StartCom Will Stop Issuing Certificates, Revoking Them All in 2020 (startcomca.com) 42
thegarbz writes: Startcom, a certificate authority which as we covered previously has been distrusted by Mozilla, by Google, and recently also by Microsoft, has announced that it will cease trading as a Certificate Authority. While their website currently shows no indication that their certificates have any problems, a news posting has announced their intentions to stop providing certificates as of January 2018, and to revoke all remaining certificates in 2020.
The original submission also says StartCom sent an email to all their former customers -- including customers of their free StartSSL certificates -- announcing their intentions. As you are surely aware, the browser makers distrusted StartCom around a year ago and therefore all the end entity certificates newly issued by StartCom are not trusted by default in browsers.
The browsers imposed some conditions in order for the certificates to be re-accepted. While StartCom believes that these conditions have been met, it appears there are still certain difficulties forthcoming. Considering this situation, the owners of StartCom have decided to terminate the company as a Certification Authority as mentioned in Startcoms website.
StartCom will stop issuing new certificates starting from January 1st, 2018 and will provide only CRL and OCSP services for two more years. StartCom would like to thank you for your support during this difficult time.
The original submission also says StartCom sent an email to all their former customers -- including customers of their free StartSSL certificates -- announcing their intentions. As you are surely aware, the browser makers distrusted StartCom around a year ago and therefore all the end entity certificates newly issued by StartCom are not trusted by default in browsers.
The browsers imposed some conditions in order for the certificates to be re-accepted. While StartCom believes that these conditions have been met, it appears there are still certain difficulties forthcoming. Considering this situation, the owners of StartCom have decided to terminate the company as a Certification Authority as mentioned in Startcoms website.
StartCom will stop issuing new certificates starting from January 1st, 2018 and will provide only CRL and OCSP services for two more years. StartCom would like to thank you for your support during this difficult time.
Really? (Score:5, Funny)
So Startcom will rename to Stopcom? Cute.
Re:BeauHD is a Russian Plant! (Score:5, Funny)
I'm pretty sure nospam007 read that in Woosh Magazine.
Re: (Score:2)
Perhaps you are looking for http://whooshmagazine.com/ [whooshmagazine.com]
Re: (Score:1)
instead of buying one cert from one authority, perhaps they want us to buy a cert from every authority. profits!
Re: I thought most browser companies wanted "freed (Score:4, Informative)
https://arstechnica.com/information-technology/2017/07/google-drops-the-boom-on-wosign-startcom-certs-for-good/
This doesn't seem like an agenda. Its more like if i write a bunch of bad checks, people will stop accepting my checks because i have broken the trust in my credit worthiness.
Back dating security certs and failing to follow the rules the cert companies have to follow to maintain trust seems like a good reason to stop trusting them.
Re: (Score:3)
Yes, there are actual standards: https://cabforum.org/documents... [cabforum.org]
Re: I thought most browser companies wanted "free (Score:4, Interesting)
Re: I thought most browser companies wanted "free (Score:4, Informative)
There are issues with Symantec and particular CA were revoked, a lot of them regional and not very newsworthy.
The mailing lists of the individual browsers capture some of the drama but most CA actually try to fix the issues, StartCom just made things worse as they went along.
They sold themselves to another CA and started signing and backdating certificates, then when people made a complaint of that all they did was spin off the company to a shell company simply to disassociate them from the name but the same company and people were still in charge.
Then they got hacked and when heartbleed came along it was proven that they had someoneâ(TM)s certificates stolen, they refused to retract the certificate until their customer paid them to retract it.
StartComs business model was to profit of customers that found themselves in a bind. It backfired on them.
Re: (Score:2)
It's not Let's Encrypt or's fault in particular or certificates' fault in general if people expect more from certificates than they can deliver. All a certificate does is to say that you are indeed connected to www.bankofamerika.com. That you mistake it for your bank and enter your login credentials is your problem.
Re: (Score:2)
Forget better education. Nice idea and I'd like it, but education isn't something you can enforce. The one to be educated has to demand it. And that's not forthcoming. You identified correctly that most users want something that "just works" and don't want to be bothered with the details of how and why. That is basically what happens here.
If you, as the user, can manipulate the certificate chain and storage, it also means that any attacker gaining access to it can easily manipulate it. And, and this is the
Re: (Score:2)
Shady people don't need these muppets, they just use Let's Encrypt nowadays.
