Saturday, September 3, 2016

StartCom operated solely by WoSign in China - an analysis of the new StartCom website

I reported earlier that StartCom was secretly purchased by WoSign from the technical aspects and the business aspects. I'm now going to provide an analysis of the new StartCom website. The new StartCom website was launched in Dec 2015, one month after alleged WoSign's purchase.

Now I'm going to analyze the new Startcom website. The analysis further affirms the conclusion that StartCom was outright purchased by WoSign, rather than being in a partnership with WoSign.
As a native Chinese speaker, I can easily identify mistakes made in English caused by the influence of Chinese. The new StartCom webpage seems to completely designed and implemented in China.


 StartCom Transparency
All issued SSL certificate is logged in Google Log server and other third party logs
with embedded SCT data in the SSL certificate.
This message appears at the bottom of all StartCom products.
Chinese doesn't have plural form or Subject-Verb Agreement. Hence "All issued SSL certificate is logged"

This is the exact same slogan on the WoSign's website
WoSign Transparency 
All issued SSL certificate is logged in Google Log server and other third party logs with embedded SCT data in the SSL certificate.
A word by word copy. This affirms the conclusion that StartCom was purchased by WoSign.


It takes just one minute to
Register your account to
Get Free SSL certificate
And free Email certificate
Chinese doesn't have capitalization, hence this weird capitalization in every new line.
No article in Chinese, hence "Get Free SSL certificate"

the StartPKI page

It uses very poor English such as
Sign-up and Paid
Just tell us what you want
Give you a unbelievable price
Sign agreement online
Paid the setup fee
We do not have tense or article in Chinese and the errors on "paid" and "a unbelievable price" are probably due to that. 

If you are using StartSSL, the certificate and certificate path look like this way that the issued by is StartCom
Hmm, No!

StartResell  launched in May 2016

Start to sell, make big money!
Setup your own website, start to sell your brand SSL certificate to your customers. Post customer’s identity information to StartSSL, StartCom charge the validation cost only with 50% off discount, all certificates issued from your intermediate CA is FREE. StartCom don’t charge your certificate cost, you make big money!
StartResell is in the background, you focus your sales, we do everything for you including PKI system, CRL and OCSP distribution, identity validation etc., we will use your company name to call your customer for identity validation, no other contact to your customer
Chinese grammars allow complete sentences to be separated by comma. Those are all run-on sentences in English.
Chinese doesn't have Subject-Verb Agreement, hence "StartCom charge"
We are sometimes confused on what preposition to use for a specific word, hence "focus your sales" "contact to your customer"

No any prepay and deposit need, just need to pay the dedicated Intermediate CA setup fee and annual maintenance fee;
"No any prepay" is translated word by word from Chinese, "没有任何预先付款”, which is very typical in various Chinese advertisements.


StartEncrypt Pro
Need an account in StartSSL, get the API token and API certificate;
Install and run, no any coding, support Windows server and Linux server;
Not just get the SSL certificate automatically, but install it automatically;
Not just Encrypted, but also identity validated to display EV Green Bar;
Not just 90 days period, but up to 39 months, more than 1180 days;
Not just low assurance DV SSL certificate, but also High assurance OV SSL and EV SSL;
Not just for one domain, but up to 120 domains with wildcard support;
For OV SSL and EV SSL, just charge the validation cost annually, certificate is FREE!
Again, run on sentences, word by word translation of "no any coding", "not just... but..." .

About US
Mr. Nigg thought: CAs (Certification Authorities) main duties are authentication, the customer should be charged only for authentication labor costs, the certificate file is just the carrier of the authenticated data, it is a digital file that can be issued by the system automatically, at this case the cost is almost negligible, it can be completely free of charge! For comparison, why is a newspapers more expensive than toilet paper? Because of its valuable content! It's the same with digital certificate, the certificate subject information is the verified information, without it a certificate would be worthless.
This paragraph supposedly described Eddy Nigg's thoughts. This is obviously not written by Eddy Nigg but someone from China.
Again, plural form, run on sentences. "Mr. Nigg thought:" the colon usage here is correct in Chinese.
The overall phrasing, the comparison are very much Chinese too.

