I called forWoSign's revocationearlier thisweek for its utter ignorance over security. However, WoSign is cross signed by StartCom. Meaning that as long as StartCom is trusted, even if WoSign is manually distrusted, all certificates from WoSign are still considered valid. What's more, now it looks like StartCom is actually purchased by WoSign.
A former StartCom employee broke the news that WoSign's secretly purchased StartCom in Nov 2015 without any notice to the public or StartCom users . He posted his finding on https://www.letsphish.org/ , all evidence from publicly available sources, and not bounded by NDA.
On Aug 30, Someone posted WoSign's secret purchase to the thread "Incidents involving the CA WoSign".On Sept 1st, the content was taken down from the website.
September 1, 2016:I'm currently going under legal review of the site. Content will not be available during this period.
If you want to see the original content, please go to mirrorhttps://archive.is/8bSp6 I also attached the full article at the end of this blog post.
As the content was removed in the original site and people are discussing the security of WoSign and StartCom and wondering about the missing article, I posted the mirror to the thread.
The CEO of WoSign Richard Wang, akaGaohua Wang, the crucial person mentioned in letsphish, stated that
OK I try to say some that I wish I don't violate my company confidential policy.
1. Eddy told me that this guy is the former employee of StartCom, he violates the signed NDA that he must shutdown the site within the limit time. Every re-distribution the wrong information will heavy his penalty (including site cache or mirror site). I am sure every company don't like its former employee to expose company's confidential information.
2. WoSign invested in 5 companies worldwide including in North America, Europe and Asia (China), but my company is a private company that no any liability to expose everything that we don't like to expose. And Mozilla also don't have the policy that every CA must expose its shareholder and director.
3. Please don't bind WoSign incident problem with StartCom, it is two independent company that one registered in China and one located in Israel. StartCom and WoSign have maintained a business relationship for many years since 2011 when WoSign startup CA business. And WoSign root is cross signed by StartCom root due to the problem that root inclusion took long time.
However, as you can read in the article, WoSign and StartCom currently share critical infrastructure, director and user trust. This purchase might also be able to explain the security nightmare ofStartEncrypt, a StartCom copycat of LetsEncrypt, launched in 2016. A Google search of StartEncrypt will bring up a full page of results titled " StartEncrypt considered harmful today "
After I posted the letphish mirror in the thread, he replied to me personally that
Please remember this sentence:
Every re-distribution the wrong information will heavy his penalty (including site cache or mirror site).
You are harming him!
I replied that
You stated that he was a former employee of StartCom in 2015. After he left the company, what he learnt from public sources in 2016 is not bound by NDA. I do not appreciate you holding him hostage to suppress public and crucial information on understanding the trust of CA. Since WoSign is trying so hard to suppress such critical information, it's especially important for us to understand the consequences of such info.
I call for a detailed investigation over WoSign's purchase of StartCom and the current status of StartCom. If StartCom is deemed untrusted in connection with WoSign, it should be revoked as well.
I further call for all current users of WoSign or StartCom to switch to Let's Encrypt as soon as possible.
Start Commercial LTD "is" an Israeli Certificate Authority, Their certificates are trusted by billion of devices (computers, mobile phones, routers, etc) and they claim to be "the 6th biggest CA in the world". StartCom launched it's activities as we know it today around 2006 with the brandname StartSSL .
Their site didn't had much UI changes during those years. Until 2016...
February 16th, 2016, Pierre Kim in his security blog wrote about why he stopped using StartSSL . The article was about how some of StartSSL's infrastructure is hosted in China/by Chinese companies. But he showed only small part of the whole picture, not going into who owns StartCom and the brandname StartSSL.
Reviewing StartCom registry in the Israeli company directory reveal that on November 1st, 2015 all the shares of the private held company were transfered to a UK based company named "StartCom CA Limited" . This company, "StartCom CA" is owned by Gaohua Wang, who is of Chinese nationality .
But no news about it. 2016 is a major year for StartCom, new UI, new tools and new features, and yet, no news regarding the new ownership. The only news related to the matter was a minor post about expending their activities in China .
In the previous part we saw that the ownership of the company has switched, from Israeli hands to Chinese hands (via a UK based company to operate as a front organization ). Pierre Kim in his blog post showed that some of StartSSL infrastructure is hosted in China/by Chinese companies. In this part I will present that currently (June 2016) StartSSL is operating from China (their employees are located in China).During the first half year of 2016 I've contacted StartSSL several times. The first time was when I notified them about their SPF TXT records being incorrect , the reply was originated from