Re: StartCom & Qihoo Incidents

2016-10-13 Thread handleft
360 and 周鸿祎 are both shameless. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

Re: StartCom & Qihoo Incidents

2016-10-13 Thread amelyee
Just adding more info: WireLurker virus on iOS and OS X https://beijingtoday.com.cn/2014/11/wirelurker-virus-cripples-qihoo-360s-credibility/

Re: StartCom & Qihoo Incidents

2016-10-13 Thread galaxy001
According to this newspaper, 360 did join the GFW project on 2012-07-02. http://web.archive.org/web/20120705031419/http://www.21cbh.com/HTML/2012-7-2/2NMDM2XzQ2NTU2Nw.html However, the chief of 360, 周鸿祎, personally said it is not true on a local SNS site. On Thursday, October 13, 2016 at

List Content Policy

2016-10-13 Thread Gervase Markham
A note on accepted content for this list: Concrete information which may be important for security policy decisions Mozilla has to make is welcome. Wild and unsubstantiated accusations are not, nor are comments which attack a person or company based on their nationality. I have already rejected

Re: StartCom & Qihoo Incidents

2016-10-13 Thread 谭晓生
Are there any words saying “award to Qihoo to recognize their long time support for censorship”? It is an official thanks letter from The Ministry of Public Security of the People’s Republic of China, the equivalent organization to the FBI of the U.S.; it thanks my team and myself for joining the

Remediation Plan for WoSign and StartCom

2016-10-13 Thread Kathleen Wilson
All, Thanks again to all of you who have put in so much time and effort to determine what happened with WoSign and StartCom and discuss what to do about it. Based on the information that I have seen regarding WoSign, I believe that WoSign intentionally bent the rules in order to continue

Re: StartCom & Qihoo Incidents

2016-10-13 Thread nessuno . acasa
On Thursday, October 13, 2016 at 7:51:11 PM UTC+3, Jakob Bohm wrote: > I just skimmed it, and that just looks like Qihoo 360 acquired some > other companies that I don't recognize and did so by technically > merging the company while concentrating ownership with the existing > Qihoo 360

Re: Remediation Plan for WoSign and StartCom

2016-10-13 Thread Kathleen Wilson
On Thursday, October 13, 2016 at 10:17:28 AM UTC-7, Jonathan Rudenberg wrote: > Can you clarify if the notBefore cutoff is October 1, 2016, and > not October 21, 2016? There are two conflicting dates in the listed actions. My thinking is that we would distrust certs issued after next week (Oct

Re: Remediation Plan for WoSign and StartCom

2016-10-13 Thread Kathleen Wilson
On Thursday, October 13, 2016 at 10:39:05 AM UTC-7, Han Yuwei wrote: > > Is this the final decision or still pending? Please consider this the draft of my decision. We are actively working on the Mozilla action items, but this plan is still open for discussion. Thanks, Kathleen

Re: WoSign: updated report and discussion

2016-10-13 Thread Jakob Bohm
On 13/10/2016 04:36, 谭晓生 wrote: The HSM is stored offline, in the vault of Qihoo 360’s headquarters. A little bit surprised by this question, I don’t know if other CAs put their Root Certificates online? If anybody has evidence to say “Wosign have the private key of StartCom”, please

Re: List Content Policy

2016-10-13 Thread Han Yuwei
On Thursday, October 13, 2016 at 11:58:54 PM UTC+8, Gervase Markham wrote: > A note on accepted content for this list: > > Concrete information which may be important for security policy > decisions Mozilla has to make is welcome. Wild and unsubstantiated > accusations are not, nor are comments which attack a person or

Re: Remediation Plan for WoSign and StartCom

2016-10-13 Thread Jonathan Rudenberg
On Oct 13, 2016, at 12:49, Kathleen Wilson wrote: > > 1) Distrust certificates chaining up to Affected Roots with a notBefore date > after October 21, 2016. If additional back-dating is discovered (by any > means) to circumvent this control, then Mozilla will immediately

