On Sat, Oct 29, 2016 at 10:17:59PM -0700, Percy wrote:
> On Saturday, October 29, 2016 at 5:54:10 PM UTC-7, Matt Palmer wrote:
> > On Sat, Oct 29, 2016 at 02:59:07PM -0700, Percy wrote:
> > > Perhaps not. However, Qihoo 360's behavior calls the trustworthiness of
> > > the
> > > entire company
On Wednesday, October 12, 2016 at 12:12:08 PM UTC-7, Ryan Sleevi wrote:
> As Gerv suggested this was the official call for incidents with respect to
> StartCom, it seems appropriate to start a new thread.
>
> It would seem that, in evaluating the relationship with WoSign and Qihoo, we
>
On October 30, 2016 8:39:55 PM GMT+08:00, "谭晓生" wrote:
>Nothing compelled by the gov to trust the self-issued certificates.
>
>It is because some very large website like 12306.cn(the only one online
>entry to buy rail way tickets in China) and some government websites,
>they
pefully to find a tradeoff between user experience and security.
>
> Thanks,
> Xiaosheng Tan
>
>
> From: Percy <percyal...@gmail.com>
> Date: Sunday, October 30, 2016, 4:01 PM
> To: 晓生 谭 <tanxiaosh...@360.cn>
> Cc: "mozilla-dev-security-pol...@lists.mozilla.org"
On 30/10/16 12:39, 谭晓生 wrote:
> That's the dilemma we have:
> Block the access to self-issued certificates, and users will ignore it and
> force-trust the certificate, bad behavior training, and users might change to
> a competitor's product.
> Do not block the access, and there is the possibility of MITM
Sunday 4:01 PM
To: 晓生 谭 <tanxiaosh...@360.cn>
Cc: "mozilla-dev-security-pol...@lists.mozilla.org"
<mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: StartCom & Qihoo Incidents
As we observed the large scale MITM against iCloud, Outlook, Google and Github
carried out
Percy writes:
>As we observed the large scale MITM against iCloud, Outlook, Google and
>Github carried out on the backbone router with self-signed certs, and that
>the browsers explicitly load self-signed certs, I think it's clear that
>browsers in China are compelled
As we observed the large scale MITM against iCloud, Outlook, Google and
Github carried out on the backbone router with self-signed certs, and that
the browsers explicitly load self-signed certs, I think it's clear
that browsers in China are compelled by the gov to enable insecure
cryptography
Has anybody thought about why it happens in China? Why did the local browser
not block the self-issued certificates?
Thanks,
Xiaosheng Tan
On 2016/10/30 1:17 PM, "Percy" wrote:
On Saturday, October 29, 2016 at 5:54:10 PM UTC-7, Matt Palmer wrote:
> On Sat, Oct
On Saturday, October 29, 2016 at 5:54:10 PM UTC-7, Matt Palmer wrote:
> On Sat, Oct 29, 2016 at 02:59:07PM -0700, Percy wrote:
> > Perhaps not. However, Qihoo 360's behavior calls the trustworthiness of the
> > entire company into question. And such trust, in my view, should be
> > evaluated when
On Sat, Oct 29, 2016 at 02:59:07PM -0700, Percy wrote:
> Perhaps not. However, Qihoo 360's behavior calls the trustworthiness of the
> entire company into question. And such trust, in my view, should be
> evaluated when WoSign/StartCom submit their re-inclusion requests in the
> future.
You can
Perhaps not. However, Qihoo 360's behavior calls the trustworthiness of the
entire company into question. And such trust, in my view, should be
evaluated when WoSign/StartCom submit their re-inclusion requests in the
future.
Percy Alpha(PGP
On Sat, Oct 29, 2016 at 2:29 PM, Percy wrote:
> So 400 million Chinese users[1] are left vulnerable to MITM by even a casual
> attacker and we cannot do anything about it!?
As stated previously, it is not for one browser to tell another how to
behave and the CA/Browser
So 400 million Chinese users[1] are left vulnerable to MITM by even a casual
attacker and we cannot do anything about it!?
[1]: http://se.360.cn/
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
On Thursday, October 27, 2016 at 5:26:23 PM UTC-7, Erwann Abalea wrote:
> Le jeudi 27 octobre 2016 09:55:09 UTC+2, Percy a écrit :
> > So this is it? Qihoo can continue to get away with this MITM browser?
>
> I'm afraid that can't be solved by Mozilla. Qihoo is free to sell or freely
>
Le jeudi 27 octobre 2016 09:55:09 UTC+2, Percy a écrit :
> So this is it? Qihoo can continue to get away with this MITM browser?
I'm afraid that can't be solved by Mozilla. Qihoo is free to sell or freely
distribute their browser.
So this is it? Qihoo can continue to get away with this MITM browser?