Such common grammatical or semantical mistakes are littered across the entire website of StartCom. Besides, the overall way of phasing is very much Chinese. I'm hard pressed to find even one error-free paragraph in natural English on the StartCom site.


The above shows that the website was designed and implemented solely in China by WoSign without any English speaker involved. As even a casual inspector who is a native English speaker can immediately identify problems with the official site, we can only assume that StartCom currently has no non-Chinese staff or even staff who speak fluent English. This further affirms the conclusion that StartCom was outright purchased by WoSign, rather than being in a partnership with WoSign.

Friday, September 2, 2016

WoSign's secret purchase of StartCom; WoSign threatened legal actions over the disclosure

I called for WoSign's revocation earlier this week for its utter ignorance over security. However, WoSign is cross signed by StartCom. Meaning that as long as StartCom is trusted, even if WoSign is manually distrusted, all certificates from WoSign are still considered valid. What's more, now it looks like StartCom is actually purchased by WoSign.

A former StartCom employee broke the news that WoSign's secretly purchased StartCom in Nov 2015 without any notice to the public or StartCom users . He posted his finding on , all evidence from publicly available sources, and not bounded by NDA.
On Aug 30, Someone posted WoSign's secret purchase to the thread "Incidents involving the CA WoSign". On Sept 1st, the content was taken down from the website.

September 1, 2016:
I'm currently going under legal review of the site.
Content will not be available during this period.

If you want to see the original content, please go to mirror I also attached the full article at the end of this blog post.

As the content was removed in the original site and people are discussing the security of WoSign and StartCom and wondering about the missing article, I posted the mirror to the thread.

The CEO of WoSign Richard Wang, aka Gaohua Wang, the crucial person mentioned in letsphish, stated that
OK I try to say some that I wish I don't violate my company confidential policy.

1. Eddy told me that this guy is the former employee of StartCom, he violates the signed NDA that he must shutdown the site within the limit time. Every re-distribution the wrong information will heavy his penalty (including site cache or mirror site). I am sure every company don't like its former employee to expose company's confidential information.

2. WoSign invested in 5 companies worldwide including in North America, Europe and Asia (China), but my company is a private company that no any liability to expose everything that we don't like to expose. And Mozilla also don't have the policy that every CA must expose its shareholder and director.
3. Please don't bind WoSign incident problem with StartCom, it is two independent company that one registered in China and one located in Israel. StartCom and WoSign have maintained a business relationship for many years since 2011 when WoSign startup CA business. And WoSign root is cross signed by StartCom root due to the problem that root inclusion took long time.
Best Regards,
However, as you can read in the article, WoSign and StartCom currently share critical infrastructure, director and user trust. This purchase might also be able to explain the security nightmare of StartEncrypt, a StartCom copycat of LetsEncrypt, launched in 2016. A Google search of StartEncrypt will bring up a full page of results titled "StartEncrypt considered harmful today"

