Re: StartCom & Qihoo Incidents

2016-10-30 Thread Matt Palmer
On Sat, Oct 29, 2016 at 10:17:59PM -0700, Percy wrote: > On Saturday, October 29, 2016 at 5:54:10 PM UTC-7, Matt Palmer wrote: > > On Sat, Oct 29, 2016 at 02:59:07PM -0700, Percy wrote: > > > Perhaps not. However, Qihoo 360's behavior calls the trustworthiness of > > > the > > > entire company

Re: StartCom & Qihoo Incidents

2016-10-30 Thread Percy
On Wednesday, October 12, 2016 at 12:12:08 PM UTC-7, Ryan Sleevi wrote: > As Gerv suggested this was the official call for incidents with respect to > StartCom, it seems appropriate to start a new thread. > > It would seem that, in evaluating the relationship with WoSign and Qihoo, we >

Re: StartCom & Qihoo Incidents

2016-10-30 Thread He
On October 30, 2016 8:39:55 PM GMT+08:00, "谭晓生" wrote: >Nothing compelled by the gov to trust the self-issued certificates. > >It is because some very large websites like 12306.cn (the only online >entry point to buy railway tickets in China) and some government websites, >they

Re: StartCom & Qihoo Incidents

2016-10-30 Thread Han Yuwei
pefully to find a tradeoff between user experience and security. > > Thanks, > Xiaosheng Tan > > > From: Percy <percyal...@gmail.com> > Date: Sunday, October 30, 2016 at 4:01 PM > To: 晓生 谭 <tanxiaosh...@360.cn> > Cc: "mozilla-dev-security-pol...@lists.mozilla.org"

Re: StartCom & Qihoo Incidents

2016-10-30 Thread Gervase Markham
On 30/10/16 12:39, 谭晓生 wrote: > That's the dilemma we have: > Block access to self-issued certificates, and users will ignore the block and force-trust > the certificate, which trains bad behaviour, and users might switch to a > competitor's product. > Do not block access, and there is the possibility of a MITM

Re: StartCom & Qihoo Incidents

2016-10-30 Thread 谭晓生
Sunday 4:01 PM To: 晓生 谭 <tanxiaosh...@360.cn> Cc: "mozilla-dev-security-pol...@lists.mozilla.org" <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: StartCom & Qihoo Incidents As we observed the large scale MITM against iCloud, Outlook, Google and Github carried out

Re: [FORGED] Re: StartCom & Qihoo Incidents

2016-10-30 Thread Peter Gutmann
Percy writes: >As we observed the large scale MITM against iCloud, Outlook, Google and >Github carried out on the backbone router with self-signed certs, and that >the browsers explicitly load self-signed certs, I think it's clear that >browsers in China are compelled

Re: StartCom & Qihoo Incidents

2016-10-30 Thread Percy
As we observed the large scale MITM against iCloud, Outlook, Google and Github carried out on the backbone router with self-signed certs, and that the browsers explicitly load self-signed certs, I think it's clear that browsers in China are compelled by the gov to enable insecure cryptography

Re: StartCom & Qihoo Incidents

2016-10-30 Thread 谭晓生
Has anybody thought about why it happens in China? Why did the local browser not block the self-issued certificates? Thanks, Xiaosheng Tan On 2016/10/30 1:17 PM, "Percy" wrote: On Saturday, October 29, 2016 at 5:54:10 PM UTC-7, Matt Palmer wrote: > On Sat, Oct

Re: StartCom & Qihoo Incidents

2016-10-29 Thread Percy
On Saturday, October 29, 2016 at 5:54:10 PM UTC-7, Matt Palmer wrote: > On Sat, Oct 29, 2016 at 02:59:07PM -0700, Percy wrote: > > Perhaps not. However, Qihoo 360's behavior calls the trustworthiness of the > > entire company into question. And such trust, in my view, should be > > evaluated when

Re: StartCom & Qihoo Incidents

2016-10-29 Thread Matt Palmer
On Sat, Oct 29, 2016 at 02:59:07PM -0700, Percy wrote: > Perhaps not. However, Qihoo 360's behavior calls the trustworthiness of the > entire company into question. And such trust, in my view, should be > evaluated when WoSign/StartCom submit their re-inclusion requests in the > future. You can

