On Saturday, September 3, 2016 at 12:46:02 PM UTC-7, Ryan Sleevi wrote:
> Hi Percy,
>
> This does not seem to be a useful or productive contribution to the community
> discussion. Whether or not a given CA uses English as a first language, or
> has translation issues, should not be part of the calculus of
> trustworthiness. The actions, however, are far more relevant and important,
> such as having actively misleading information, but it is not and should not
> be an issue to have a poor translation.
>
> I would appreciate if you would stop trying to suggest otherwise.

I completely agree. Let's talk about actively misleading information.

1. WoSign actively misled users in marketing emails. This is a typical marketing email they sent.
https://pbs.twimg.com/media/CrXf7w3W8AA2zd7.jpg:large
Translated below.

-------
Dear friend:

I'm *** from WoSign CA. WoSign is the first SSL cert company in China. Your website *****'s SSL cert is from Let's Encrypt, expiring at Oct, 2016. If you switch to WoSign before the expiration you can enjoy buy one year get one year free.

The risks associated with foreign CA:

1. Cert revocation
If foreign CA is influenced by politics and revoke certs for important Chinese organizations, the entire system will be paralyzed.

2. Information security risks
If the website uses foreign certs, users need to send information to foreign servers in every visit. Time of the visit, the location of the visit, IP addresses, and the browser, frequency of the visits are all collected by foreign CA. This will leak commercial secrets and sensitive data, and is very risky!

3. Server latency
Foreign CA cannot provide 24*7 local support. Servers are overseas and affected by submarine cables, latency is 10X. If something happens to submarine cables, and cert revocation list is not accessible, important systems with foreign certs will be paralyzed. In 2012, there is an incident that submarine cables was broken.

.... (contact info stuff)

Best regards and thanks,
WoSign CA Limited.
-------

2. After my post about the above marketing email, WoSign CEO accused me publicly of working for Let's Encrypt to undermine WoSign, "From the screenshot, we know why Percy hate WoSign so deeply, we know he represent which CA, everything is clear now. "

3. WoSign CEO claimed on social media that "WoSign has been oppressed by large American companies over the years but has been growing steadily over the past 10 years and is now the 8th largest CA in the world"
https://pbs.twimg.com/media/CrZ1Oc6WIAABtrg.jpg:large

4. WoSign CEO also claimed on social media that (https://pbs.twimg.com/media/CrZ4GV7WgAESKyn.jpg:large) way back in 2014 that "If you deploy foreign certificates, you still will not have any security in online commerce".