After I posted the letphish mirror in the thread, he replied to me personally that
Please remember this sentence:
Every re-distribution the wrong information will heavy his penalty (including site cache or mirror site).
You are harming him!
I replied that
You stated that he was a former employee of StartCom in 2015. After he left the company, what he learnt from public sources in 2016 is not bound by NDA. I do not appreciate you holding him hostage to suppress public and crucial information on understanding the trust of CA. Since WoSign is trying so hard to suppress such critical information, it's especially important for us to understand the consequences of such info.
I call for a detailed investigation over WoSign's purchase of StartCom and the current status of StartCom. If StartCom is deemed untrusted in connection with WoSign, it should be revoked as well.
I further call for all current users of WoSign or StartCom to switch to Let's Encrypt as soon as possible.
Start Commercial LTD "is" an Israeli Certificate Authority, Their certificates are trusted by billion of devices (computers, mobile phones, routers, etc) and they claim to be "the 6th biggest CA in the world". StartCom launched it's activities as we know it today around 2006 with the brandname StartSSL.
Their site didn't had much UI changes during those years. Until 2016...
February 16th, 2016, Pierre Kim in his security blog wrote about why he stopped using StartSSL. The article was about how some of StartSSL's infrastructure is hosted in China/by Chinese companies. But he showed only small part of the whole picture, not going into who owns StartCom and the brandname StartSSL.
Reviewing StartCom registry in the Israeli company directory reveal that on November 1st, 2015 all the shares of the private held company were transfered to a UK based company named "StartCom CA Limited". This company, "StartCom CA" is owned by Gaohua Wang, who is of Chinese nationality.
But no news about it. 2016 is a major year for StartCom, new UI, new tools and new features, and yet, no news regarding the new ownership. The only news related to the matter was a minor post about expending their activities in China.
In the previous part we saw that the ownership of the company has switched, from Israeli hands to Chinese hands (via a UK based company to operate as a front organization). Pierre Kim in his blog post showed that some of StartSSL infrastructure is hosted in China/by Chinese companies. In this part I will present that currently (June 2016) StartSSL is operating from China (their employees are located in China).
During the first half year of 2016 I've contacted StartSSL several times. The first time was when I notified them about their SPF TXT records being incorrect [1], the reply was originated from (China Telecom, CHINANET Guangdong province network) with the "Content-Language" equals to "zh-cn" and the localtime of the email was UTC+0800. The email is signed with "" private key.
The second time I've contacted StartSSL was in regard their OCSP replies for expired certificates [2], again the reply was originated in China (China Telecom, CHINANET Guangdong province network) with China's localtime (UTC+0800).
The third and last time I've contacted StartSSL was regarding their expired certificates on some of their hosts [3], this time the reply seem to be generated via some kind of a ticket system, but still from China. The ticket system itself (MX server at least) seem to be in China, (21ViaNet(China),Inc), and the person who replied to my email was also from China, (China Telecom, CHINANET Guangdong province network) with "Accept-Language:" set to "zh-cn".
And what about StartSSL automated emails, old ones (during January) seem to originate in China, they came from (China Telecom, CHINANET-BJ) [4]. But later ones, come from (China Telecom (Americas) Corrporation (CTUC)) [5]. According the the whois, this is a Chinese company with an IP infrastructure in the US, but the localtime is still set to China's localtime.
In part 1 I showed that all shares from Start Commercial LTD (company based in Israel) were transferred to a front organization in the UK, named "StartCom CA Limited", which their sole director is Gaohua Wang. In part 2 I showed that StartSSL is actually operating from China (last verified, June 2016). In this part I will disclose who actually owns StartCom and more specifically the "StartSSL" brandname.
The key figure is Gaohua Wang (aka Richard Wang). It may not be so easy to connect him to the company in matter (searching for "Gaohua Wang certificate authority" will do the trick), but Gaohua Wang is also a director of another CA company based in China, named WoSign [1].
StartCom doesn't share this information with their customers, past, present and probably near future. I even tried to ask them directly via their Live Chat, but they haven't given me a straight answer ("not really", "close relationship" and "share infrastructure") [2] [3]. It seem StartCom is trying really hard not to disclose that StartCom was sold indirectly to a Chinese company.
Lets break down the answers to the question "Did WoSign bought you?"
"Not really" - WoSign didn't bought StartCom directly, Gaohua Wang (which also owns WoSign) used a front organization in the UK to buy StartCom.
"Close Relationship" - StartCom in the past cross-signed some of WoSign's intermediate CA, you may consider it as "close relations".
"Share Infrastructure" - This will explain Pierre Kim's post, but it doesn't explain why StartCom will require that, most StartSSL's customers are in Europe and in the US, not in China nor Asia [4].
But there are holes in the story. Why the operations (mail replies, core service like '') is in China? When trying to dial the Israeli number (+972.8.634.4170) I got an unplugged number tone [5], is the office in Israel is unavailable? But some of StartCom infrastructure is still hosted in Israel.
I will conclude with that, the same person (Gaohua Wang) owns WoSign and StartCom. I will leave connecting the dots for you...

[1] Hong Kong Compaies Registry - WoSign Director Index - IMG
[2] Live Chat with Danny - Part 1 - IMG *
[3] Live Chat with Danny - Part 2 - IMG *
[4] According to BuiltWith - IMG
[5] Trying to dial the Israeli extension - AMR
About the author 
My name is Itzhak Daniel, during 2015 I was an employee of StartCom. I don't speak on behalf of StartCom. I believe companies that are responsible for securing our internet should be transparent regarding their activities and who stands behind them.
Comments, requests, etc can be sent using this contact page or by any other means mentioned on it.