On Sunday, October 23, 2016 at 7:56:16 AM UTC+3, Peter Bowen wrote:
> is a wholly owned subsidiary of Tianjin Qixin Tongda Technology Co.,
> Ltd.
> https://www.chinatechnews.com/2016/04/27/23475-qihoo-360s-privatization-approved-by-ndrc
From the provided link, I am flabbergasted by the reason
Peter Bowen writes:
>I think you found the "wrong" True Thrive Limited.
Ah, thanks.
>This appears to just be a name collision. Naming is hard :(
Actually if you think that's tough, try figuring out who the real Midco is...
Peter.
On Sat, Oct 22, 2016 at 9:08 PM, Peter Gutmann
wrote:
> popcorn writes:
>
>>There were comments admonishing StartCom and WoSign for not reporting change
>>of ownership in a timely manner.
>>
>>I am not sure if this has been reported earlier,
popcorn writes:
>There were comments admonishing StartCom and WoSign for not reporting change
>of ownership in a timely manner.
>
>I am not sure if this has been reported earlier, but if not, then Qihoo 360
>change of ownership may be relevant to the current discussion:
On 18/10/2016 20:40, Eric Mill wrote:
The first thing that comes to mind is to define an intermediate
representation of per-root constraints, that Mozilla can distribute
alongside certdata.txt.
The simplest piece would be name constraints, but incorporating things like
CT constraints and
Peter Gutmann wrote:
> Ryan Sleevi writes:
>
>> What is the goal of the root program? Should there be a higher bar for
>> removing CAs than adding them? Does trust increase or decrease over time?
>
> Another thing I'd like to bring up is the absolute silence of the CAB forum
>
On Tuesday, October 18, 2016 at 11:42:17 AM UTC-7, Eric Mill wrote:
> I guess there's actually an RFC for something like this?
> https://tools.ietf.org/html/rfc5914 But I haven't looked at it in depth to
> see whether it's a good solution for this problem. I also don't think it
> requires an RFC
The first thing that comes to mind is to define an intermediate
representation of per-root constraints, that Mozilla can distribute
alongside certdata.txt.
The simplest piece would be name constraints, but incorporating things like
CT constraints and date-based constraints would clearly be
Tom,
On the topic of tooling I have a console tool, and library, that can be used to
parse and filter various certificate stores, you can find it here:
https://github.com/PeculiarVentures/tl-create
Ryan
On 18 October 2016 at 08:00, Jakob Bohm wrote:
> On 18/10/2016 14:35, Gervase Markham wrote:
>>
>> On 17/10/16 16:35, Jakob Bohm wrote:
>>>
>>> In the not so distant past, the Mozilla root program was much more
>>> useful due to different behavior:
>>>
>>> 1. Mozilla
On 18/10/16 06:00, Jakob Bohm wrote:
> Non-https TLS is not (and should not be) a separate trust bit from
> https, but sometimes the logic applicable to trust policies, BRs etc.
> will be slightly different if one doesn't ignore non-https use of TLS.
> I have encountered arguments and policies
Ryan, can you tell us something about Google's plans concerning WoSign and
StartCom?
cheers
Mathias
On Sun, 2016-10-16 at 11:55 -0700, Ryan Sleevi wrote:
> On Saturday, October 15, 2016 at 3:18:22 PM UTC-7, Eric Mill wrote:
> >
> > On Sat, Oct 15, 2016 at 4:31 AM, Peter Gutmann
On 18/10/2016 14:35, Gervase Markham wrote:
On 17/10/16 16:35, Jakob Bohm wrote:
In the not so distant past, the Mozilla root program was much more
useful due to different behavior:
1. Mozilla managed the root program based on an assumption that relying
parties would use the common standard
On 18/10/2016 01:22, Kurt Roeckx wrote:
On Tue, Oct 18, 2016 at 12:39:42AM +0200, Kurt Roeckx wrote:
On Tue, Oct 18, 2016 at 12:22:21AM +0200, Jakob Bohm wrote:
Over the past few years, this has caused the Mozilla root list to
become less and less useful for the rest of the open source world,
On Tue, Oct 18, 2016 at 12:39:42AM +0200, Kurt Roeckx wrote:
> On Tue, Oct 18, 2016 at 12:22:21AM +0200, Jakob Bohm wrote:
> >
> > Over the past few years, this has caused the Mozilla root list to
> > become less and less useful for the rest of the open source world, a
> > fact which at least
On 18/10/2016 00:39, Kurt Roeckx wrote:
On Tue, Oct 18, 2016 at 12:22:21AM +0200, Jakob Bohm wrote:
Over the past few years, this has caused the Mozilla root list to
become less and less useful for the rest of the open source world, a
fact which at least some of the Mozilla-root-list-copying
On 15/10/16 00:32, Peter Gutmann wrote:
> I would have expected some sort of coordinating action to provide a unified
> response to the issue and corresponding unified, consistent behaviour among
> the browsers, rather than the current lottery as to what a particular browser
> (other than Apple
On Saturday, October 15, 2016 at 3:18:22 PM UTC-7, Eric Mill wrote:
> On Sat, Oct 15, 2016 at 4:31 AM, Peter Gutmann
> wrote:
>
> > The only one who's openly addressed this
> > seems to be Mozilla.
