> a.- StartCom is now a 100% Qihoo360 owned subordinate Company. Management has also changed.

> b.- There're no StartCom employees working at any Wosign premises. StartCom has subcontracted Qihoo 360 for all PKI and development management.

This made me laugh, LoL.

For those who don't know much about Qihoo 360, it's an infamously unethical company. Its flagship antivirus software behaved like a virus, which is very difficult for non-pro computer users to remove. It sneakily "deployed" its so-called security guard software to many innocent users' computers while actually behaving like a backdoor, leaking user data not like a sieve, but a pipe. It's not uncommon to see a tip upon Windows startup telling things like "Your computer boots faster than 90% of users in the country", tricking the users into taking some "proudness" from it.

Don't just believe me, go check the Controversies section of its Wikipedia page [0], and do yourself some research. Say the previous StartCom owner China Unicom is an amateur hacker, then Qihoo 360 is a pro, but a much more evil one.

[0] https://en.wikipedia.org/wiki/Qihoo_360#Controversies
> a.- StartCom is now a 100% Qihoo360 owned subordinate Company. Management has also changed.

> b.- There're no StartCom employees working at any Wosign premises. StartCom has subcontracted Qihoo 360 for all PKI and development management.

> c.- StartCom acquired EJBCA PKI software from Primekey (CA, VA and TSA). There's no in-house development for PKI

> d.- All StartCom servers are under Qihoo 360 premises in different locations, in China and US.

> e.- StartCom has developed a new CMS system and website, using a new language, PHP, from scratch.

They go to great lengths to make sure everything has changed and nothing is like it was before. Why not just take the final step and drop the (quite tainted) name "StartCom" and apply as Qihoo360 CA or whatever?
For those of us who didn't know. Context [0] [1]

Personally, not sure how I feel about this, I'll continue to remove startcom from FF if it's still included.

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=994478

[1] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
Is there an extension like Noscript, but for CA certificates? In the same way that Noscript blocks JavaScript by default, but allows me to gradually build a whitelist of domains which I agree to run JavaScript from, is there an extension which doesn't trust any of the included CAs by default, and allows me to gradually enable CA certificates over time, so that my trust store is composed mainly of easy-to-trust CAs like Let's Encrypt and doesn't include dodgy CAs operating out of China?
Off topic, but because this is becoming a hobbyhorse of mine, from the Cure53 report:

"In conclusion, it is evident that the time between the two rounds of testing and since the assessment concluded was well-spent by the StartCom maintainers. The overall leap in the state of security is considerable and very much praiseworthy. At present, the ultimate improvement stems from solid dedication to fixing the reported problems appropriately and in a manner that prevents recurrence. As two most important arguments, it can be noted that the numbers of bugs decrease significantly and that the vast majority of the previously spotted issues has been addressed correctly. The current tendency towards improvement can be read as a good sign. With each passing month, dedication to security appears to grow and positively affect the StartSSL compound."

This kind of language drives me crazy. I don't want to single out Cure53 here because I think a lot of firms deliver this kind of stuff. I know iSEC and Matasano did. But not only do I not believe that software security firms are really qualified, after spending a few weeks looking at a project, to evaluate the true quality standards of a dev team, but I also think it's an enormous conflict of interest.

It's not the assessor's job to determine whether StartCom is "praiseworthy" or whether their time was "well-spent" or even to provide a trend line. Their job is to find bugs, recommend fixes, and verify those fixes.

I'll go even further and say, I don't think software security firms should be writing these kinds of reports at all. Rather, they should authorize their clients to publish their technical reports, which should keep the editorializing dialed way down.

I did this kind of consulting work for over 10 years and I can confidently report that no matter what your standards and principles are, as an assessor you have a lot of wiggle room to report findings positively or negatively (or not at all). When the only audience for your report is your client, that doesn't matter so much, as long as you (1) found bugs and (2) they got fixed. But when the audience is the broader public, I think it matters a great deal how things are reported, and the safest way to do that is denuded of all subjectivity.
What's the benefit for Firefox users of including StartCom?

The way I feel about "trusted" certificate authorities that fell way short of the required standard: You had one job.
> StartCom hired PwC for doing a full webtrust audit.

Is PwC any good for real security audits?

> StartCom hired Cure53 as suggested by Mozilla

Does that mean the report will be public? That's what Cure53 tend to do.

> c.- StartCom acquired EJBCA PKI software from Primekey (CA, VA and TSA). There's no in-house development for PKI

After acquisition it is now in-house...

> e.- StartCom has developed a new CMS system and website, using a new language, PHP, from scratch.

This sounds like they're in need of a real webapp audit

Another question: are there any real reasons why we don't have critical name constraints to countries' TLDs?
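As an added illustration of the name-constraints question above (example code, not from this thread or from any CA's software), this shows the RFC 5280 section 4.2.1.10 dnsName subtree matching rule that a path validator applies, run against a constructed scenario in which a root is permitted to issue only under the .cn ccTLD; the host names and constraint lists are made up for the example.

```python
# Added example: RFC 5280 4.2.1.10 dnsName constraint matching, applied to a
# constructed "root limited to the .cn ccTLD" scenario. Names are illustrative.


def _labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels.

    A trailing dot (absolute name) and a leading dot (used by some issuer
    configs, though RFC 5280 reserves it for URI/email constraints) are
    ignored so that "cn", ".cn" and "cn." all describe the same subtree.
    """
    return name.lower().strip(".").split(".")


def dns_name_in_subtree(name: str, constraint: str) -> bool:
    """True if `name` equals `constraint` or is built by adding labels on
    the left of it. Per RFC 5280, "host.example.com" covers
    "www.host.example.com" but not "badhost.example.com": matching is
    label-wise, not a plain string suffix test."""
    n, c = _labels(name), _labels(constraint)
    return len(n) >= len(c) and n[-len(c):] == c


def dns_name_allowed(name: str, permitted: list[str], excluded: list[str]) -> bool:
    """Apply one CA's name constraints to one SAN dNSName.

    excludedSubtrees always win; an empty permittedSubtrees list means the
    CA placed no permitted restriction on dNSName at all.
    """
    if any(dns_name_in_subtree(name, c) for c in excluded):
        return False
    if not permitted:
        return True
    return any(dns_name_in_subtree(name, c) for c in permitted)


def check_san_names(sans: list[str], permitted: list[str], excluded: list[str]) -> dict[str, bool]:
    """For every dNSName in a leaf certificate, report whether a chain through
    a CA carrying these constraints would pass the name-constraint check."""
    return {s: dns_name_allowed(s, permitted, excluded) for s in sans}


if __name__ == "__main__":
    # Constructed scenario: root constrained to permittedSubtrees = [dNSName "cn"].
    leaf_sans = ["www.example.cn", "google.com", "example.cn.attacker-example.com"]
    print(check_san_names(leaf_sans, permitted=["cn"], excluded=[]))
```

A real validator applies the intersection of constraints from every CA in the chain, so a constrained intermediate under an unconstrained root is still limited to its own subtrees.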
If I understand certificate transparency correctly, StartCom's actions will be fully and publicly auditable, in real time.

This means one vector of attack, the Chinese government requesting a google.com certificate from them and MITMing its citizens, would not be possible. To any CT experts: is my assessment correct?
Startcom was a previously-independent and reputable company until it was acquired by WoSign, so I might be willing to give them another shot, assuming they can scrub themselves of any lingering effect of WoSign's scummy practices.