Shady people do need these muppets. Let's Encrypt only provides DV certificates which in general do fuck all for proving who the shady person is behind a computer. All they do is identify the computer as being who they claim their are in their domain.
Startcom managed to break even this, issuing DV certificates for domains not proven to be in control of the computer. Not to mention they happily issued known weak certificates and had numerous exploitable bugs in their website that allowed you to automatically
Selling Customer Details ??? (Score:5, Informative)
Dear customer,
As you are surely aware, the browser makers distrusted StartCom around a year ago and therefore all the end entity certificates newly issued by StartCom are not trusted by default in browsers.
The browsers imposed some conditions in order for the certificates to be re-accepted. While StartCom believes that these conditions have been met, it appears there are still certain difficulties forthcoming. Considering this situation, the owners of StartCom have decided to terminate the company as a Certification Authority as mentioned in Startcoms website.
StartCom will stop issuing new certificates starting from January 1st, 2018 and will provide only CRL and OCSP services for two more years.
StartCom would like to thank you for your support during this difficult time.
StartCom is contacting some other CAs to provide you with the certificates needed. In case you dont want us to provide you an alternative, please, contact us at certmaster@startcomca.com
Please let us know if you need any further assistance with the transition process. We deeply apologize for any inconveniences that this may cause.
Best regards,
StartCom Certification Authority
I don't think their existing customers expect their details to be passed on to the CA's so they can offer their services. Sounds like another way for a dying business to monetise their remaining assets.
Re: (Score:3)
Can confirm, I got the same thing. And I haven't used a startcom cert in several years now.
Re: (Score:3)
That's actually a great and very relevant observation that I glossed over during the submission. Thanks for pointing it out.
Concerning (Score:1)
Is it just me who is concerned that browser makers now rule like kings over the internet? They now have the power to make or break any company in the world by putting pressure onto certificate authorities, and/or simply unrecognising whoever they want. If ever there was a case for government regulation this is surely it. Maybe startcom deserved to get smacked down, I have no idea. But it's the principle of the thing.
Re: (Score:2)
In theory a browser could easily stop supporting websites or script or whatever. Just like with Adobe and Java right?
Startcom was the Best until WoSign bought them (Score:5, Informative)
StartCom was the best option for multiple certificates. Their price model was vastly better and I wonder if they are having a hard time getting re-certified because the other CAs didn’t like their model.
You paid for validation not per cert.
Tier 1 was free and the certs were good for a year. Domain/Email control is all that was validated.
Tier 2 was your name, and it was $50 a year, but your certs were valid for 2 years. This allowed you to have your name in your email cert and basic checks were performed for domain certs. You were also allowed one Code Cert.
Tier 3 was more for Organizations or EV certs. Another $50 and the certs were good for 3 years. You could also have code cert with your organization name in it.
$100 every 3 years could get you UNLIMITED Domain, Email, and two Code certs. One in your name and one in your organization name. The best deal if you ask me. I had 5 email certs and 10 domain certs for $25/year as I only needed to verify once two years.
The problem started when they were bought by Wosign
https://www.wosign.com/english... [wosign.com]
Then the shady things that got them revoked started happening and now they are closing shop. My same needs will cost close to a thousand dollars a year.
Re: (Score:2)
Yeah. Fuck WoSign with a bargepole, they ruined everything. :-(
Re: (Score:2)
Not quite. There were a few problems with Startcom themselves. But they were more along the lines of lack of disclosure and bugs in the certificate issuance process than major policy issues.
Startcom deserved to get slapped on the face even without Wosign but without Wosign they'd probably still be in business.
Re: (Score:2)
It is far more likely that Startcom are having problems being accepted by browser manufacturers because:
Wosign owns Startcom.
Wosign is known to issue certificates outside the CA/Browser forum rules.
Startcom has also been seen to issue certificates outside the CA/Browser forum rules since they were purchased by Wosign.
Wosign still owns Startcom and therefore still controls Startcom.
Startcom is still poisoned by Wosign and since Wosign won't separate from Startcom, Startcom cannot be trusted as a CA and they
Re: (Score:2)
Re: (Score:2)
The fact that the OP said the same needs will cost him $1000s means that he quite likely wasn't using DV certificates which is all that Lets Encrypt offers.
Re: (Score:2)
This has nothing to do with their business model or any other CA's ... other than the one who bought them.
Mozilla has a very detailed rundown [mozilla.org] of what the problems were with Startcom and Wosign. Both Startcom and their parent have multiple failings listed against them which breached their trust.