StartSSL customers, it is time to leave. Now!

Wed 07 September 2016

While listening to the Security Now podcast, I listened first with amusement and then with horror to Steve reading an email from Mozilla about the security problems with the WoSign CA.

Their list of woes is long (read the linked email for details), but one thing turned up in the email which I was not aware of: StartCom (owner of the StartSSL certificate authority) was apparently recently bought by WoSign CA! Apparently one of the security bugs StartSSL has (had?) was that with a properly modified POST request (yes, I guess you can do it in the Developer Tools of your Firefox) you could get a certificate chained to the root certificate “CA 沃通根证书” (or “WoSign CA Free SSL Certificate G2” with another value of the parameter). Awesome!

What’s even more interesting is that I am a paying customer of the StartSSL CA and I have never been made aware of the change of ownership. The only other mention of the possible change of ownership I found was on the Wikipedia page, which linked to a blog post which is now unavailable due to “legal review of the site” […]. Even better! (Later update: fortunately the page has been cached.)

You know, the term “trusted third party” (which is another term for a CA) indicates that they are in the business of selling trust. I was willing to trust a happy Jewish hacker in Eilat, Israel. But I am not willing to trust him anymore after he made this change without letting me know, and even less am I willing to trust a mysterious Chinese corporation with a disastrous security track record.

It is time to move.

Update on 2016-11-10

So, I have finally found time to replace all my certificates with ones from Let’s Encrypt [1], and it was time to sever all my ties with StartSSL. Unfortunately, I have discovered that it is the Hotel California (“We are programmed to receive / You can check out any time you like / But you can never leave!”). OK, so my account won’t ever be deleted and my personal data will be stored with 沃通 for seven years, but at least I can revoke all my certificates, so that nobody would mistakenly think I support their operations, right? Wrong. This is what I see when I try to revoke one of my certificates: StartSSL requires payment when you try to abandon them!

StartSSL requires payment when you try to leave

[1] Using their certs on a webserver-less, XMPP-only server was a bit of a challenge, but it is possible: it is just necessary to open ports 80 and 443 even without a web server running behind them; certbot will fire up and then shut down its own small server.
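The procedure from the footnote, as an added example that is not part of the original post: a small POSIX shell script that first checks that ports 80 and 443 are not already taken (by parsing `ss -ltn` output), then runs certbot in standalone mode so that it answers the HTTP-01 challenge from its own short-lived server and reloads the XMPP daemon afterwards. The host name xmpp.example.org, the contact address and prosody as the XMPP daemon are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): obtain a Let's Encrypt
# certificate on a host with no web server, the way the footnote describes,
# by letting certbot's standalone responder listen briefly by itself.
# Assumptions (placeholders, not from the post): the host name is
# xmpp.example.org, the XMPP daemon is prosody, and ports 80/443 are
# reachable from the internet but otherwise unused.

DOMAIN="${DOMAIN:-xmpp.example.org}"

# Print the listening TCP ports found in `ss -ltn` output read from stdin,
# one per line (the port is the last ':'-separated part of column 4, which
# also handles IPv6 forms such as "[::]:5269").
listening_ports() {
  awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Succeed only if neither 80 nor 443 is listening in the given `ss -ltn`
# text: certbot --standalone cannot bind a port another daemon already owns.
http_ports_free() {
  ! printf '%s\n' "$1" | listening_ports | grep -qx -e 80 -e 443
}

# Run certbot in standalone mode: it starts its own tiny HTTP server for the
# HTTP-01 challenge and stops it again afterwards; the deploy hook reloads
# the XMPP daemon so it picks up the new key and chain.
# (If `ss` is missing, the check sees no listeners and simply proceeds.)
issue_cert() {
  if ! http_ports_free "$(ss -ltn 2>/dev/null)"; then
    echo "port 80 or 443 is in use; free it before running certbot --standalone" >&2
    return 1
  fi
  certbot certonly --standalone --preferred-challenges http \
    --non-interactive --agree-tos -m "admin@${DOMAIN}" -d "$DOMAIN" \
    --deploy-hook 'systemctl reload prosody'
}

# Only touch the real system when explicitly asked to: ./issue-cert.sh --issue
if [ "${1:-}" = "--issue" ]; then
  issue_cert
fi
```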