Re: Remediation Plan for WoSign and StartCom

2016-10-13 Thread Han Yuwei
On Friday, October 14, 2016 at 12:50:02 AM UTC+8, Kathleen Wilson wrote: > All, > > Thanks again to all of you who have put in so much time and effort to > determine what happened with WoSign and StartCom and discuss what to do about > it. > > Based on the information that I have seen regarding WoSign, I believe

Re: Remediation Plan for WoSign and StartCom

2016-10-13 Thread Gervase Markham
On 13/10/16 17:49, Kathleen Wilson wrote: > Thanks again to all of you who have put in so much time and effort to > determine what happened with WoSign and StartCom and discuss what to > do about it. You are welcome. As people will have read, the current decision at Mozilla is to treat the

Re: StartCom & Qihoo Incidents

2016-10-13 Thread solar
Indeed, Yahoo! has a bad reputation on both spyware/malware[1] and censorship[2]. Ironically, Yahoo! Assistant, the successor of 3721 Internet Assistant (also called 3721 helper), was identified as malware by 360Safe, which is a product of Qihoo 360.[3] In 2007, Eric Yang, the co-founder and CEO

Re: Remediation Plan for WoSign and StartCom

2016-10-13 Thread Nick Lamb
On Thursday, 13 October 2016 20:52:54 UTC+1, Gervase Markham wrote: > To be clear, this is a permanent ban, applicable worldwide, but only to > the Hong Kong branch of E (If further issues are found with E > audits elsewhere, then we might consider something with wider scope.) Please can Mozilla

Re: Remediation Plan for WoSign and StartCom

2016-10-13 Thread Percy
> Others have noted the mismatch here with an October 1 date elsewhere in > the document. I think we should pick a single date in the future, to > allow the CAs concerned to wind down operations without leaving > customers having just obtained certs which will stop working in a few > months.

Re: Remediation Plan for WoSign and StartCom

2016-10-13 Thread Matt Palmer
On Thu, Oct 13, 2016 at 09:49:50AM -0700, Kathleen Wilson wrote: > 5. 100% embedded CT for all issued certificates, with embedded SCTs from > at least one Google and one non-Google log not controlled by the CA. Will there be any requirements around the qualification status of the logs, or could

Re: WoSign: updated report and discussion

2016-10-13 Thread Eddy Nigg
On 10/11/2016 11:57 AM, Gervase Markham wrote: There is also the case of StartEncrypt. While no known cert-to-wrong-person misissuance occurred, because the researchers in question used domains they already controlled to prove their point, there seemed to be multiple holes by which this

Re: StartCom & Qihoo Incidents

2016-10-13 Thread solar
Some more information. 3721 helper, the most notorious malware in China, was created by Hongyi Zhou and his company 3721 in 1998. According to Mr. Tan's bio, he was the development director of 3721. So I believe he directly participated in and led the development of the malware. There is

Re: StartCom & Qihoo Incidents

2016-10-13 Thread solar
Mr. Xiaosheng Tan, according to the page of your personal details (http://baike.baidu.com/view/4571996.htm) in Baidu Baike, currently you are the CTO and VP of Qihoo. And you have a long record of working and even studying with Hongyi Zhou, the CEO and the owner of Qihoo, who was entitled as

Re: StartCom & Qihoo Incidents

2016-10-13 Thread 谭晓生
There could be multiple books to tell the story of Qihoo 360 and Mr. Hongyi Zhou. Qihoo 360 fought with Baidu, Alibaba & Tencent, the three largest internet companies of China, in the past 10 years; there were a lot of lawsuits there, wins and losses together; the ecosystem of the Chinese internet is a

Re: StartCom & Qihoo Incidents

2016-10-13 Thread Eddy Nigg
On 10/12/2016 10:11 PM, Ryan Sleevi wrote: As Gerv suggested this was the official call for incidents with respect to StartCom, it seems appropriate to start a new thread. Ryan, it was probably easy to dig up any possible claimed or proven issue ever surrounding StartCom during its ~ 10

