幹壞事是進步最大的原動力
AWS 開了 Stockholm 區 (eu-north-1):「Now Open – AWS Europe (Stockholm) Region」。
在「In the Works – AWS Region in Hong Kong」這邊宣佈香港區會在 2018 開放,現在只剩下兩個多禮拜的時間了。
可以看到 subdomain 已經準備好,但還沒上線 (查 ap-southeast-4 的 NS RR 是直接給 NXDOMAIN):
;; AUTHORITY SECTION: ap-southeast-3.amazonaws.com. 900 IN NS dns-01.amazonaws.com. ap-southeast-3.amazonaws.com. 900 IN NS dns-02.amazonaws.com.
只好繼續等了...
AWS 在寧夏的 Region 開張了:「Now Open – AWS China (Ningxia) Region」。一樣是走託管方式:
The AWS China (Ningxia) Region, operated by Ningxia Western Cloud Data Technology Co. Ltd. (NWCD), is generally available now and provides customers another option to run applications and store data on AWS in China.
代碼是 cn-northwest-1 (北京是 cn-north-1),都是使用 amazonaws.com.cn 網域。與北京區一樣都需要另外申請 AWS China 的帳號才能使用:
Customers already using the AWS China (Beijing) Region, operated by Sinnet, can select the AWS China (Ningxia) Region directly from the AWS Management Console, while new customers can request an account at www.amazonaws.cn to begin using both AWS China Regions.
不過在 AWS Regions and Endpoints 表上,寧夏區 (cn-northwest-1) 跟全球是放在一起的,但北京區 (cn-north-1) 是拆開的:
可能之後會再整理吧...
在 Top 500 公佈新的資料後,就有人發現 Linux 第一次完全佔領了超級電腦 Top 500 列表裡的作業系統:「Linux Now Powers 100% of the World’s Top 500 Supercomputers」。
另外在「China Pulls Ahead of U.S. in Latest TOP500 List」也列出了這次的前五名,可以看出來中國在這塊砸了不少錢:
看到 Stripe 的幾個大動作:「Stripe in Hong Kong + Alipay and WeChat Pay globally」。
一個是進入香港的消息:
Today, we’re excited to officially launch Stripe in Hong Kong.
另外一個是 Alipay (支付寶) 以及 WeChat Pay (微信支付) 可以透過 Stripe 在全球使用:
So, today we’re introducing global support for Alipay and WeChat Pay, connecting Stripe businesses in 25+ countries to the hundreds of millions of Chinese consumers that actively use these payment methods.
尤其是後面的消息,對於中國的使用者方便不少...
在「Mozilla 在考慮移除 WoSign 的 CA Root」這邊提到的事情,隨著時間的發展,大家發現事情愈來愈誇張。
在兩個小時前 Mozilla 的 Gervase Markham 提出了對 WoSign + StartCom 處置的草稿:「WoSign and StartCom」,草稿在 Google Docs 上的「WoSign and StartCom」這邊可以看到。另外 Mozilla 在 wiki 上「CA:WoSign Issues」將 WoSign + StartCom 的事情都整理了出來,也是重要的資料。
文章很長,先講結論:目前 Mozilla 打算把 WoSign 與 StartCom 所簽出的 certificate 都照當年 CNNIC 的方式拔掉。
從頭說明,事情發生於八月底的時候 Google 通知了 Mozilla 一連串 WoSign 出包卻沒有主動通報的事件,當時知道的大約有三或四件。而在 mozilla.dev.security.policy 不斷的討論的情況下,由於關注度變得超高,在搜尋大量的資料下發現更多問題,到現在 Mozilla 的 wiki 上已經列出了 13 個。
而這邊以 Mozilla 最後整理的草稿,將 13 個事件整合起來成幾件來說明:
在瀏覽器會對 2016 後所簽出直接跳 error 的情況下 (像是「An update on SHA-1 certificates in Chrome」),直接偽造是 2015 年簽出的 certificate。
Mozilla 的 CA program 要求當公司擁有權轉移時必須揭露:
[...], Mozilla’s program requirements say that a change of CA ownership must be disclosed. In this case, that was not done - and in fact, the change was directly denied a few months after it happened.
直到最近被抓到而揭露後,發現 WoSign 所揭露的也不正確,StartCom 已經開始使用 WoSign 的 infrastructure 了:
More recently, even after the evidence of total control was public, WoSign referred to their interest in StartCom in a press release as “an equity investment”, and maintain that the two businesses continue to be separate even today. They say “the original system ... of StartCom remains unchanged”.
However, there is technical evidence that around a month and a half after the acquisition, StartCom issuances switched to using WoSign’s infrastructure - either the same instance of it, or their own instance.
而 Mozilla 要求 WoSign 提供他們產生 serial number 的程式碼時:(在 WoSign 簽出重複的 serial number 問題時得到的)
Mozilla asked WoSign how they generated their serial numbers, and was told that they used the Java package java.crypto.SecureRandom. They supplied the following code snippet:
[...]
However, as can be seen from this simple test harness, this code snippet does not produce serial numbers matching WoSign’s idiosyncratic pattern.
