在 2016年10月13日星期四 UTC+8上午10:58:34,谭晓生写道:
> Yuwei, 
> I don’t know who you are, but I can tell you and the community, Qihoo 360 
> never been involved in ***** Fire Wall project, if you did some investigation 
> to the message that accused Qihoo 360 joined the project “Search Engine 
> Content Security Management System”, you should know the project had been 
> done on Feb 2005, before Qihoo 360 was founded on Aug 2005, and the project 
> is neither part of the ***** fire wall project nor a project done by Qihoo 
> 360, actually it is part of the efforts to help Yahoo’s search engine could 
> work in China, I was the tech head of Yahoo!China ‘s tech team, director of 
> engineering and soon the CTO of Yahoo!China, I know what happened at that 
> time.
>  
> Thanks,
> Xiaosheng Tan
> 
> 
> 
> 在 2016/10/13 上午5:22,“dev-security-policy 代表 Han 
> Yuwei”<dev-security-policy-bounces+tanxiaosheng=360...@lists.mozilla.org 代表 
> hanyuwe...@gmail.com> 写入:
> 
>     在 2016年10月13日星期四 UTC+8上午3:12:08,Ryan Sleevi写道:
>     > As Gerv suggested this was the official call for incidents with respect 
> to StartCom, it seems appropriate to start a new thread.
>     > 
>     > It would seem that, in evaluating the relationship with WoSign and 
> Qihoo, we naturally reach three possible conclusions:
>     > 1) StartCom is treated as an independent entity
>     > 2) StartCom is treated as a subsidiary of Qihoo
>     > 3) StartCom is treated as a subsidiary of WoSign
>     > 
>     > We know there are serious incidents with WoSign that, collectively, 
> encourage the community to distrust future certificates. However, there 
> hasn't been a similar investigation into the trustworthiness of StartCom as 
> an independent entity or as an entity operated by Qihoo. It would seem that 
> germane to the discussion is how trustworthy the claims are - from either 
> StartCom or Qihoo - and how that affects trust.
>     > 
>     > Incidents with StartCom:
>     > A) Duplicate Serials. 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1029884
>     > We know that StartCom had issues issuing duplicate serials, in 
> violation of RFC 5280. We know that they did not prioritize resolution, and 
> when attempting resolution, did so incompletely, as the issue still 
> resurfaced.
>     > 
>     > C) Improper OCSP responder. 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1006479 / 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1151270
>     > We know that StartCom continues to have issue with their OCSP responder 
> after they issue certificates. Presumably, this is a CDN distribution delay, 
> but we can't be sure, especially considering Incident A was with the 
> underlying systems. As a consequence of this, users with StartCom 
> certificates are disproportionately disadvantaged from enabling OCSP 
> stapling, which many browser programs support (and is perhaps the only viable 
> path towards a complete revocation solution).
>     > 
>     > E) Heartbleed. https://bugzilla.mozilla.org/show_bug.cgi?id=994033 / 
> https://bugzilla.mozilla.org/show_bug.cgi?id=994478
>     > We know StartCom had a notoriously poor response to HeartBleed. Eddy 
> first dismissed the significance, and then when proven wrong, still continued 
> to charge $25 USD for revocation. Ostensibly, this is a violation of the 
> Baseline Requirements, in that CAs are required to revoke certificates 
> suspected of Key Compromise. However, despite the BRs effective date of 2012, 
> Mozilla was not aggressively imposing compliance then (... or now, to be 
> fair).
>     > 
>     > G) StartCom BR violations - IV 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1266942
>     > StartCom was materially violating its CP/CPS and the Baseline 
> Requirements with respect to certain types of validation. No explanation for 
> the root cause provided.
>     > 
>     > I) StartCom BR violations (2) - Key Sizes 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1015767
>     > StartCom was issuing certificates less than 2048 bits.
>     > 
>     > K) StartCom impersonating mozilla.com. 
> https://bugzilla.mozilla.org/show_bug.cgi?id=471702
>     > StartCom's (former) CEO Eddy Nigg obtained a key and certificate for 
> www.mozilla.com and placed it on an Internet-facing server.
