Dear All,
This is the information that would be released by Inigo in the coming week. 
Percy asked me to answer the question, so here it is:
 
Business Supporting Software:
There are 5 components of StartCom’s business supporting software:
1. Official Website + Ordering system
Code: Independent code, totally different from WoSign’s.
Server: Dedicated server, no sharing.
Location: Hosted in Qihoo 360 Los Angeles, U.S China Telecom America IDC; 
WoSign’s is hosted in China.
Business Process/Logic: Different from WoSign’s business process/logic, keeping 
the same business process/logic as the old system before the acquisition.
UI of Web: Different from WoSign’s; a revised version of StartCom’s original 
version. Developed by WoSign RD team.
 
2. CMS (Certificate Management System)
Code: Independent code, totally different from WoSign’s.
Server: Dedicated server, no sharing.
Location: The primary server is hosted in Qihoo 360 headquarters’ data center 
in Beijing; there is a backup server in WoSign’s office in Shenzhen.
Business Process/Logic: Different from WoSign’s business process/logic, keeping 
the same business process/logic as the old system before the acquisition.
 
3. PKI – signing service
Code: Same code as WoSign’s.
Server: Shared server.
Location: The primary one has been hosted in Qihoo 360 headquarters’ data center 
in Beijing since Dec 2015; there is a backup server in WoSign’s office in 
Shenzhen.
Business Process: Same
 
4. CRL/OCSP
Code: Same code as WoSign’s.
Server: Dedicated server, no sharing.
Location: The StartCom and WoSign CRL/OCSP source server is located in Qihoo 
360 USA IDC; the backup source server is hosted in Qihoo 360 headquarters’ 
data center in Beijing.
Cache Service: by Akamai for overseas visitors, Qihoo 360 CDN for China 
visitors
Business Process: Same
 
5. TSA
Code: Same code as WoSign’s.
Server: Dedicated server, no sharing.
Location: StartCom TSA: http://tsa.startssl.com is located in Qihoo 360 Los 
Angeles IDC; WoSign TSA: http://timestamp.wosign.com is hosted in Qihoo 360 
China IDC.
Business Process: Same
 
So, for StartCom and WoSign’s infrastructure, only the PKI servers were/are 
shared; the CRL/OCSP and TSA code were cloned but hosted in different IDCs; nothing 
was/is shared on the Official Website, Ordering System and CMS.
 
Data Center:
The Qihoo 360 Los Angeles IDC is a co-location with China Telecom North 
America company, located at 600 W 7TH ST Suite 570, LOS ANGELES CA 90017, 
governed by U.S law.
 
Employee:
For employees, StartCom and WoSign shared the software development team, 
which is paid by WoSign, but have independent validation, customer care 
and tech support teams, which were/are paid by StartCom China, StartCom U.K and 
StartCom IL. StartCom’s teams were/are English-speaking employees; WoSign’s 
were/are Chinese-speaking employees.

More information will be available in the SC report which will be released by 
Inigo soon.

Thanks,
Xiaosheng Tan, Chief Security Officer of Qihoo 360



On 2016/10/9 at 7:02 AM, "dev-security-policy on behalf of 
Percy" <dev-security-policy-bounces+tanxiaosheng=360...@lists.mozilla.org on behalf of 
percyal...@gmail.com> wrote:

    His writing style is very similar to StartCom's website which is produced 
in China. As we're examining the infrastructure of the two companies, could 
Mozilla ask Qihoo 360 to disclose the current personnel and technical 
infrastructure shared between WoSign and StartCom? 
    WoSign has denied that they shared those infrastructures but we know WoSign 
lied. So I want to ask Qihoo 360 the same question and see whether Qihoo has a 
different answer.
    _______________________________________________
    dev-security-policy mailing list
    dev-security-policy@lists.mozilla.org
    https://lists.mozilla.org/listinfo/dev-security-policy
    