> >
>
> It would certainly be nice if Mozilla weren't the only openly
On Sat, Oct 15, 2016 at 4:31 AM, Peter Gutmann
wrote:
> The only one who's openly addressed this
> seems to be Mozilla.
>
It would certainly be nice if Mozilla weren't the only openly operated root
program. :)
It seems to put Mozilla in the situation of being the
Erwann Abalea writes:
>And that's not CABF's duty and responsibility. What the CABF can impose to
>CABF members is to follow the bylaws, the internal governance rules. By
>following them, all members write the guidelines and decide on what changes
>to adopt, and browsers then
On Fri, Oct 14, 2016 at 4:32 PM, Peter Gutmann
wrote:
> Peter Bowen writes:
>
>>The CA/Browser Forum is not a regulatory body. They publish guidelines but
>>do not set requirements nor regulate compliance.
>
> It's a bit hard to describe its actual
Peter Bowen writes:
>The CA/Browser Forum is not a regulatory body. They publish guidelines but
>do not set requirements nor regulate compliance.
It's a bit hard to describe its actual functioning, in theory they just
advise, but then so does ISO, IEEE, and others. They're
Ryan Sleevi writes:
>On Friday, October 14, 2016 at 3:44:50 PM UTC-7, Peter Gutmann wrote:
>> Another thing I'd like to bring up is the absolute silence of the CAB forum
>> over all this.
>
>It has not been.
I haven't heard anything from them. If they've made any statements,
On Friday, October 14, 2016 at 3:44:50 PM UTC-7, Peter Gutmann wrote:
> Another thing I'd like to bring up is the absolute silence of the CAB forum
> over all this.
It has not been.
> Apple have quietly unilaterally distrusted, Mozilla have
> debated at length (three months now) and are taking
Ryan Sleevi writes:
>What is the goal of the root program? Should there be a higher bar for
>removing CAs than adding them? Does trust increase or decrease over time?
Another thing I'd like to bring up is the absolute silence of the CAB forum
over all this. Apple have quietly
On 10/14/2016 01:00 PM, Gervase Markham wrote:
K) StartCom impersonating mozilla.com.
https://bugzilla.mozilla.org/show_bug.cgi?id=471702 StartCom's
(former) CEO Eddy Nigg obtained a key and certificate for
www.mozilla.com and placed it on an Internet-facing server.
I do consider it a
On Friday, October 14, 2016 at 3:01:16 AM UTC-7, Gervase Markham wrote:
> There are indeed more of these than I remember or knew about. Perhaps it
> would have been sensible to start a StartCom issues list earlier. In my
> defence, investigating one CA takes up a lot of time on its own, let
>
On 12/10/16 20:11, Ryan Sleevi wrote:
> As Gerv suggested this was the official call for incidents with
> respect to StartCom, it seems appropriate to start a new thread.
There are indeed more of these than I remember or knew about. Perhaps it
would have been sensible to start a StartCom issues
Indeed, Yahoo! has a bad reputation on both spyware/malware[1] and censorship[2].
Ironically, Yahoo! Assistant, the successor of 3721 Internet Assistant (also
called 3721 helper), was identified as malware by 360Safe, which is a product of
Qihoo 360.[3]
In 2007, Eric Yang, the co-founder and CEO
On Thursday, October 13, 2016 at 7:51:11 PM UTC+3, Jakob Bohm wrote:
> I just skimmed it, and that just looks like Qihoo 360 acquired some
> other companies that I don't recognize and did so by technically
> merging the company while concentrating ownership with the existing
> Qihoo 360
Just to add more info: WireLurker Virus on iOS and OS X
https://beijingtoday.com.cn/2014/11/wirelurker-virus-cripples-qihoo-360s-credibility/
360 and 周鸿祎 are both shameless.
According to this newspaper, 360 did join the GFW project on 2012-07-02.
http://web.archive.org/web/20120705031419/http://www.21cbh.com/HTML/2012-7-2/2NMDM2XzQ2NTU2Nw.html
However, the chief of 360, 周鸿祎, personally said it is not true on a local SNS
site.
On Thursday, October 13, 2016 at
Are there any words saying "award to Qihoo to recognize their long time support
for censorship"?