Re: StartCom & Qihoo Incidents

2016-10-29 Thread Percy
Perhaps not. However, Qihoo 360's behavior calls the trustworthiness of the entire company into question. And such trust, in my view, should be evaluated when WoSign/StartCom submit their re-inclusion requests in the future. Percy Alpha(PGP

Re: StartCom & Qihoo Incidents

2016-10-29 Thread Peter Bowen
On Sat, Oct 29, 2016 at 2:29 PM, Percy wrote: > So 400 million Chinese users[1] are left vulnerable to MITM by even a casual > attacker and we cannot do anything about it!? As stated previously, it is not for one browser to tell another how to behave and the CA/Browser

Re: StartCom & Qihoo Incidents

2016-10-29 Thread Percy
So 400 million Chinese users[1] are left vulnerable to MITM by even a casual attacker and we cannot do anything about it!? [1]: http://se.360.cn/ ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

Re: StartCom & Qihoo Incidents

2016-10-28 Thread Percy
On Thursday, October 27, 2016 at 5:26:23 PM UTC-7, Erwann Abalea wrote: > On Thursday, October 27, 2016 09:55:09 UTC+2, Percy wrote: > > So this is it? Qihoo can continue to get away with this MITM browser? > > I'm afraid that can't be solved by Mozilla. Qihoo is free to sell or freely >

Re: StartCom & Qihoo Incidents

2016-10-27 Thread Erwann Abalea
On Thursday, October 27, 2016 09:55:09 UTC+2, Percy wrote: > So this is it? Qihoo can continue to get away with this MITM browser? I'm afraid that can't be solved by Mozilla. Qihoo is free to sell or freely distribute their browser.

Re: StartCom & Qihoo Incidents

2016-10-27 Thread Percy
So this is it? Qihoo can continue to get away with this MITM browser?

Re: StartCom & Qihoo Incidents

2016-10-23 Thread nessuno . acasa
On Sunday, October 23, 2016 at 7:56:16 AM UTC+3, Peter Bowen wrote: > is a wholly owned subsidiary of Tianjin Qixin Tongda Technology Co., > Ltd. > https://www.chinatechnews.com/2016/04/27/23475-qihoo-360s-privatization-approved-by-ndrc From the provided link, I am flabbergasted by the reason

Re: StartCom & Qihoo Incidents

2016-10-22 Thread Peter Gutmann
Peter Bowen writes: >I think you found the "wrong" True Thrive Limited. Ah, thanks. >This appears to just be a name collision. Naming is hard :( Actually if you think that's tough, try figuring out who the real Midco is... Peter.

Re: StartCom & Qihoo Incidents

2016-10-22 Thread Peter Bowen
On Sat, Oct 22, 2016 at 9:08 PM, Peter Gutmann wrote: > popcorn writes: > >>There were comments admonishing StartCom and WoSign for not reporting change >>of ownership in a timely manner. >> >>I am not sure if this has been reported earlier,

Re: StartCom & Qihoo Incidents

2016-10-22 Thread Peter Gutmann
popcorn writes: >There were comments admonishing StartCom and WoSign for not reporting change >of ownership in a timely manner. > >I am not sure if this has been reported earlier, but if not, then Qihoo 360 >change of ownership may be relevant to the current discussion:

Re: Mozilla Root Store Elsewhere (Was Re: StartCom & Qihoo Incidents)

2016-10-22 Thread Jakob Bohm
On 18/10/2016 20:40, Eric Mill wrote: The first thing that comes to mind is to define an intermediate representation of per-root constraints, that Mozilla can distribute alongside certdata.txt. The simplest piece would be name constraints, but incorporating things like CT constraints and

Re: StartCom & Qihoo Incidents

2016-10-19 Thread Michael Ströder
Peter Gutmann wrote: > Ryan Sleevi writes: > >> What is the goal of the root program? Should there be a higher bar for >> removing CAs than adding them? Does trust increase or decrease over time? > > Another thing I'd like to bring up is the absolute silence of the CAB forum >

