Stripe launches in Hong Kong, plus Alipay and WeChat Pay support

Stripe has made a couple of big moves: "Stripe in Hong Kong + Alipay and WeChat Pay globally".

The first is the news that it is entering Hong Kong:

Today, we’re excited to officially launch Stripe in Hong Kong.

The other is that Alipay (支付寶) and WeChat Pay (微信支付) can now be used worldwide through Stripe:

So, today we’re introducing global support for Alipay and WeChat Pay, connecting Stripe businesses in 25+ countries to the hundreds of millions of Chinese consumers that actively use these payment methods.

The second piece of news in particular makes things a lot more convenient for users in China...

AWS Hong Kong region to open in 2018

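The news that has been circulating widely in the industry over the past few months has finally been made public. AWS plans to open a Hong Kong region in 2018: "In the Works – AWS Region in Hong Kong".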

Today, I am happy to be able to tell you that we are planning to open up an AWS Region in Hong Kong, in 2018.

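However, HiNet's bandwidth to Hong Kong has always been a pain point (badly congested), while its bandwidth to Japan is actually smoother. Once the region goes live next year we can watch how it behaves XDDD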

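Also, Japan has a tax issue, so its unit prices are considerably higher than at other locations in Asia (quite noticeable compared with Singapore). I don't know how Hong Kong pricing will work out; the tax may be lower (maybe), but it is after all a region with very little land, so a good part of that may be made back up in machine costs...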

Then there is the region code, which should be ap-southeast-3

CloudFront keeps expanding: Hong Kong

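Amazon CloudFront has added another facility in Hong Kong, which makes this the third one there... It is still a place in Asia where bandwidth costs are comparatively low (and where many Southeast Asian countries exchange traffic), so capacity can be expanded when there is matching demand: "Announcing Third Edge Location in Hong Kong for Amazon CloudFront".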

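That said, the Taiwan PoP is mainly constrained by Chunghwa's bandwidth. Three graphs like these can be read as the bandwidth between HiNet and CloudFront being full at that moment (they are pings from HiNet and TFNFET respectively to d36cz9buwru1tt.cloudfront.net, which the AWS website itself uses, taken from smokeping.kkbox.com.tw):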

Still, sometimes you can see all of the traffic being steered away. Is the capacity suddenly filling up? That is a bit strange...

Mozilla's new developments on the WoSign + StartCom root certificates: removal

Okay, there is new progress now that the people at Mozilla have talked with the people from WoSign + StartCom + 360.

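A few hours ago Mozilla put out a new version of the draft (yes, it is still a draft): "Remediation Plan for WoSign and StartCom". But since neither Kathleen Wilson nor Gervase Markham has had many objections, I am guessing this will be close to final.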

This draft sanction was posted by Kathleen Wilson and covers the following root certificates; you can see that it includes all of the WoSign and StartCom CAs:

1) Subject: CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN
2) Subject: CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN
3) Subject: CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN
4) Subject: CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN
5) Subject: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
6) Subject: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
7) Subject: CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL

First, it determines that this series of incidents was malicious behavior:

Based on the information that I have seen regarding WoSign, I believe that WoSign intentionally bent the rules in order to continue issuing SHA-1 SSL certs, when they knew full well that was no longer allowed. I also believe that the deception continued even after Mozilla directly asked WoSign about this. WoSign has lost my confidence in their ability and intention to follow Mozilla's policies.

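So the plan is to apply a sanction similar to the one used for CNNIC, but unfortunately, because the scale is different, they are forced to handle it in another way: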

Therefore, I think we should respond similarly to WoSign as we did to CNNIC [1][2]. Unfortunately, the number of certificates and the timescales involved are such that we prefer not to create a list of the domains for which previously-issued certs that chain up to the Affected Roots may continue to be trusted, so our approach will be a little different, as Gerv previously described[3].

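The sanction process consists of four items. The first is that Firefox 51 will block these root certificates using a blacklist, but will still trust certificates issued before 2016/10/21 to reduce the impact on existing websites: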

1) Distrust certificates chaining up to Affected Roots with a notBefore date after October 21, 2016. If additional back-dating is discovered (by any means) to circumvent this control, then Mozilla will immediately and permanently revoke trust in the Affected Roots.
-- This change will go into the Firefox 51 release train [4].
-- The code will use the subject key id (hash of public key) to identify the Affected Roots, so that the control will also apply to cross-certs of the Affected Roots.

Next, the SHA-1 certificates that were issued earlier will be added to OneCRL:

2) Add the previously identified backdated SHA-1 certs chaining up to the Affected Roots to OneCRL.

Another very big deal is that Mozilla will permanently stop trusting audit reports from Ernst & Young Hong Kong:

3) No longer accept audits carried out by Ernst & Young Hong Kong.

Gervase Markham added a clarification on the "permanent" part:

To be clear, this is a permanent ban, applicable worldwide, but only to the Hong Kong branch of E&Y. (If further issues are found with E&Y audits elsewhere, then we might consider something with wider scope.)

The last item is removing the certificates bundled in NSS:

4) Remove the Affected Roots from NSS after the SSL certificates issued before October 1, 2016, have expired or have been replaced.

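The discussion raised the point that the cutoff dates for Firefox and NSS are not quite the same (one is 10/21, the other is 10/01); this should be corrected when the plan is formally finalized.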
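The checks described in items 1 and 2 above, as an added example that is not Mozilla's code or part of the original post: certificates are modelled as plain records, and every subject key id, serial and name is a constructed placeholder. It assumes the cutoff is compared against the leaf's notBefore at date granularity.

```python
from dataclasses import dataclass
from datetime import date

# Constructed placeholder subject key ids, NOT the real values of any root.
AFFECTED_ROOT_SKIS = {"aa" * 20}
# Constructed stand-in for the OneCRL entries of item 2: (issuer, serial).
ONECRL = {("CN=Example Affected Issuing CA", 0x1001)}
CUTOFF = date(2016, 10, 21)  # item 1: a notBefore after this date is distrusted

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ski: str  # subject key id (hash of the public key)
    serial: int
    not_before: date

def evaluate(chain):
    """chain[0] is the leaf, chain[-1] the trust anchor; returns (ok, reason)."""
    leaf = chain[0]
    if (leaf.issuer, leaf.serial) in ONECRL:
        return False, "leaf is listed in OneCRL"
    # Match on SKI rather than subject or fingerprint: a cross-cert issued by
    # another CA carries the same public key, hence the same SKI.
    hit = next((c for c in chain[1:] if c.ski in AFFECTED_ROOT_SKIS), None)
    if hit is None:
        return True, "no affected root key in chain"
    if leaf.not_before > CUTOFF:
        return False, "chains to affected key, notBefore after cutoff"
    return True, "chains to affected key, notBefore on or before cutoff"

# Constructed sample certificates (hypothetical names, not from the plan).
ROOT = Cert("CN=Example Affected Root", "CN=Example Affected Root",
            "aa" * 20, 1, date(2009, 1, 1))
CROSS = Cert("CN=Example Affected Root", "CN=Other Root",
             "aa" * 20, 77, date(2015, 1, 1))
OTHER = Cert("CN=Other Root", "CN=Other Root", "cc" * 20, 1, date(2008, 1, 1))
INTER = Cert("CN=Example Affected Issuing CA", "CN=Example Affected Root",
             "dd" * 20, 5, date(2014, 1, 1))

def leaf(serial, not_before):
    return Cert("CN=www.example.test", INTER.subject, "ee" * 20, serial, not_before)

if __name__ == "__main__":
    for chain in ([leaf(0x2001, date(2016, 6, 1)), INTER, ROOT],
                  [leaf(0x2002, date(2016, 11, 5)), INTER, ROOT],
                  [leaf(0x2003, date(2016, 11, 5)), INTER, CROSS, OTHER],
                  [leaf(0x1001, date(2015, 12, 20)), INTER, ROOT]):
        print(evaluate(chain))
```

The third chain ends at an unaffected root but is still rejected, because the cross-certificate in the middle carries the affected key's subject key id.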

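Also, in "StartCom & Qihoo Incidents", Google's Ryan Sleevi wrote a long post as well, perhaps his personal view for now (but he is after all one of the people in charge at Google). His position is basically the same as Mozilla's (treating WoSign and StartCom as a single entity, and one that deliberately violated the Baseline Requirement), so there should be follow-up action there too...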

Rackspace's cloud services...

I registered a Rackspace account a long time ago, and when I happened to log in just now I found that it is actually quite competitive?

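There are Hong Kong servers; I spun one up to test and found that speeds from Taiwan are all pretty good... and the responsiveness is far better than the AWS Web Console.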

A new machine comes up with public IPv4 and IPv6, you can additionally create your own private network (similar to AWS's VPC), and there is likewise block storage (similar to AWS's EBS).

However, launching a machine through the Web Console gives you a random root password rather than SSH key login, which is a bit different.

Although it is the second largest, the whole thing is very smooth... still well worth playing with to see how it really is :o