Dear members.

I have conducted a background check on HiCA administrator Xiaohui Lam and 
would like to share the following with you. These findings are for 
reference only, so please evaluate them for yourself.

First, in 2013, Xiaohui Lam hijacked AFF promotions by exploiting 
vulnerabilities in Aliyun forums, defrauded hostloc members by installing 
backdoors in Discuz forum plugins, and stole others' social accounts 
through leaked data from CSDN [^1].

Second, in 2015, Xiaohui Lam exploited a vulnerability in the GlobalSign 
system to sell a large number of 5-year wildcard certificates, but all 
certificates were revoked after they were discovered [^2].

I would like to emphasize that these are past actions of the HiCA 
administrator and I do not think he will repeat the same mistakes again. 
However, these events show that he is not a developer who knows very little 
about security. In the past, he has been someone who knew how to mine 
vulnerabilities, exploit them, and commit fraud and make threats against 
customers.

Based on the above findings, I believe we need to take the following steps:

1. Considering that on his official website he suggested that users execute 
his script, which uses RCE[^3], with root privileges, we should send a 
reminder email to all users who have applied for a certificate, asking them 
to evaluate whether there is unauthorized code on their machines.

2. The query results show that Mr. Lam has two CAs: HiCA and Quantum CA. 
The website given in the registration information for Quantum CA is 
acme.hi.cn. We then need to confirm whether they are using the same 
infrastructure and whether Quantum CA also uses RCE to issue certificates 
[^4].

Mr. Lam has shut down HiCA's infrastructure after he was found to be using 
RCE, but we still need to do a more detailed assessment.

As a member of the community, I believe transparency and trust are vital to 
us. I hope Mr. Lam will provide the community with a more complete 
statement and evidence so that the community can evaluate this incident.

[^1]: 
https://web.archive.org/web/20130816004143/http://bbs.aliyun.com/read.php?tid=144441
[^2]: https://v2ex.com/t/178503?p=1
[^3]: 
https://web.archive.org/web/20230325041716/http://www1.hi.cn/docs/getting-started/acme.sh-installation
[^4]: https://www.tianyancha.com/company/5599034293
      https://www.tianyancha.com/company/3435468365
On Friday, June 16, 2023 at 06:00:39 UTC+8, <John Liptak> wrote:

> > First, the cryptography license is mandatory only for CAs 
> > (organizations who operate PKI facilities);
>
> You are operating a CRL & OCSP server in China, right?
>
> > Secondly, there are many sole proprietorships (self-employed people) who 
> > are also selling SSL digital certificates and running their own websites, 
> > which are totally unable to enroll in ICP Registration License.
>
> Just because someone else is doing the same thing doesn't mean it's not 
> illegal.
>
> > Your post is completely veering off topic.
>
> I'm concerned with SSL.com CP/CPS 5.3.1. It claims "SSL.com verifies the 
> identity and trustworthiness of all personnel, whether as an employee,
> agent, or an independent contractor, prior to the engagement of such 
> person(s)."
>
> If an independent contractor operates illegally in his/her country, how 
> can he/she be considered trustworthy?
>