再度發現 WoSign 給的程式碼對不上。(hey)
然後再多方面分析後發現 WoSign 宣稱跟 StartCom 只共用 CRL/OCSP (revoke 機制) 是假的。Mozilla 由多方面判斷發現,至少程式碼是共用的 (i.e. clone),甚至猜測整個系統都是共用的 (在更後面提到):
We believe that, taken together, all this shows that StartCom’s certificates are now being issued using either WoSign’s existing infrastructure or a clone of it, and that WoSign’s operational control of StartCom began straight after the November 1st 2015 sale date. This evidence should be compared against WoSign’s recent assertion that “Even now, it still independent in the system, in the validation team and management team, we share the CRL/OCSP distribution resource only.”
再來是講一些背景。因為金流產業到了 2016 年還是有系統不支援 SHA-256 certificate,而 CA/Browser Forum 已經禁止簽發 SHA-1 憑證了,所以 2016 年二月的時候 WorldPay 跑上來尋求例外:
This became clear in February of 2016, where a payment processor called WorldPay applied to the CAB Forum for an exception so they could acquire 8 SHA-1 certificates to keep SSL working for their legacy payment terminals. Their CA was unable to help them because of the ban in the CAB Forum Baseline Requirements, and to issue in violation of the ban would lead to a “qualified” (not clean) audit, which might lead to browsers no longer accepting their audit as valid to keep them trusted.
而在亞利桑那的 face-to-face meeting 中剛好就討論了這點,允許 Symantec 簽發,而要提出來的是,WoSign 的 Richard Wang 也在場:
This issue was discussed at length in the CAB Forum face-to-face meeting from 16th-18th February 2016 in Scottsdale, Arizona (where Richard Wang of WoSign was present). Mozilla then had a public discussion about it in our policy forum starting on 23rd of February. In the end, the browsers reluctantly agreed to let Symantec issue these certificates for Worldpay - or rather, they agreed to accept that Symantec’s next audit would be qualified in this way.
所以 Mozilla 再次強調,當下大家的結論是特別許可,簽發被禁止的 SHA-1 certificate 是很嚴重違反規定的事情:
Even at this point, in February 2016, it was (or should have been) clear to all CAs, including WoSign, that issuing SHA-1 certificates in violation of the ban was a Very Big Deal, and that permission had to be sought from the browsers in order for the CA not to face difficulty.
接下來是 Tyro,這是一家澳洲金流廠商,直接複製草稿上的時間表:
| Feb 3rd 2010 | GeoTrust issues a SHA-1 certificate for *.tyro.com from their Equifax root, valid until May 6th 2013. |
| Apr 6th 2013 | A month before their old cert expires, GeoTrust issues a replacement SHA-1 certificate for *.tyro.com from a GeoTrust root, valid until June 7th 2016. A simple roll-over replacement. |
| Jan 1st 2016 | SHA-1 issuance ban comes into effect. |
| May 24th 2016 | A month before their old cert expires, GeoTrust issues a SHA-256 certificate for *.tyro.com from a GeoTrust root, valid until June 23rd 2019. |
但 Tyro 在 2016 年五月拿到的 SHA-256 憑證很明顯不合用,於是試著找 SHA-1 憑證... 結果不管怎樣,後來拿到了 StartCom 所簽出來的 SHA-1 憑證,而藉由技術上的 pattern 可以發現這是 back-dated (偽造日期簽發):
But the strong evidence is that this SHA-256 certificate did not meet Tyro’s needs. We can see a SHA-1 certificate for *.tyro.com which was logged in CT on June 8th 2016, a day after their previous SHA-1 certificate expired. This certificate is not issued by GeoTrust (who still provide the cert for their main website) or Comodo, tyro.com’s usual providers, but by StartCom. And the notBefore date is that magic date of 20th December, 2015 - a date on which, as noted above, StartSSL.com was closed for upgrading, and on which we have seen many Macau certificates issued by WoSign, which we believe are back-dated.
也可以很清楚的確認到現在還在使用:
The SHA-1 certificate in question is still in use today on https://iclient.tyro.com/.
最後 Mozilla 得到的結論:
同時他們認為最後一點是最嚴重的一點,你必須將 StartCom 視為與 WoSign 完全同樣的公司,所有對 WoSign 的檢查與處置都必須相同對應到 StartCom 上:
This last point is important; the practices at WoSign are now being seen at StartCom. Therefore, we conclude that all of ownership, infrastructure and control are sufficiently common between the two companies that it would therefore be reasonable for any action Mozilla chooses to take against WoSign to also be taken against StartCom and vice versa.
另外一個很嚴肅的問題,CA 架構是建立在稽核機制上,而 WoSign 所選擇的稽核單位無法稽核出應有的「多個問題」:
WoSign’s auditors, Ernst & Young (Hong Kong), have failed to detect multiple issues they should have detected. (Issue J, Issue X)
提案的處理方式類似於 CNNIC 當時被拔掉的方式,針對某個日期之後的都不信任。這同時包括了 WoSign 與 StartCom 的 certificate。這真是可喜可賀啊...
