On Sunday, December 18, 2016 at 5:45:16 PM UTC-8, Richard Wang wrote:
> I wish everyone can talk about this case friendly and equally.
>
> It is very common that everyone can register any domain based on the first
> come and first service rule.
>
> We know Let's Encrypt is released after the public announcement, but two days
> later, its .cn domain is still not registered, I think maybe it is caused by
> the strict registration rule in China, so I registered it for protection that
> not registered by Cornbug.
>
> We don’t use those domains for any WoSign's services that we provide similar
> service: https://pki.click/index_En.htm (SSL Wizard, StartEncrypt)
>
> Now, if Mozilla or Let’s Encrypt contact me officially and request to
> transfer the two domains to them, no any problem, we can transfer to them for
> FREE!
>
> But please notice that this arrangement is for friendship, not for others
> ......
>
>
> Best Regards,
>
> Richard
>
> -----Original Message-----
> From: dev-security-policy
> [mailto:[email protected]] On
> Behalf Of [email protected]
> Sent: Saturday, December 17, 2016 1:34 AM
> To: [email protected]
> Subject: wosign and letsencrypt.cn / letsencrypt.com.cn
>
> It seems that wosign has registered the domains letsencrypt.cn and
> letsencrypt.com.cn in 2014 after the public announce of Let's Encrypt :
>
> whois letsencrypt.cn
> Domain Name: letsencrypt.cn
> ROID: 20141120s10001s72911711-cn
> Domain Status: clientTransferProhibited
> Registrant ID: k35-n2041486_00
> Registrant: 深圳市沃通电子商务服务有限公司
> Registrant Contact Email: [email protected]
> Sponsoring Registrar: 厦门三五互联科技股份有限公司
> Name Server: ns3.dns-diy.com
> Name Server: ns4.dns-diy.com
> Registration Time: 2014-11-20 09:57:27
> Expiration Time: 2017-11-20 09:57:27
> DNSSEC: unsigned
>
> whois letsencrypt.com.cn
> Domain Name: letsencrypt.com.cn
> ROID: 20141120s10011s84227837-cn
> Domain Status: clientTransferProhibited
> Registrant ID: k35-n2041486_00
> Registrant: 深圳市沃通电子商务服务有限公司
> Registrant Contact Email: [email protected]
> Sponsoring Registrar: 厦门三五互联科技股份有限公司
> Name Server: ns3.dns-diy.com
> Name Server: ns4.dns-diy.com
> Registration Time: 2014-11-20 09:57:28
> Expiration Time: 2017-11-20 09:57:28
>
> Let's Encrypt was announced publicly on November 18, 2014 (
> http://www.crn.com/news/cloud/300074840/lets-encrypt-a-free-and-automated-certificate-authority-comes-out-of-stealth-mode.htm
> ). That domain appears to be registered two days after.
>
> Certificate authorities are about trust. I don't feel comfortable about a CA
> registering a domain matching the name of another CA. What is the position of
> Mozilla about that?
> Maybe Let's Encrypt or wosign have more information about these domains?
>
> https://community.letsencrypt.org/t/letsencrypt-cn-and-letsencrypt-com-cn-was-registered-by-wosign/23786
>
> Other relevant thread: Comodo Legal Phishing attack against ISRG?
> https://groups.google.com/d/msg/mozilla.dev.security.policy/n-8kcrSuhjg/WKj-PAI2BgAJ
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

I found WoSign's explanation completely incredulous. WoSign has been sending **unsolicited** marketing emails to websites that use Let's Encrypt certs, essentially saying Let's Encrypt might revoke certs at will and asking users to switch to WoSign (Email attached).

After I posted on the forum about this, WoSign stated "From the screenshot, we know why Percy hate WoSign so deeply, we know he represent which CA[Let's Encrypt], everything[about all those incidents surrounding WoSign that led to its distrust] is clear now." (https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/IxnAbfFGDQAJ)

I find it hard to believe that if WoSign thought Let's Encrypt is a company that will send a troll to undermine WoSign, WoSign would register Let's Encrypt's domain to protect Let's Encrypt's trademark. (Admittedly, WoSign's accusation of me came later but I'm assuming his attitude towards Let's Encrypt is the same over the years).

-----

This is a typical unsolicited marketing email they sent to Let's Encrypt users.
https://pbs.twimg.com/media/CrXf7w3W8AA2zd7.jpg:large

Translated below.

-------

Dear friend:

I'm *** from WoSign CA. WoSign is the first SSL cert company in China. Your website *****'s SSL cert is from Let's Encrypt, expiring at Oct, 2016. If you switch to WoSign before the expiration you can enjoy buy one year get one year free.

The risks associated with foreign CA:

1. Cert revocation
If foreign CA is influenced by politics and revoke certs for important Chinese organizations, the entire system will be paralyzed.

2. Information security risks
If the website uses foreign certs, users need to send information to foreign servers in every visit. Time of the visit, the location of the visit, IP addresses, and the browser, frequency of the visits are all collected by foreign CA. This will leak commercial secrets and sensitive data, and is very risky!

3. Server latency
Foreign CA cannot provide 24*7 local support. Servers are overseas and affected by submarine cables, latency is 10X. If something happens to submarine cables, and cert revocation list is not accessible, important systems with foreign certs will be paralyzed. In 2012, there was an incident in which submarine cables were broken.

.... (contact info stuff)

Best regards and thanks,
WoSign CA Limited.