It is an official thanks letter from The Ministry of Public Security of the
People's Republic of China, the equivalent of the FBI in the U.S.; it
thanks my team and myself for joining the
On Thursday, October 13, 2016 at 2:01:19 PM UTC+8, yliv...@gmail.com wrote:
> Would this be enough?
> http://www.cac.gov.cn/2016-09/19/c_1119583763.htm
>
> On Thursday, October 13, 2016 at 10:58:34 AM UTC+8, 谭晓生 wrote:
> > Yuwei,
> > I don’t know who you are, but I can tell you and the community, Qihoo 360
> > never
On Thursday, October 13, 2016 at 10:58:34 AM UTC+8, 谭晓生 wrote:
> Yuwei,
> I don't know who you are, but I can tell you and the community, Qihoo 360
> has never been involved in the * Fire Wall project; if you did some investigation
> into the message that accused Qihoo 360 of joining the project "Search Engine
> Content
Some more information.
3721 helper, the most notorious malware in China, was created by Hongyi Zhou and
his company 3721 in 1998. According to Mr. Tan's bio, he was the development
director of 3721. So I believe he directly participated in and led the
development of the malware.
There is
The information on Baidu Baike is not correct; I tried to correct it but
failed, I don't know why.
I have been the Vice President of Qihoo 360 since the end of 2009, installed as Chief
Privacy Officer from 15th March 2012 as well, and titled Chief Security Officer
of Qihoo 360 from Feb 2016; I have never been
On 10/12/2016 10:11 PM, Ryan Sleevi wrote:
As Gerv suggested this was the official call for incidents with respect to
StartCom, it seems appropriate to start a new thread.
Ryan, it was probably easy to dig up any possible claimed or proven
issue ever surrounding StartCom during its ~ 10
Mr. Xiaosheng Tan
According to the page of your personal details
(http://baike.baidu.com/view/4571996.htm) on Baidu Baike, you are currently the
CTO and VP of Qihoo. And you have a long record of working and even studying
with Hongyi Zhou, the CEO and the owner of Qihoo, who was entitled as
There could be multiple books to tell the story of Qihoo 360 and Mr. Hongyi
Zhou. Qihoo 360 fought with Baidu, Alibaba & Tencent, the three largest
internet companies of China, in the past 10 years; there were a lot of lawsuits
there, wins and losses together, the ecosystem of the China internet is a
Things got interesting: the webpage is about the 19 internet security
researchers honored by the China government, some of them are professors of universities, like
Professor Xiaoyun Wang who contributed a lot on cryptology (MD5), Min
Yang, Haixin Duan, Jianwei Liu, Xingshu Chen……, and the fellow of
The person who founded Qihoo 360, Hongyi Zhou (周鸿祎), is the creator of the
malware named 3721. 3721 was the most widely spread malware in China before the
company Qihoo 360 was founded. The reason that "360安全卫士" (360 Total Security),
which is the most important product of Qihoo 360, became
You have mentioned "Qihoo masking their browser as a critical Windows security
update to IE users.", but their browser is fully insecure.
"Qihoo 360 Safe Browser" ignores SSL certificate errors and opens the page directly
with cookies.
First seen 2014:
Would this be enough?
http://www.cac.gov.cn/2016-09/19/c_1119583763.htm
On Thursday, October 13, 2016 at 10:58:34 AM UTC+8, 谭晓生 wrote:
> Yuwei,
> I don't know who you are, but I can tell you and the community, Qihoo 360
> has never been involved in the * Fire Wall project; if you did some
Yuwei,
I don't know who you are, but I can tell you and the community, Qihoo 360 has never
been involved in the * Fire Wall project; if you did some investigation into the
message that accused Qihoo 360 of joining the project "Search Engine Content
Security Management System", you should know the
The Chinese wikipedia has well documented controversies surrounding Qihoo 360.
Unfortunately, it's not translated into the English Wikipedia. So please go to
https://zh.wikipedia.org/wiki/%E5%A5%87%E8%99%8E360#.E5.95.86.E4.B8.9A.E7.9F.9B.E7.9B.BE.E4.B8.8E.E4.BA.89.E8.AE.AE.E4.BA.8B.E4.BB.B6
and
On Thursday, October 13, 2016 at 3:12:08 AM UTC+8, Ryan Sleevi wrote:
> As Gerv suggested this was the official call for incidents with respect to
> StartCom, it seems appropriate to start a new thread.
>
> It would seem that, in evaluating the relationship with WoSign and Qihoo, we
> naturally reach three possible
I'd also like to point out that Qihoo 360 cheated in all anti-virus tests
http://www.computerworld.com/article/2917384/malware-vulnerabilities/antivirus-test-labs-call-out-chinese-security-company-as-cheat.html
When Qihoo was caught out, Qihoo turned it into a marketing campaign, calling
AV-C