Re: StartCom & Qihoo Incidents

2016-10-13 Thread 谭晓生
The information on Baidu Baike is not correct; I tried to correct it, but failed, I don’t know why. I have been the Vice President of Qihoo 360 since the end of 2009, installed as Chief Privacy Officer from 15th March 2012 as well, and titled as Chief Security Officer of Qihoo 360 from Feb 2016. I have never been

Re: WoSign: updated report and discussion

2016-10-13 Thread Han Yuwei
On Thursday, October 13, 2016 at 9:09:11 PM UTC+8, uri...@gmail.com wrote: > >WoSign will resell other trusted CA's SSL certificate to our customers to > >provide best product and best service to our customers. > > Is the plan to resell StartCom certificates? > > On Thursday, October 13, 2016 at 4:18:54 AM UTC-4,

Re: StartCom & Qihoo Incidents

2016-10-13 Thread Han Yuwei
On Thursday, October 13, 2016 at 10:58:34 AM UTC+8, 谭晓生 wrote: > Yuwei, > I don’t know who you are, but I can tell you and the community, Qihoo 360 > never been involved in * Fire Wall project, if you did some investigation > to the message that accused Qihoo 360 joined the project “Search Engine > Content

Re: StartCom & Qihoo Incidents

2016-10-13 Thread Han Yuwei
On Thursday, October 13, 2016 at 2:01:19 PM UTC+8, yliv...@gmail.com wrote: > Would this be enough? > http://www.cac.gov.cn/2016-09/19/c_1119583763.htm > > On Thursday, October 13, 2016 at 10:58:34 AM UTC+8, 谭晓生 wrote: > > Yuwei, > > I don’t know who you are, but I can tell you and the community, Qihoo 360 > > never

Re: WoSign: updated report and discussion

2016-10-13 Thread urijah
> WoSign will resell other trusted CA's SSL certificate to our customers to > provide best product and best service to our customers. Is the plan to resell StartCom certificates? On Thursday, October 13, 2016 at 4:18:54 AM UTC-4, Richard Wang wrote: > Percy, > > I think your English is too bad!

Re: StartCom & Qihoo Incidents

2016-10-13 Thread ylivan09
Would this be enough? http://www.cac.gov.cn/2016-09/19/c_1119583763.htm On Thursday, October 13, 2016 at 10:58:34 AM UTC+8, 谭晓生 wrote: > Yuwei, > I don’t know who you are, but I can tell you and the community, Qihoo 360 > never been involved in * Fire Wall project, if you did some

Re: StartCom & Qihoo Incidents

2016-10-13 Thread anklm
You have mentioned "Qihoo masking their browser as a critical Windows security update to IE users.", but their browser is fully insecure. "Qihoo 360 Safe Browser" ignores SSL certificate errors and opens the page directly with cookies. First seen 2014:

Re: StartCom & Qihoo Incidents

2016-10-13 Thread zjuniverse
The person who founded Qihoo 360, Hongyi Zhou (周鸿祎), is the creator of the malware named 3721. 3721 was the most widely spread malware in China before the company Qihoo 360 was founded. The reason that "360安全卫士" (360 Total Security), which is the most important product of Qihoo 360, became

Re: WoSign: updated report and discussion

2016-10-13 Thread Gervase Markham
On 13/10/16 01:40, Percy wrote: > (Hmm, my previous comment about two faced WoSign disappeared from > Google group probably due to anti-spam. Gerv, can you recover it for > me?) I have that message via the news interface, so it did get posted. It's not in the spam filter. Gerv

Re: StartCom & Qihoo Incidents

2016-10-13 Thread 谭晓生
Things got interesting: the webpage is about the 19 internet security researchers honored by the China government, some of them are professors of universities, like Professor Xiaoyun Wang, who contributed a lot on cryptology (MD5), Min Yang, Haixin Duan, Jianwei Liu, Xingshu Chen……, and the fellow of