
Startcom CA applies for inclusion in Mozilla - ridgewell
https://bugzilla.mozilla.org/show_bug.cgi?id=1311832#c12
======
ryenus
> a.- StartCom is now a 100% Qihoo360 owned subordinate Company. Management
> has also changed.

> b.- There´re no StartCom employees working at any Wosign premises. StartCom
> has subcontracted Qihoo 360 for all PKI and development management.

This made me laugh, LoL.

For those who don't know much about Qihoo 360, it's an infamously unethical
company. Its flagship antivirus software behaved like a virus, which is very
difficult for non-pro computer users to remove. It sneakily "deployed" its
so-called security guard software to many innocent users' computers while
actually behaving like a backdoor, leaking user data not like a sieve, but a
pipe. It's not uncommon to see a tip upon Windows startup telling things like
"Your computer boots faster than 90% of users in the country", tricking users
into taking some "proudness" from it.

Don't just believe me, go check the Controversies section of its Wikipedia
page [0], and do yourself some research. If the previous StartCom owner China
Unicom is an amateur hacker, then Qihoo 360 is a pro, but a much more evil
one.

[0] https://en.wikipedia.org/wiki/Qihoo_360#Controversies

------
mseebach
> a.- StartCom is now a 100% Qihoo360 owned subordinate Company. Management
> has also changed.

> b.- There´re no StartCom employees working at any Wosign premises. StartCom
> has subcontracted Qihoo 360 for all PKI and development management.

> c.- StartCom acquired EJBCA PKI software from Primekey (CA, VA and TSA).
> There´s no in-house development for PKI

> d.- All StartCom servers are under Qihoo 360 premises in different
> locations, in China and US.

> e.- StartCom has developed a new CMS system and website, using a new
> language, PHP, from scratch.

They go to great lengths to make sure everything has changed and nothing is
like it was before. Why not just take the final step and drop the (quite
tainted) name "StartCom" and apply as Qihoo360 CA or whatever?

~~~
shakna
Qihoo360 isn't a reputable name either. Might be trying to avoid anybody who
might recognise the name, and going for the "phoenix rises from the ashes" to
reinvigorate StartCOM, whilst avoiding Qihoo360 from further tainting it in
future.

------
maccard
For those of us who didn't know, context: [0] [1]

Personally, I'm not sure how I feel about this; I'll continue to remove startcom
from FF if it's still included.

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=994478
[1] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/

~~~
bjpbakker
> I'll continue to remove startcom from FF if it's still included

That's also my first reaction to startcom. Reading it, however, it seems they've
come a long way since the removal.

I'm not sure if I will trust this CA again; time will tell if they're
still using sneaky practices. But they seem to be doing better now.

------
solatic
Is there an extension like NoScript, but for CA certificates? In the same way
that NoScript blocks JavaScript by default, but allows me to gradually build
a whitelist of domains which I agree to run JavaScript from, is there an
extension which doesn't trust any of the included CAs by default, and allows
me to gradually enable CA certificates over time, so that my trust store is
composed mainly of easy-to-trust CAs like Let's Encrypt and doesn't include
dodgy CAs operating out of China?

~~~
Ajedi32
Not sure about an extension, but you could always just remove all root certs
from your trust store and then add them back one-by-one manually.

~~~
cm2187
Keeping in mind it has all sorts of side effects (signed drivers, etc).

~~~
baby
Not if you remove certs from your browser trust store. If I understand
correctly, a browser has no obligation to follow your OS trust store. If
someone here knows, which browsers actually trust OS certificates in addition to
their own trust store?

~~~
cm2187
Chrome and IE on windows I believe.

------
tptacek
Off topic, but because this is becoming a hobbyhorse of mine, from the Cure53
report:

_In conclusion, it is evident that the time between the two rounds of testing
and since the assessment concluded was well-spent by the StartCom maintainers.
The overall leap in the state of security is considerable and very much
praiseworthy. At present, the ultimate improvement stems from solid dedication
to fixing the reported problems appropriately and in a manner that prevents
recurrence. As two most important arguments, it can be noted that the numbers
of bugs decrease significantly and that the vast majority of the previously
spotted issues has been addressed correctly. The current tendency towards
improvement can be read as a good sign. With each passing month, dedication to
security appears to grow and positively affect the StartSSL compound._

This kind of language drives me crazy. I don't want to single out Cure53 here
because I think a lot of firms deliver this kind of stuff. I know iSEC and
Matasano did. But not only do I not believe that software security firms are
really qualified, after spending a few weeks looking at a project, to evaluate
the true quality standards of a dev team, but I also think it's an enormous
conflict of interest.

It's not the assessor's job to determine whether StartCom is "praiseworthy" or
whether their time was "well-spent" or even to provide a trend line. Their job
is to find bugs, recommend fixes, and verify those fixes.

I'll go even further and say, I don't think software security firms should be
writing these kinds of reports at all. Rather, they should authorize their
clients to publish their technical reports, which should keep the
editorializing dialed way down.

I did this kind of consulting work for over 10 years and I can confidently
report that no matter what your standards and principles are, as an assessor
you have _a lot_ of wiggle room to report findings positively or negatively
(or not at all). When the only audience for your report is your client, that
doesn't matter so much, as long as you (1) found bugs and (2) they got fixed.
But when the audience is the broader public, I think it matters a great deal
how things are reported, and the safest way to do that is denuded of all
subjectivity.

------
michaelhoffman
What's the benefit for Firefox users of including StartCom?

The way I feel about "trusted" certificate authorities that fell _way_ short
of the required standard: You had one job.

~~~
Ajedi32
> What's the benefit for Firefox users of including StartCom?

I think there is some benefit to maintaining a healthy ecosystem of multiple
competing, independently operated CAs. The benefits of including StartCom are
no different from that of any other CA in that regard.

Aside from that though, not much. Although... wasn't StartCom pretty much the
only CA offering free DV certs prior to Let's Encrypt? If they're planning to
resume offering that or a similar service, that would certainly be a
significant benefit to overall security of the web.

~~~
tracker1
Yes, they were the first I was aware of. Though, not sure if I could/would
trust them again.

------
baby
> StartCom hired PwC for doing a full webtrust audit.

Is PwC any good for real security audits?

> StartCom hired Cure53 as suggested by Mozilla

Does that mean the report will be public? That's what Cure53 tend to do.

> c.- StartCom acquired EJBCA PKI software from Primekey (CA, VA and TSA).
> There´s no in-house development for PKI

After acquisition it is now in-house...

> e.- StartCom has developed a new CMS system and website, using a new
> language, PHP, from scratch.

This sounds like they're in need of a real webapp audit.

Another question: are there any real reasons why we don't have critical name
constraints to countries' TLDs?

~~~
michaelt
> are there any real reasons why we don't have critical
> name constraints to countries' TLDs?

The reasoning I've heard is that .cn users' security requirements aren't any
lower than .com users' security requirements. I.e., if startcom/Qihoo360 aren't
good enough to issue .com, they're not good enough to issue .cn.

~~~
ameliaquining
Yeah, but reducing the number of CAs that are trusted for any given domain is
likely positive.

I'm also curious as to how the Chinese government plays into all this. Do they
have a track record of making trusted CAs misissue certificates?

~~~
Ajedi32
> Do they have a track record of making trusted CAs misissue certificates?

Probably not. Any CA misissuing certs intentionally (whether by government
coercion or not) probably wouldn't remain trusted for long. So if the Chinese
government is doing something like that, the public is certainly not aware of
it, else there wouldn't be any Chinese CAs left that are still trusted.

~~~
baby
That's the beauty of the trust store. The PKI might be a fucked up solution to
our trust problem on the internet, but it puts enough pressure against
governments to throw them away.

------
anilgulecha
If I understand certificate transparency correctly, StartCom's actions will be
fully and publicly auditable, in real time.

This means one vector of attack, the Chinese government requesting a google.com
certificate from them and MITMing its citizens, would not be possible. To any
CT experts: is my assessment correct?

~~~
geofft
One, it's notice of attack, not prevention of attack. StartCom (or an attacker
in possession of their private key) can issue a perfectly valid google.com
certificate, it's just going to be visible to the world that that's what
happened.

Two, while Google is presumably watching CT logs for google.com certificate
issuances, I'm certainly not watching my personal website. I suspect most
people aren't, so they could probably get away with issuing e.g. a
shadowsocks.org certificate and have a few days of successful attack before
anyone notices. This is probably not what you want for dragnet surveillance,
but it's great for an attack against an individual (whether conducted by a
government or just some private party).

So yes, the state of the world is quite a bit better than it was before CT,
but adding CAs remains a risk. They're only worth adding if there's a reason
to do it. (StartCom's free certificates used to be a really good reason.)

~~~
ameliaquining
There are various free services that will email you whenever a cert for one of
your domains shows up in the CT logs. It's a good idea to sign up for one. (It
would be an even better idea for domain registrars to automatically sign you
up for one.) Here's one that Facebook operates:
https://developers.facebook.com/tools/ct/
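
The monitoring that geofft and ameliaquining describe (CT gives notice, not prevention, so someone has to watch the logs for your own domains) can be reduced to a small detection rule: flag any logged certificate that covers a domain you own but was issued by a CA you did not expect. The block below is an added example, not code from the thread or from any CT service; the record format and all sample entries are constructed to resemble what a CT-monitor feed returns, and the owned-domain and expected-issuer lists are placeholders.

```python
import json

# Constructed sample of CT-monitor style records (issuer DN, SAN names, notBefore).
# These are NOT real log entries; they only illustrate the shape of such a feed.
SAMPLE_CT_RECORDS = json.dumps([
    {"issuer": "C=US, O=Let's Encrypt, CN=R3",
     "names": ["example.org", "www.example.org"], "not_before": "2023-01-10"},
    {"issuer": "CN=Unexpected Test CA",          # constructed, not a real CA
     "names": ["*.example.org"], "not_before": "2023-02-01"},
    {"issuer": "C=US, O=Let's Encrypt, CN=R3",
     "names": ["mail.example.net"], "not_before": "2023-02-03"},
    {"issuer": "CN=Unexpected Test CA",
     "names": ["notexample.org", "example.org.evil.test"], "not_before": "2023-02-05"},
])

# Placeholder configuration: the domains you control and the CAs you actually use.
OWNED_DOMAINS = {"example.org", "example.net"}
EXPECTED_ISSUERS = {"C=US, O=Let's Encrypt, CN=R3"}


def covers_owned_domain(san_name, owned):
    """True if a SAN entry (optionally a wildcard) is an owned domain or a subdomain of one.

    Matching is done on whole DNS labels, so "notexample.org" does not match
    "example.org" and "example.org.evil.test" does not match either.
    """
    host = san_name.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]  # a wildcard for *.example.org covers example.org's subdomains
    return any(host == d or host.endswith("." + d) for d in owned)


def find_unexpected(records_json, owned, expected_issuers):
    """Return one alert per logged cert that covers an owned domain but has an unexpected issuer."""
    alerts = []
    for rec in json.loads(records_json):
        hits = [n for n in rec["names"] if covers_owned_domain(n, owned)]
        if hits and rec["issuer"] not in expected_issuers:
            alerts.append({"issuer": rec["issuer"], "names": hits,
                           "not_before": rec["not_before"]})
    return alerts


if __name__ == "__main__":
    for alert in find_unexpected(SAMPLE_CT_RECORDS, OWNED_DOMAINS, EXPECTED_ISSUERS):
        print("ALERT: unexpected issuer", alert["issuer"], "for", alert["names"])
```

In practice the records would come from a CT monitor or log-fetching client rather than an inline string, and the alert would go to a pager rather than stdout; the matching and issuer check stay the same.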

------
AdmiralAsshat
Startcom was a previously-independent and reputable company until it was
acquired by WoSign, so I might be willing to give them another shot, assuming
they can scrub themselves of any lingering effect of WoSign's scummy
practices.

~~~
majewsky
As if WoSign were any better:
https://wiki.mozilla.org/CA:WoSign_Issues

~~~
AdmiralAsshat
You misunderstand me. I know that WoSign is crap. I would not ever trust
WoSign again.

My point is that Startcom seemed decent _until_ they were acquired by WoSign
and started adopting their shady practices. If they are completely
disentangled from WoSign, I might be willing to trust them again.

~~~
mynameisvlad
To be fair to the parent comment, your original comment as it is written says
the exact opposite; that you'd be willing to trust them _due to_ the
acquisition.

~~~
mi100hael
Made sense to me if you know that WoSign is crap and read the article
indicating they are no longer under WoSign control.

------
sigjuice
StartSSL also provides free S/MIME certificates. Any suggestion on what to use
instead?

~~~
diego_moita
Comodo also gives free email certificates:
https://www.instantssl.com/ssl-certificate-products/free-email-certificate.html

------
egberts1
Ummm, just simple and emphatically...no.