>     > 
>     > M) StartCom BR violations (3) - Key exponents 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1212655
>     > StartCom was not enforcing the BRs with respect to RSA public exponents.
>     > 
>     > O) StartCom BR violations (4) - Curve violations 
> https://bug98304.bugzilla.mozilla.org/show_bug.cgi?id=1269183
>     > StartCom was not enforcing the BRs with respect to EC curve algorithms.
>     > 
>     > 
>     > 
>     > In addition to discussion of StartCom issues, it seems relevant to 
> future trust to evaluate issues with Qihoo. Many in the Mozilla community may 
> not have direct interactions with Qihoo, but they have obtained some 
> notoriety in security circles.
>     > 
>     > Q.A) Qihoo masking their browser as a critical Windows security update 
> to IE users.
>     > http://wmos.info/archives/7717 / 
> http://www.theregister.co.uk/2013/02/01/qihoo_government_warning_fraud/
>     > Qihoo displayed a misleading security update for Windows users that 
> instead installed their browser.
>     > 
>     > Q.C) Qihoo browser actively enables insecure cryptography.
>     > 
> https://docs.google.com/document/d/1b7lenmn5XO06QohaJzVffnJxjXjY1rD70wg34gfuxRo/edit
>     > Qihoo's browser is notably insecure with respect to SSL/TLS, with some 
> of the insecure changes requiring active modification to the low-level source 
> libraries that Chromium (of which they're based on) uses.
>     > 
>     > Q.E) Qihoo apps removed from app stores due to malware
>     > 
> https://www.techinasia.com/qihoo-committing-fraud-google-making-huge-mistake 
> / https://www.techinasia.com/qihoo-apps-banned-apple-app-store
>     > Qihoo Apps have repeatedly been banned from Apple's App Store due to 
> issues
>     > 
>     > Q.G) Qihoo "security" apps repeatedly found as unfair competition
>     > 
> https://www.techinasia.com/qihoo-360-loses-chinas-courts-ordered-pay-sogou-82-million-unfair-competition
>     > 
>     > 
>     > 
>     > I hope the above show that the odds are if the original StartCom 
> systems are restored, we're likely to continue to have significant BR 
> violations - a pattern StartCom has repeatedly demonstrated over several 
> years. Similarly, if we were to accept trust in Qihoo, then we would be 
> ignoring the precedent Qihoo has set of choosing insecure and anti-user 
> behaviours masked as "security".
>     
>     As a Chinese Internet user, I would say that Qihoo has a very negative 
> reputation on China online community for its precedent's malware(maybe not 
> accurate) and some awful actions such as "3Q Battle", installing software 
> sliently, misleading ads, suspiciously collecting data which is believed 
> helping govnerment monitoring citizens and so on. But on the other hand, 
> their product, "360安全卫士" (360 Total Security)(two names are not the same 
> version but I can't find another english name),as I thought, has improved the 
> total security level of China Internet. And it has changed the ecosystem of 
> Chinese anti-malware software,which I don't know it is good or bad. And it's 
> believed that Qihoo have a tight connection with the Great Fire Wall project.
>     
>     Since "The Big Brother is Watching you" is not accepted in Mozilla, I 
> thought Qihoo is not trustworthy in operating a CA.
>     
>     P.S. Anyone who knows to change the font size of google group? As a 
> non-english native speaker it is hard for me to read such a small size in the 
> content.
>     _______________________________________________
>     dev-security-policy mailing list
>     dev-security-policy@lists.mozilla.org
>     https://lists.mozilla.org/listinfo/dev-security-policy

Maybe my English is not good enough so you may mistaken my meaning. What I said 
is pointing out there may be a connection between Qihoo and GFW project. 
There's a lot of reports saying that 360 has reported their Shadowsocks/VPN 
server IP address and their server got banned. I am not supporting these 
reports and just tell everyone there are something about this. I do appericate 
what you and your team done to the security of China Internet. And personlly I 
am supporting survillance over Internet for public security. But when it comes 
to CA, I think Qihoo is not enough to operate a CA due to the security flaws 
and attitude shown at 360 Secure Browser and Greb may remember that.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to