Wed 07 September 2016

While listening to the Security Now podcast, I heard, first with amusement and then with horror, Steve reading an email from Mozilla about the security problems with the WoSign CA.

Their list of woes is long (read the linked email for details), but one thing turned up in the email which I was not aware of: StartCom (owner of the StartSSL certificate authority) was apparently recently bought by WoSign CA! Apparently one of the security bugs StartSSL has (had?) was that with a suitably modified POST request (yes, I guess you can do it in the Developer Tools of your Firefox) you could get a certificate linked to the root certificate “CA 沃通根证书” (or “WoSign CA Free SSL Certificate G2” with another value of the parameter). Awesome!
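The bug class behind that paragraph is worth spelling out from the defender's side: the CA's issuance endpoint let a client-supplied form field decide which root signed the certificate, instead of deriving the root from what the authenticated account is actually entitled to. The following is an added toy model, not StartSSL's or WoSign's code; the root names, the account data and the HMAC "signature" standing in for a real CA signature are all constructed for the example. It shows the insecure dispatch next to a hardened version that refuses and flags a mismatch.

```python
"""Toy model of a CA issuance endpoint: a client-chosen issuer versus an
issuer derived from server-side account state.

Constructed for illustration only. The root labels, account entitlements
and the HMAC-based "signing" are stand-ins, not any real CA's code or keys.
"""
import hashlib
import hmac
import json

# Constructed root registry: issuer label -> secret used by the toy signer.
ROOT_KEYS = {
    "StartCom root (constructed label)": b"startcom-toy-key",
    "WoSign CA Free SSL Certificate G2": b"wosign-toy-key",
}

# Server-side entitlement: which root each account's product may be issued under.
ACCOUNT_ROOT = {
    "alice": "StartCom root (constructed label)",
}


class IssuanceRefused(Exception):
    """Raised when a request does not match the account's entitlement."""


def toy_sign(issuer, subject):
    """Stand-in for a CA signature: HMAC over the to-be-signed fields."""
    tbs = json.dumps({"issuer": issuer, "subject": subject}, sort_keys=True).encode()
    sig = hmac.new(ROOT_KEYS[issuer], tbs, hashlib.sha256).hexdigest()
    return {"issuer": issuer, "subject": subject, "signature": sig}


def issue_vulnerable(account, form):
    """Insecure pattern: the issuing root is read straight from the POST form.
    Whoever edits the form (browser developer tools suffice) picks the root;
    the account is never consulted."""
    issuer = form["issuer"]  # client-controlled, unchecked
    return toy_sign(issuer, form["subject"])


def issue_hardened(account, form):
    """Hardened pattern: the root comes from the account's server-side
    entitlement. A client-supplied 'issuer' that disagrees is refused, and
    that refusal is the event worth alerting on, since it means a tampered form."""
    try:
        allowed = ACCOUNT_ROOT[account]
    except KeyError:
        raise IssuanceRefused(f"account {account!r} has no issuance entitlement")
    requested = form.get("issuer")
    if requested is not None and requested != allowed:
        raise IssuanceRefused(
            f"account {account!r} requested {requested!r}, entitled only to {allowed!r}"
        )
    return toy_sign(allowed, form["subject"])


def verify(cert):
    """Recompute the toy signature under the claimed issuer's key and compare."""
    expected = toy_sign(cert["issuer"], cert["subject"])["signature"]
    return hmac.compare_digest(expected, cert["signature"])


if __name__ == "__main__":
    tampered = {"subject": "example.com", "issuer": "WoSign CA Free SSL Certificate G2"}
    print("vulnerable issued under:", issue_vulnerable("alice", tampered)["issuer"])
    try:
        issue_hardened("alice", tampered)
    except IssuanceRefused as exc:
        print("hardened refused:", exc)
    print("hardened issued under:", issue_hardened("alice", {"subject": "example.com"})["issuer"])
```

The point of the hardened version is that the trust decision (which root signs) never touches a request field at all; the optional `issuer` field is accepted only as a consistency check, and any disagreement is turned into a refusal that a SOC can log and count rather than being silently honoured.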

What’s even more interesting is that I am a paying customer of StartSSL CA and I have never been made aware of the change of ownership. The only other mention of the possible change of ownership I found was on the Wikipedia page, which linked to a blog post that is now unavailable due to “legal review of the site” […]. Even better! (Update later: fortunately the page has been cached.)

You know, the term “trusted third party” (which is another name for a CA) indicates that they are in the business of selling trust. I was willing to trust a happy Jewish hacker in Eilat, Israel. But I am not willing to trust him anymore after he made this change without letting me know, and I am even less willing to trust a mysterious Chinese corporation with a disastrous security track record.

It is time to move.

Category: computer Tagged: SSL
