
StartSSL suspends services after a security breach - there
http://isc.sans.org/diary.html?storyid=11071&rss
======
gst
Not good. StartSSL is the only issuer of free SSL certificates that are
accepted by major browsers. Hope they come back online soon.

~~~
chayesfss
No, there are others. <http://certs.ipsca.com> offers free 3-month certs also.

------
jcr
Thanks "there"! It's good to know. The trouble is neither the sans.org notice
nor the StartSSL site gives any real detail on how bad this latest SSL fiasco
really is. For example:

> Subscribers and holders of valid certificates are not affected in any form.
> Visitors to web sites and other parties relying on valid certificates are
> not affected.

In other words, if there are bogus certs out there, they will still work.
(sigh)

~~~
extension
I think that means there are no bogus certs. The Register is a bit more clear
about it:

_The hackers behind the attack on StartCom failed to obtain any certificates
that would allow them to spoof websites in a similar fashion, and they were
also unsuccessful in generating an intermediate certificate that would allow
them to act as their own certificate authority, Nigg said in an email._

~~~
pasbesoin
Yes, the linked document really just notes the existence of the situation.
It links to the Register article, which has more detail:

[http://www.theregister.co.uk/2011/06/21/startssl_security_br...](http://www.theregister.co.uk/2011/06/21/startssl_security_breach/)

------
bwlang
As I understand the Register article, it seems that the website was cracked,
but no false certs were issued.

Sounds like a success story about a responsible operator, with the information
we have so far.

------
mike-cardwell
The Register has more info:

[http://www.theregister.co.uk/2011/06/21/startssl_security_br...](http://www.theregister.co.uk/2011/06/21/startssl_security_breach/)

Hackers managed to somehow generate certificates for arbitrary domains. Looks
like they spoke directly to Eddy Nigg (StartCom's CTO and COO) to get this
info.

------
asciilifeform
_Cui bono?_ (<http://en.wikipedia.org/wiki/Cui_bono>)

The $500+ SSL rent-seekers, of course.

They didn't need to create fake Start certs or steal data - damaging Start's
reputation may have been enough to liven up interest in the competition's
wares.

------
ehutch79
Does anyone know of any other inexpensive SSL cert providers?

~~~
ra
Comodo do a free one, but it only lasts 90 days.

Not that they haven't had their own problems: <http://pastebin.com/74KXCaEZ>