Re: Mozilla Root Store Elsewhere (Was Re: StartCom & Qihoo Incidents)

2016-10-18 Thread Ryan Sleevi
On Tuesday, October 18, 2016 at 11:42:17 AM UTC-7, Eric Mill wrote: > I guess there's actually an RFC for something like this? > https://tools.ietf.org/html/rfc5914 But I haven't looked at it in depth to > see whether it's a good solution for this problem. I also don't think it > requires an RFC

Re: Mozilla Root Store Elsewhere (Was Re: StartCom & Qihoo Incidents)

2016-10-18 Thread Eric Mill
The first thing that comes to mind is to define an intermediate representation of per-root constraints, that Mozilla can distribute alongside certdata.txt. The simplest piece would be name constraints, but incorporating things like CT constraints and date-based constraints would clearly be

Re: Mozilla Root Store Elsewhere (Was Re: StartCom & Qihoo Incidents)

2016-10-18 Thread Ryan Hurst
Tom, On the topic of tooling I have a console tool, and library, that can be used to parse and filter various certificate stores, you can find it here: https://github.com/PeculiarVentures/tl-create Ryan

Mozilla Root Store Elsewhere (Was Re: StartCom & Qihoo Incidents)

2016-10-18 Thread Tom Ritter
On 18 October 2016 at 08:00, Jakob Bohm wrote: > On 18/10/2016 14:35, Gervase Markham wrote: >> >> On 17/10/16 16:35, Jakob Bohm wrote: >>> >>> In the not so distant past, the Mozilla root program was much more >>> useful due to different behavior: >>> >>> 1. Mozilla

Re: StartCom & Qihoo Incidents

2016-10-18 Thread Gervase Markham
On 18/10/16 06:00, Jakob Bohm wrote: > Non-https TLS is not (and should not be) a separate trust bit from > https, but sometimes the logic applicable to trust policies, BRs etc. > will be slightly different if one doesn't ignore non-https use of TLS. > I have encountered arguments and policies

Re: StartCom & Qihoo Incidents

2016-10-18 Thread Mathias Tausig
Ryan, can you tell us something about Google's plans concerning WoSign and StartCom? cheers Mathias On Sun, 2016-10-16 at 11:55 -0700, Ryan Sleevi wrote: > On Saturday, October 15, 2016 at 3:18:22 PM UTC-7, Eric Mill wrote: > > > > On Sat, Oct 15, 2016 at 4:31 AM, Peter Gutmann

Re: StartCom & Qihoo Incidents

2016-10-18 Thread Jakob Bohm
On 18/10/2016 14:35, Gervase Markham wrote: On 17/10/16 16:35, Jakob Bohm wrote: In the not so distant past, the Mozilla root program was much more useful due to different behavior: 1. Mozilla managed the root program based on an assumption that relying parties would use the common standard

Re: StartCom & Qihoo Incidents

2016-10-17 Thread Jakob Bohm
On 18/10/2016 01:22, Kurt Roeckx wrote: On Tue, Oct 18, 2016 at 12:39:42AM +0200, Kurt Roeckx wrote: On Tue, Oct 18, 2016 at 12:22:21AM +0200, Jakob Bohm wrote: Over the past few years, this has caused the Mozilla root list to become less and less useful for the rest of the open source world,

Re: StartCom & Qihoo Incidents

2016-10-17 Thread Kurt Roeckx
On Tue, Oct 18, 2016 at 12:39:42AM +0200, Kurt Roeckx wrote: > On Tue, Oct 18, 2016 at 12:22:21AM +0200, Jakob Bohm wrote: > > > > Over the past few years, this has caused the Mozilla root list to > > become less and less useful for the rest of the open source world, a > > fact which at least

Re: StartCom & Qihoo Incidents

2016-10-17 Thread Jakob Bohm
On 18/10/2016 00:39, Kurt Roeckx wrote: On Tue, Oct 18, 2016 at 12:22:21AM +0200, Jakob Bohm wrote: Over the past few years, this has caused the Mozilla root list to become less and less useful for the rest of the open source world, a fact which at least some of the Mozilla-root-list-copying

