire article is reproduced 
below.

--------
Being a Certificate Authority is all about trust.
Start Commercial LTD "is" an Israeli Certificate Authority. Their certificates 
are trusted by billions of devices (computers, mobile phones, routers, etc.) and 
they claim to be "the 6th biggest CA in the world". StartCom launched its 
activities as we know them today around 2006 with the brand name StartSSL.
Their site didn't have many UI changes during those years. Until 2016...
On February 16th, 2016, Pierre Kim in his security blog wrote about why he stopped 
using StartSSL. The article was about how some of StartSSL's infrastructure is 
hosted in China/by Chinese companies. But he showed only a small part of the 
whole picture, not going into who owns StartCom and the brand name StartSSL.
Reviewing StartCom's registry entry in the Israeli company directory reveals that on 
November 1st, 2015 all the shares of the privately held company were transferred 
to a UK based company named "StartCom CA Limited". This company, "StartCom CA", 
is owned by Gaohua Wang, who is of Chinese nationality.
But no news about it. 2016 is a major year for StartCom, new UI, new tools and 
new features, and yet, no news regarding the new ownership. The only news 
related to the matter was a minor post about expanding their activities in 
China.

In the previous part we saw that the ownership of the company has switched, 
from Israeli hands to Chinese hands (via a UK based company operating as a 
front organization). Pierre Kim in his blog post showed that some of StartSSL's 
infrastructure is hosted in China/by Chinese companies. In this part I will 
show that currently (June 2016) StartSSL is operating from China (their 
employees are located in China).
During the first half of 2016 I've contacted StartSSL several times. The 
first time was when I notified them about their SPF TXT records being incorrect 
[1]; the reply originated from 113.104.213.84 (China Telecom, CHINANET 
Guangdong province network) with "Content-Language" equal to "zh-cn" and 
the local time of the email was UTC+0800. The email is signed with the 
"[email protected]" private key.
The second time I've contacted StartSSL was in regard to their OCSP replies for 
expired certificates [2]; again the reply originated in China, 
183.37.124.147 (China Telecom, CHINANET Guangdong province network), with 
China's local time (UTC+0800).
The third and last time I've contacted StartSSL was regarding their expired 
certificates on some of their hosts [3]; this time the reply seems to have been 
generated via some kind of ticket system, but still from China. The ticket 
system itself (the MX server at least) seems to be in China, 124.251.21.41 
(21ViaNet(China),Inc), and the person who replied to my email was also in 
China, 14.153.60.139 (China Telecom, CHINANET Guangdong province network), with 
"Accept-Language:" set to "zh-cn".
And what about StartSSL's automated emails? Old ones (during January) seem to 
originate in China; they came from 106.39.1.130 (China Telecom, CHINANET-BJ) 
[4]. But later ones come from 104.192.108.9-10 (China Telecom (Americas) 
Corporation (CTUC)) [5]. According to the whois, this is a Chinese company 
with an IP infrastructure in the US, but the local time is still set to China's 
local time.

In part 1 I showed that all shares of Start Commercial LTD (a company based in 
Israel) were transferred to a front organization in the UK, named "StartCom CA 
Limited", whose sole director is Gaohua Wang. In part 2 I showed that 
StartSSL is actually operating from China (last verified, June 2016). In this 
part I will disclose who actually owns StartCom and more specifically the 
"StartSSL" brand name.
The key figure is Gaohua Wang (aka Richard Wang). It may not be so easy to 
connect him to the company in question (searching for "Gaohua Wang certificate 
authority" will do the trick), but Gaohua Wang is also a director of another CA 
company based in China, named WoSign [1].
StartCom doesn't share this information with their customers, past, present and 
probably near future. I even tried to ask them directly via their Live Chat, 
but they haven't given me a straight answer ("not really", "close relationship" 
and "share infrastructure") [2] [3]. It seems StartCom is trying really hard not 
to disclose that StartCom was sold indirectly to a Chinese company.
Let's break down the answers to the question "Did WoSign bought you?"
"Not really" - WoSign didn't buy StartCom directly; Gaohua Wang (who also 
owns WoSign) used a front organization in the UK to buy StartCom.
"Close Relationship" - StartCom in the past cross-signed some of WoSign's 
intermediate CAs; you may consider that "close relations".
"Share Infrastructure" - This would explain Pierre Kim's post, but it doesn't 
explain why StartCom would require that: most of StartSSL's customers are in Europe 
and in the US, not in China nor Asia [4].
But there are holes in the story. Why are the operations (mail replies, core 
services like 'auth.startssl.com') in China? When trying to dial the Israeli 
number (+972.8.634.4170) I got an unplugged number tone [5]; is the office in 
Israel unavailable? But some of StartCom's infrastructure is still hosted in 
Israel.
I will conclude with this: the same person (Gaohua Wang) owns WoSign and 
StartCom. I will leave connecting the dots for you...
 
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
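The reproduced article infers where a CA's staff operate from three header clues in the replies it received: the first-hop IP in the Received chain, the UTC offset of the Date header, and the Content-Language/Accept-Language values. The script below, added here as an illustration and not part of the thread or of any CA's tooling, pulls those same clues out of a raw message; the sample headers are constructed with TEST-NET addresses.

```python
"""Extract origin clues from raw email headers: the earliest hop in the
Received chain, the sender's UTC offset from the Date header, and any
language headers. Added example, not part of the mailing-list thread."""
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample headers (TEST-NET addresses, not real infrastructure).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
    by inbox.example.org with ESMTP; Wed, 22 Jun 2016 09:15:02 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
    by mx.example.net with ESMTPSA; Wed, 22 Jun 2016 17:14:58 +0800
Date: Wed, 22 Jun 2016 17:14:55 +0800
From: support@example.com
To: reporter@example.org
Subject: Re: SPF record
Content-Language: zh-cn
Accept-Language: zh-cn

Thanks for the report.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def origin_clues(raw):
    """Return the header-derived origin clues of one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    received = msg.get_all("Received", [])
    # Each relay prepends its own Received header, so the last one listed is
    # the first hop, i.e. the host closest to the sender. Only trust it as far
    # as you trust the relay that wrote it: earlier hops can be forged.
    first_hop = received[-1] if received else ""
    m = IP_RE.search(first_hop)
    origin_ip = m.group(1) if m else None
    # The Date header is stamped by the sender's own client, so its offset
    # reflects the sender's configured timezone (e.g. +0800 -> 8.0 hours).
    date = msg.get("Date")
    dt = parsedate_to_datetime(date) if date else None
    offset = dt.utcoffset() if dt is not None else None
    offset_hours = offset.total_seconds() / 3600 if offset is not None else None
    return {
        "origin_ip": origin_ip,
        "utc_offset_hours": offset_hours,
        "content_language": msg.get("Content-Language"),
        "accept_language": msg.get("Accept-Language"),
    }
```

The IP still has to be looked up in whois or an IP-to-ASN source to get the network owner the article quotes; that lookup is deliberately left out so the script runs offline.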
