The Asocial

StartSSL and friends

StartCom, Qihoo 360, WoSign, and Opera

Article date October 2, 2016
Category internet

StartSSL and StartCom

As you probably already know, and as was already mentioned in the “Let’s Encrypt: public beta” article, StartSSL is a crappy (though not outstandingly so) certificate authority. The company behind it is Israel-based StartCom, and as the Wikipedia article points out, its root certificates have been shipped with all major browsers since 2010, even though the startssl.com domain name was only registered on 2006-09-10.

Apparently “StartCom” stands for “start commerce”, and their slogan is “StartCom, the Start of eCommerce”. When they launched StartSSL (assuming it was after 2006-09-10), TLS 1.1 was already out, but “SSL” was the more widely known term among clueless potential customers. That was a subtle hint of what to expect. Since then it has only gone downhill.

In 2011, shortly after Comodo, it suffered a security breach, but apparently nothing of value was stolen, so it wasn’t that big a deal. It wasn’t considered a biggie even with Comodo, though that one (fraudulently issued certificates for popular domains) potentially screwed a lot of users.

In 2016, StartCom launched StartEncrypt – a Let’s Encrypt clone, but a vulnerable one: flaws in its domain validation let a requester obtain certificates for domains it did not control, i.e. it issued certificates without any real confirmation of ownership.

Opera

Opera was a proprietary web browser, perhaps not a particularly bad one, which began in 1994, grew into a monster, and pretty much died around 2013. The developers refused to open its source code even after that, and managed to sell the poor thing to a Chinese corporation for a hefty sum of money, like a large shipment of old electronics.

WoSign and Qihoo 360

Qihoo 360 is a huge Chinese scam that brands its malware as security products, which is, alas, not that uncommon – there indeed seems to be a large overlap between commercial security (or commercial anything, perhaps) and outright fraud. Like StartCom, they are not really trying to look like a decent company: as the linked article mentions, their “security browser” logo is just that of IE, but green.

Assuming that people wouldn’t tell lies on the internet (1 and 2 by the same author, 3), and inferring it from the verifiable fact that WoSign is hosted by “QiHU 360 Inc.”, it seems that Qihoo owns WoSign, though Qihoo is not mentioned on the “About WoSign” page (warning: poor English).

The Mozilla wiki “CA:WoSign Issues” page currently outlines 14 pretty serious issues, occasionally linking to bugzilla threads such as #1293366.

A pile formed

Recently WoSign invested in StartCom, and now hosts its servers. Meanwhile, Qihoo purchased the Opera browser, forming a larger pile consisting mostly of scam, plus one corpse.

Mozilla, Apple, Microsoft, and the other one

One may think that operating system and web browser maintainers shouldn’t have included that crap in their distributions at all, but it wasn’t that much worse than the alternatives at the time. One may also think that shipping X.509 root certificates is not something a web browser should do in the first place, but it’s hardly the only thing browsers do in addition to rendering HTML.

But now Mozilla has proposed to get rid of that, Apple is doing a half-assed job of it, while the other two major browser developers, Microsoft and Google/Alphabet/whatever, don’t seem to be reacting. It’s going pretty slowly, and one of the explanations is that users would do really stupid things (such as disabling certificate validation completely) if they couldn’t access some websites because a CA had been blacklisted.

Update (2016-10-24)

Mozilla is finally going to distrust some of the WoSign certificates (those issued after 2016-10-21), starting with Firefox 51. WoSign made the usual corporate bullshit announcement about Mozilla’s action. Apart from the surprisingly poor English for a large corporation, it’s somewhat interesting that they are not going to drop the affected root certificates, but are planning to sell certificates signed by them at a 90% discount. Both Mozilla and WoSign keep calling X.509 certificates “SSL”.

Lessons learned

None.