Re: StartCom & Qihoo Incidents

2016-10-17 Thread Gervase Markham
On 15/10/16 00:32, Peter Gutmann wrote: > I would have expected some sort of coordinating action to provide a unified > response to the issue and corresponding unified, consistent behaviour among > the browsers, rather than the current lottery as to what a particular browser > (other than Apple

Re: StartCom & Qihoo Incidents

2016-10-16 Thread Ryan Sleevi
On Saturday, October 15, 2016 at 3:18:22 PM UTC-7, Eric Mill wrote: > On Sat, Oct 15, 2016 at 4:31 AM, Peter Gutmann > wrote: > > > The only one who's openly addressed this > > seems to be Mozilla. > > > > It would certainly be nice if Mozilla weren't the only openly

Re: StartCom & Qihoo Incidents

2016-10-15 Thread Eric Mill
On Sat, Oct 15, 2016 at 4:31 AM, Peter Gutmann wrote: > The only one who's openly addressed this > seems to be Mozilla. > It would certainly be nice if Mozilla weren't the only openly operated root program. :) It seems to put Mozilla in the situation of being the

Re: StartCom & Qihoo Incidents

2016-10-15 Thread Peter Gutmann
Erwann Abalea writes: >And that's not CABF's duty and responsibility. What the CABF can impose on >CABF members is to follow the bylaws, the internal governance rules. By >following them, all members write the guidelines and decide on what changes >to adopt, and browsers then

Re: StartCom & Qihoo Incidents

2016-10-14 Thread Peter Bowen
On Fri, Oct 14, 2016 at 4:32 PM, Peter Gutmann wrote: > Peter Bowen writes: > >>The CA/Browser Forum is not a regulatory body. They publish guidelines but >>do not set requirements nor regulate compliance. > > It's a bit hard to describe its actual

Re: StartCom & Qihoo Incidents

2016-10-14 Thread Peter Gutmann
Peter Bowen writes: >The CA/Browser Forum is not a regulatory body. They publish guidelines but >do not set requirements nor regulate compliance. It's a bit hard to describe its actual functioning, in theory they just advise, but then so does ISO, IEEE, and others. They're

Re: StartCom & Qihoo Incidents

2016-10-14 Thread Peter Gutmann
Ryan Sleevi writes: >On Friday, October 14, 2016 at 3:44:50 PM UTC-7, Peter Gutmann wrote: >> Another thing I'd like to bring up is the absolute silence of the CAB forum >> over all this. > >It has not been. I haven't heard anything from them. If they've made any statements,

Re: StartCom & Qihoo Incidents

2016-10-14 Thread Ryan Sleevi
On Friday, October 14, 2016 at 3:44:50 PM UTC-7, Peter Gutmann wrote: > Another thing I'd like to bring up is the absolute silence of the CAB forum > over all this. It has not been. > Apple have quietly unilaterally distrusted, Mozilla have > debated at length (three months now) and are taking

Re: StartCom & Qihoo Incidents

2016-10-14 Thread Peter Gutmann
Ryan Sleevi writes: >What is the goal of the root program? Should there be a higher bar for >removing CAs than adding them? Does trust increase or decrease over time? Another thing I'd like to bring up is the absolute silence of the CAB forum over all this. Apple have quietly

Re: StartCom & Qihoo Incidents

2016-10-14 Thread Eddy Nigg
On 10/14/2016 01:00 PM, Gervase Markham wrote: K) StartCom impersonating mozilla.com. https://bugzilla.mozilla.org/show_bug.cgi?id=471702 StartCom's (former) CEO Eddy Nigg obtained a key and certificate for www.mozilla.com and placed it on an Internet-facing server. I do consider it a

Re: StartCom & Qihoo Incidents

2016-10-14 Thread Ryan Sleevi
On Friday, October 14, 2016 at 3:01:16 AM UTC-7, Gervase Markham wrote: > There are indeed more of these than I remember or knew about. Perhaps it > would have been sensible to start a StartCom issues list earlier. In my > defence, investigating one CA takes up a lot of time on its own, let >