Bitcoin.org 發出了有點摸不著頭緒的警告:「0.13.0 Binary Safety Warning」。
Bitcoin.org has reason to suspect that the binaries for the upcoming Bitcoin Core release will likely be targeted by state sponsored attackers. As a website, Bitcoin.org does not have the necessary technical resources to guarantee that we can defend ourselves from attackers of this calibre.
而且直接是點名可能是針對中國區的用戶:
We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website.
由於 Bitcoin.org 全站走 HTTPS,這是在暗示會出現「不小心發出 Bitcoin.org 的 SSL certificate」的事情?另外官方也建議使用 PGP public key 驗證:
We strongly recommend that you download that key, which should have a fingerprint of 01EA5486DE18A882D4C2684590C8019E36C2E964. You should securely verify the signature and hashes before running any Bitcoin Core binaries. This is the safest and most secure way of being confident that the binaries you’re running are the same ones created by the Core Developers.
來拿板凳蹲著看,順便拉一張目前 certificate 看到的資訊,目前是從 RapidSSL SHA256 CA - G3 簽出來:
如同標題講的,CIA 老大 John Brennan 告訴參議員,因為實務上不存在「Non-US encryption」,所以強制任何要進入美國的企業使用美版帶有後門的加密系統是可行的:「Non-US encryption is 'theoretical,' claims CIA chief in backdoor debate」。
CIA director John Brennan told US senators they shouldn't worry about mandatory encryption backdoors hurting American businesses.
And that's because, according to Brennan, there's no one else for people to turn to: if they don't want to use US-based technology because it's been forced to use weakened cryptography, they'll be out of luck because non-American solutions are simply "theoretical."
這位腦袋已經壞掉了啊,你知道有個叫做 China,拼做 C-h-i-n-a 的經濟體系嗎... 然後中美共用同一套有後門的加密系統瞬間就會被一堆人打槍,如果真的發生,還有個歐盟... 而且這些事情只是促進以色列的安全系統加速脫離美國掌控啊?以色列才是目前資安的超級強國啊...
這世界上有太多已經不是掌握在美國的東西了啊...
在 Bloomberg 上看到「China Fakes 488 Million Social Media Posts a Year: Study」這篇在討論中國五毛黨在網路上洗言論的數字。原始論文在「How the Chinese Government Fabricates Social Media Posts for Strategic Distraction, not Engaged Argument」這邊。
這篇論文估算大約有 200 萬人產生了 4.88 億的評論:
The Chinese government has long been suspected of hiring as many as 2,000,000 people to surreptitiously insert huge numbers of pseudonymous and other deceptivewritings into the stream of real social media posts,
We estimate that the government fabricates and posts about 488 million social media comments a year.
這個估算頗有趣的... XD
最近 CDN 產業裡有不少蕭期,其中一個新聞是 Google CDN 進入 beta,Google 藉由在全球佈署的機房來服務。
不過雖然進入了 Beta,但仍然有很嚴重的技術限制,只能透過 GCE 當 origin server,這使得實用性低很多:
Origins
Delivers HTTP/HTTPS content originating from Compute Engine VM instances. External origin servers are not supported.
有些特點是跟一般 CDN 不同的,一個是 Google 對 HTTPS 的口號,所以 HTTP 與 HTTPS 的價錢相同。其實你就當做他把 HTTP 的費用收的跟 HTTPS 一樣就好:
SSL Shouldn't Cost Extra
The web is moving to HTTPS, and your cacheable content should, too. With Cloud CDN, you can secure your content using SSL/TLS for no additional charge.
另外一個特點是從技術上就宣稱完全使用 Anycast,而不是見到的 DNS + Anycast:
Anycast
Serve all your content from a single IP address with low latency worldwide.
另外,計價的方式與其他的 CDN 有不少地方不一樣,另外也有針對中國地區另外處理。
首先是他把 Cache Egress (從 CDN 給使用者) 與 Cache Fill (從 CDN 到 Origin 取得資源) 分開收,一的般 CDN 都只收 Cache Egress 這塊。
再來是中國大陸地區的價錢另外標示,有特地標明不是從中國大陸地區直接提供服務:
Traffic destined for mainland China is served from Google locations outside of mainland China. Performance and reliability may be lower than for traffic served from in-country locations.
言下之意就是另外買 optimized 的頻寬來服務,但還是不會像在中國大陸地區有機房的效果這麼好,不過好處是不需要 ICP 之類的證照。
不過不得不說價錢其實還蠻便宜的,無論是歐美還是亞洲區。
中國因為一年只讓國民帶五萬美金出國,於是中國的富豪就想到各種方法搬移財產,其中 Boing Boing 介紹的這個方法真的頗棒的 XDDD:「Chinese millionaire sues himself through an offshore shell company to beat currency export controls」。
先成立一家空殼公司,然後再用空殼公司告自己的公司,藉由法院的賠償程序,避開了個人財產的轉移限制:
But there's a better way: for a small sum, you can just set up an offshore shell company, direct it to sue a Chinese company you own, throw the lawsuit, and then, oh well, I guess there's nothing for it but to send a bunch of cash to your shell company, exempted from export controls, in the form of court-ordered damages.
這方法 XDDD