
StartCom Will Stop Issuing Certificates, Revoking Them All in 2020 (startcomca.com)

thegarbz writes: Startcom, a certificate authority which, as we covered previously, has been distrusted by Mozilla, by Google, and recently also by Microsoft, has announced that it will cease trading as a Certificate Authority. While their website currently shows no indication that their certificates have any problems, a news posting has announced their intentions to stop providing certificates as of January 2018, and to revoke all remaining certificates in 2020.
The original submission also says StartCom sent an email to all their former customers -- including customers of their free StartSSL certificates -- announcing their intentions:

As you are surely aware, the browser makers distrusted StartCom around a year ago and therefore all the end entity certificates newly issued by StartCom are not trusted by default in browsers.

The browsers imposed some conditions in order for the certificates to be re-accepted. While StartCom believes that these conditions have been met, it appears there are still certain difficulties forthcoming. Considering this situation, the owners of StartCom have decided to terminate the company as a Certification Authority as mentioned in StartCom's website.

StartCom will stop issuing new certificates starting from January 1st, 2018 and will provide only CRL and OCSP services for two more years. StartCom would like to thank you for your support during this difficult time.

  • Really? (Score:5, Funny)

    by nospam007 ( 722110 ) * on Sunday December 03, 2017 @02:35PM (#55668781)

    So Startcom will rename to Stopcom? Cute.

  • by Anonymous Coward on Sunday December 03, 2017 @03:48PM (#55669027)
    The article does not quote all of the message sent to customers:

    Dear customer,

    As you are surely aware, the browser makers distrusted StartCom around a year ago and therefore all the end entity certificates newly issued by StartCom are not trusted by default in browsers.

    The browsers imposed some conditions in order for the certificates to be re-accepted. While StartCom believes that these conditions have been met, it appears there are still certain difficulties forthcoming. Considering this situation, the owners of StartCom have decided to terminate the company as a Certification Authority as mentioned in StartCom's website.

    StartCom will stop issuing new certificates starting from January 1st, 2018 and will provide only CRL and OCSP services for two more years.

    StartCom would like to thank you for your support during this difficult time.

    StartCom is contacting some other CAs to provide you with the certificates needed. In case you don't want us to provide you an alternative, please contact us at certmaster@startcomca.com

    Please let us know if you need any further assistance with the transition process. We deeply apologize for any inconveniences that this may cause.

    Best regards,

    StartCom Certification Authority

    I don't think their existing customers expect their details to be passed on to the CAs so they can offer their services. Sounds like another way for a dying business to monetise their remaining assets.

    • Can confirm, I got the same thing. And I haven't used a startcom cert in several years now.

    • That's actually a great and very relevant observation that I glossed over during the submission. Thanks for pointing it out.

  • by Anonymous Coward

    Is it just me who is concerned that browser makers now rule like kings over the internet? They now have the power to make or break any company in the world by putting pressure onto certificate authorities, and/or simply unrecognising whoever they want. If ever there was a case for government regulation this is surely it. Maybe startcom deserved to get smacked down, I have no idea. But it's the principle of the thing.

    • In theory a browser could easily stop supporting websites or script or whatever. Just like with Adobe and Java right?

  • by rriven ( 737681 ) <slashdot@rriven.com> on Sunday December 03, 2017 @10:35PM (#55670469) Homepage

    StartCom was the best option for multiple certificates. Their price model was vastly better and I wonder if they are having a hard time getting re-certified because the other CAs didn’t like their model.

    You paid for validation not per cert.
    Tier 1 was free and the certs were good for a year. Domain/Email control is all that was validated.
    Tier 2 was your name, and it was $50 a year, but your certs were valid for 2 years. This allowed you to have your name in your email cert and basic checks were performed for domain certs. You were also allowed one Code Cert.
    Tier 3 was more for Organizations or EV certs. Another $50 and the certs were good for 3 years. You could also have code cert with your organization name in it.

    $100 every 3 years could get you UNLIMITED Domain, Email, and two Code certs. One in your name and one in your organization name. The best deal if you ask me. I had 5 email certs and 10 domain certs for $25/year as I only needed to verify once every two years.

    The problem started when they were bought by Wosign

    https://www.wosign.com/english... [wosign.com]

    Then the shady things that got them revoked started happening and now they are closing shop. My same needs will cost close to a thousand dollars a year.

    • by jez9999 ( 618189 )

      Yeah. Fuck WoSign with a bargepole, they ruined everything. :-(

      • Not quite. There were a few problems with Startcom themselves. But they were more along the lines of lack of disclosure and bugs in the certificate issuance process than major policy issues.

        Startcom deserved to get slapped on the face even without Wosign but without Wosign they'd probably still be in business.

    • It is far more likely that Startcom are having problems being accepted by browser manufacturers because:

      Wosign owns Startcom.
      Wosign is known to issue certificates outside the CA/Browser forum rules.
      Startcom has also been seen to issue certificates outside the CA/Browser forum rules since they were purchased by Wosign.
      Wosign still owns Startcom and therefore still controls Startcom.

      Startcom is still poisoned by Wosign and since Wosign won't separate from Startcom, Startcom cannot be trusted as a CA and they

    • I've moved to Let's Encrypt (which, with acme-client, is a bit easier to use) for TLS certs for web servers, but I've not found an alternative for issuing trusted S/MIME certs. This was the most useful thing for StartCom: their S/MIME certs were trusted by all major mail clients, so if you signed your mail with them then you got tamper detection.
      • The fact that the OP said the same needs will cost him $1000s means that he quite likely wasn't using DV certificates, which is all that Let's Encrypt offers.

    • This has nothing to do with their business model or any other CA's ... other than the one who bought them.
      Mozilla has a very detailed rundown [mozilla.org] of what the problems were with Startcom and Wosign. Both Startcom and their parent have multiple failings listed against them which breached their trust.