Re: StartCom & Qihoo Incidents

2016-10-14 Thread Gervase Markham
On 12/10/16 20:11, Ryan Sleevi wrote: > As Gerv suggested this was the official call for incidents with > respect to StartCom, it seems appropriate to start a new thread. There are indeed more of these than I remember or knew about. Perhaps it would have been sensible to start a StartCom issues

Re: StartCom & Qihoo Incidents

2016-10-13 Thread solar
Indeed, Yahoo! has a bad reputation on both spyware/malware[1] and censorship[2]. Ironically, Yahoo! Assistant, the successor of 3721 Internet Assistant (also called 3721 helper), was identified as malware by 360Safe, which is a product of Qihoo 360.[3] In 2007, Eric Yang, the co-founder and CEO

Re: StartCom & Qihoo Incidents

2016-10-13 Thread nessuno . acasa
On Thursday, October 13, 2016 at 7:51:11 PM UTC+3, Jakob Bohm wrote: > I just skimmed it, and that just looks like Qihoo 360 acquired some > other companies that I don't recognize and did so by technically > merging the company while concentrating ownership with the existing > Qihoo 360

Re: StartCom & Qihoo Incidents

2016-10-13 Thread amelyee
Just add more info: WireLurker Virus on iOS and OS X https://beijingtoday.com.cn/2014/11/wirelurker-virus-cripples-qihoo-360s-credibility/

Re: StartCom & Qihoo Incidents

2016-10-13 Thread handleft
360 and 周鸿祎 are both shameless.

Re: StartCom & Qihoo Incidents

2016-10-13 Thread galaxy001
According to this newspaper, 360 did join the GFW project on 2012-07-02. http://web.archive.org/web/20120705031419/http://www.21cbh.com/HTML/2012-7-2/2NMDM2XzQ2NTU2Nw.html However, the chief of 360, 周鸿祎, personally said it is not true on a local SNS site. On Thursday, October 13, 2016 at

Re: StartCom & Qihoo Incidents

2016-10-13 Thread 谭晓生
Are there any words saying "award to Qihoo to recognize their long time support for censorship"? It is an official thank-you letter from The Ministry of Public Security of the People's Republic of China, the equivalent organization to the FBI of the U.S.; it thanks my team and myself for joining the

Re: StartCom & Qihoo Incidents

2016-10-13 Thread Han Yuwei
On Thursday, October 13, 2016 at 2:01:19 PM UTC+8, yliv...@gmail.com wrote: > Would this be enough? > http://www.cac.gov.cn/2016-09/19/c_1119583763.htm > > On Thursday, October 13, 2016 at 10:58:34 AM UTC+8, 谭晓生 wrote: > > Yuwei, > > I don't know who you are, but I can tell you and the community, Qihoo 360 > > has never

Re: StartCom & Qihoo Incidents

2016-10-13 Thread Han Yuwei
On Thursday, October 13, 2016 at 10:58:34 AM UTC+8, 谭晓生 wrote: > Yuwei, > I don't know who you are, but I can tell you and the community, Qihoo 360 > has never been involved in the * Fire Wall project; if you did some investigation > into the message that accused Qihoo 360 of joining the project "Search Engine > Content

Re: StartCom & Qihoo Incidents

2016-10-13 Thread solar
Some more information. 3721 helper, the most notorious malware in China, was created by Hongyi Zhou and his company 3721 in 1998. According to Mr. Tan's bio, he was the development director of 3721. So I believe he directly participated in and led the development of the malware. There is

Re: StartCom & Qihoo Incidents

2016-10-13 Thread 谭晓生
The information on Baidu Baike is not correct; I tried to correct it, but failed, I don't know why. I have been Vice President of Qihoo 360 since the end of 2009, was also installed as Chief Privacy Officer on 15 March 2012, and have been titled Chief Security Officer of Qihoo 360 since Feb 2016. I have never been

