Hi Security team,
I have 2 questions which I would be grateful if you can help with.
I have seen various posts mentioning that after 1 of January 2017, browsers
will stop support of SHA1 signed CAs. I am looking into a way to identify
which WEB sites will not work until new certificate is applied and
On 12/10/16 14:46, Konstantinos Tsimaris wrote:
> I have seen various posts mentioning that after 1 of January 2017, browsers
> will stop support of SHA1 signed CAs. I am looking into a way to identify
> which WEB sites will not work until new certificate is applied and
> demonstrate that after cha
On Wednesday, 12 October 2016 14:50:22 UTC+1, Gervase Markham wrote:
> However, we would counsel all sites to move
> away from SHA-1 as the user experience will be as bad as the security.
A message I've seen from some security vendors, that I don't want us
reinforcing, is the idea that the SHA-1
On 09/10/2016 15:54, 谭晓生 wrote:
Dear All,
This is the information that would be released by Inigo in the coming week,
Percy asked me to answer the question, so, it is here:
...
3. PKI – signing service
Code: Same code with WoSign’s one.
Server: Shared Server.
Location: The primary one
As Gerv suggested this was the official call for incidents with respect to
StartCom, it seems appropriate to start a new thread.
It would seem that, in evaluating the relationship with WoSign and Qihoo, we
naturally reach three possible conclusions:
1) StartCom is treated as an independent entit
I'd also like to point out the Qihoo 360 cheated in all anti-virus tests
http://www.computerworld.com/article/2917384/malware-vulnerabilities/antivirus-test-labs-call-out-chinese-security-company-as-cheat.html
When Qihoo was caught out, Qihoo turned it into a market campaign, calling
AV-C outdat
On Thursday, October 13, 2016 at 3:12:08 AM UTC+8, Ryan Sleevi wrote:
> As Gerv suggested this was the official call for incidents with respect to
> StartCom, it seems appropriate to start a new thread.
>
> It would seem that, in evaluating the relationship with WoSign and Qihoo, we
> naturally reach three possible co
The Chinese wikipedia has well documented controversies surrounding Qihoo 360.
Unfortunately, it's not translated into the English Wikipedia. So please go to
https://zh.wikipedia.org/wiki/%E5%A5%87%E8%99%8E360#.E5.95.86.E4.B8.9A.E7.9F.9B.E7.9B.BE.E4.B8.8E.E4.BA.89.E8.AE.AE.E4.BA.8B.E4.BB.B6
and
On Monday, October 10, 2016 at 2:16:53 PM UTC-7, Matt Palmer wrote:
> On Mon, Oct 10, 2016 at 10:33:15AM -0700, Nick Lamb wrote:
> > Would anybody here _seriously_ be shocked to read next month that a black
> > hat group is auctioning some StartCom private keys ? On the evidence
> > available we h
> Similarly, if we were to accept trust in Qihoo, then we would be ignoring the
> precedent Qihoo has set of choosing insecure and anti-user behaviours masked
> as "security".
I dare say your cert store will end up as a pretty lonely place if you start
investigating CAs –outside the realm of CA
The HSM is stored offline, in the vault of Qihoo 360’s headquarters, a little
bit surprised by this question, I don’t know if other CAs put their Root
Certificates online?
If anybody has evidence to say “Wosign have the private key of StartCom”,
please show us here.
Thanks,
Xiaosheng Tan
Yuwei,
I don’t know who you are, but I can tell you and the community, Qihoo 360 has never
been involved in * Fire Wall project, if you did some investigation to the
message that accused Qihoo 360 joined the project “Search Engine Content
Security Management System”, you should know the project
(Hmm, my previous comment about two faced WoSign disappeared from Google group
probably due to anti-spam. Gerv, can you recover it for me?)
I also want to point out that WoSign is currently asking customers to go to
StartCom to get DV certs. If we continue to trust StartCom, then WoSign
basical
WoSign has so far announced nothing about those incidents or immediate distrust
(Apple and Mozilla) to its end users. On the contrary, WoSign had a press
release dated Oct 8th (https://www.wosign.com/news/netcraft-ssl-oct.htm) titled
"WoSign SSL certs reaches almost 50% market share in China". I
Would this be enough?
http://www.cac.gov.cn/2016-09/19/c_1119583763.htm
On Thursday, October 13, 2016 at 10:58:34 AM UTC+8, 谭晓生 wrote:
> Yuwei,
> I don’t know who you are, but I can tell you and the community, Qihoo 360
> has never been involved in * Fire Wall project, if you did some investiga
You have mentioned "Qihoo masking their browser as a critical Windows security
update to IE users.", but their browser is fully insecure.
"Qihoo 360 Safe Browser" ignores SSL certificate errors, opens page directly
with cookie.
First seen 2014: https://cabforum.org/pipermail/public/2014-Octob
Anyway, Qihoo is a SOB company in China.
When I bought my Nokia 5320 in 2010, I installed 360 anti-virus on my Nokia, it
got my contacts and made it a text as txt format, I am scared, I never use any
of 360 since.
___
dev-security-policy mailing list
On Thursday, October 13, 2016 at 6:24:50 AM UTC+8, Percy wrote:
> The Chinese wikipedia has well documented controversies surrounding Qihoo
> 360. Unfortunately, it's not translated into the English Wikipedia. So please
> go to
> https://zh.wikipedia.org/wiki/%E5%A5%87%E8%99%8E360#.E5.95.86.E4.B8.9A.E7.9F.9B.E7.9B.BE.
The person who founded Qihoo 360, Hongwei Zhou(周鸿祎), is the creator of the
malware named 3721. 3721 is the most widely spread malware in China before the
company Qihoo 360 was founded. The reason that "360安全卫士" (360 Total Security),
which is the most important product of Qihoo 360, became popula
On 13/10/16 01:40, Percy wrote:
> (Hmm, my previous comment about two faced WoSign disappeared from
> Google group probably due to anti-spam. Gerv, can you recover it for
> me?)
I have that message via the news interface, so it did get posted. It's
not in the spam filter.
Gerv
Things went interesting, the webpage is about the 19 honored internet security
researcher by China government, some of them are professors of university, like
Professor Xiaoyun Wang who contributed a lot on cryptology (MD5 & SHA-1), Min
Yang, Haixin Duan, Jianwei Liu, Xingshu Chen……, and the fello