StartSSL

From IndieWeb
(Redirected from StartCom)


StartSSL was a service from StartCom that provided introductory SSL certificates for no cost. As of 2016-11-30, Mozilla, Google, and Apple have stopped trusting new certificates from WoSign and StartCom, and StartCom will cede operations at the end of 2017.[1] See #Criticism for more information.

Benefits

  • Single-domain SSL certificates are free.
  • You can create multiple certificates for individual subdomains, for example www.example.com and test.example.com
  • You can pay $59 to go through the "personal identity validation" process, at which point you get to do the following for the next 360 days:
    • Create as many wildcard certificates as you want for free (*.example.com), each is valid for 2 years
    • Create multi-domain certificates (example.org, example.com)

Issues

  • The user interface is very awkward.
  • Authentication is done only via browser client certificate, so make sure you back this up or you'll lose access to your account.
  • While single SSL certificates are free, it costs $24.99 to revoke a certificate if you need to.
  • You can only have one SSL certificate active per subdomain. There is a 2-week period where you can renew a certificate before it expires. This means if you lose your private key for a cert, you won't be able to re-create the cert with the same subdomain unless you pay to revoke the old one first.


Criticism

  • https://pierrekim.github.io/blog/2016-02-16-why-i-stopped-using-startssl-because-of-qihoo-360.html "The PKI platform of StartSSL, an Israeli leader of free SSL certificates, is now hosted by Qihoo 360, a Chinese Antivirus Company." Qihoo 360 has a very bad reputation and so StartSSL may not be treated as trusted and secure anymore.
  • https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/preview Mozilla investigation into backdating of certificates; may no longer trust newly-issued certificates in the near future:
    • Allegations of "... WoSign has been intentionally back-dating certificates to avoid blocks on SHA-1 issuance in browsers, having qualified audits and/or being caught violating the CAB Forum Baseline Requirements."
    • "Taking into account all the issues listed above, Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA. Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by either of these two CA brands."
  • https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/E13eT13wMBQ
    • "It seams that wosign has registered the domains letsencrypt.cn and letsencrypt.com.cn in 2014 after the public announce of Let's Encrypt"

FAQ

I lost my client certificate, or my client certificate expired

If you lost your client certificate, or if you forgot to create a new one before it expired, you can still recover you account. Create a new account with the same email address, and then email certmaster at startssl.com with the subject line "merge accounts", provide your email address, and ask that your accounts be merged.

See Also