Re: StartCom & Qihoo Incidents

2016-10-13 Thread Eddy Nigg
On 10/12/2016 10:11 PM, Ryan Sleevi wrote: As Gerv suggested this was the official call for incidents with respect to StartCom, it seems appropriate to start a new thread. Ryan, it was probably easy to dig up any possible claimed or proven issue ever surrounding StartCom during its ~ 10

Re: StartCom & Qihoo Incidents

2016-10-13 Thread solar
Mr. Xiaosheng Tan According to the page of your personal details (http://baike.baidu.com/view/4571996.htm) in Baidu BaiKe, currently you are the CTO and VP of Qihoo. And you have a long record of working and even studying with Hongyi Zhou, the CEO and the owner of Qihoo, who was entitled as

Re: StartCom & Qihoo Incidents

2016-10-13 Thread 谭晓生
There could be multiple books to tell the story of Qihoo 360 and Mr. Hongyi Zhou. Qihoo 360 fought with Baidu, Alibaba & Tencent, the three largest internet companies of China, in the past 10 years; there were a lot of lawsuits there, win and lose together; the ecosystem of the China internet is a

Re: StartCom & Qihoo Incidents

2016-10-13 Thread 谭晓生
Things got interesting: the webpage is about the 19 internet security researchers honored by the Chinese government. Some of them are university professors, like Professor Xiaoyun Wang, who contributed a lot to cryptology (MD5), Min Yang, Haixin Duan, Jianwei Liu, Xingshu Chen……, and the fellow of

Re: StartCom & Qihoo Incidents

2016-10-13 Thread zjuniverse
The person who founded Qihoo 360, Hongyi Zhou (周鸿祎), is the creator of the malware named 3721. 3721 was the most widely spread malware in China before the company Qihoo 360 was founded. The reason that "360安全卫士" (360 Total Security), which is the most important product of Qihoo 360, became

Re: StartCom & Qihoo Incidents

2016-10-13 Thread anklm
You have mentioned "Qihoo masking their browser as a critical Windows security update to IE users.", but their browser is fully insecure. "Qihoo 360 Safe Browser" ignores SSL certificate errors and opens the page directly with cookies. First seen 2014:

Re: StartCom & Qihoo Incidents

2016-10-13 Thread ylivan09
Would this be enough? http://www.cac.gov.cn/2016-09/19/c_1119583763.htm On Thursday, October 13, 2016 at 10:58:34 AM UTC+8, 谭晓生 wrote: > Yuwei, > I don't know who you are, but I can tell you and the community, Qihoo 360 > has never been involved in the * Fire Wall project; if you did some

Re: StartCom & Qihoo Incidents

2016-10-12 Thread 谭晓生
Yuwei, I don't know who you are, but I can tell you and the community, Qihoo 360 has never been involved in the * Fire Wall project; if you did some investigation into the message that accused Qihoo 360 of joining the project "Search Engine Content Security Management System", you should know the

Re: StartCom & Qihoo Incidents

2016-10-12 Thread Percy
Chinese Wikipedia has well-documented controversies surrounding Qihoo 360. Unfortunately, they are not translated into the English Wikipedia. So please go to https://zh.wikipedia.org/wiki/%E5%A5%87%E8%99%8E360#.E5.95.86.E4.B8.9A.E7.9F.9B.E7.9B.BE.E4.B8.8E.E4.BA.89.E8.AE.AE.E4.BA.8B.E4.BB.B6 and

Re: StartCom & Qihoo Incidents

2016-10-12 Thread Han Yuwei
On Thursday, October 13, 2016 at 3:12:08 AM UTC+8, Ryan Sleevi wrote: > As Gerv suggested this was the official call for incidents with respect to > StartCom, it seems appropriate to start a new thread. > > It would seem that, in evaluating the relationship with WoSign and Qihoo, we > naturally reach three possible

Re: StartCom & Qihoo Incidents

2016-10-12 Thread Percy
I'd also like to point out that Qihoo 360 cheated in all anti-virus tests http://www.computerworld.com/article/2917384/malware-vulnerabilities/antivirus-test-labs-call-out-chinese-security-company-as-cheat.html When Qihoo was caught out, Qihoo turned it into a marketing campaign, calling AV-C