
Despite revoked CAs, StartCom and WoSign continue to sell certificates - tombrossman
https://ma.ttias.be/despite-revoked-cas-startcom-wosign-continue-sell-certificates/
======
Mojah
Author of the article here: I learned in the meanwhile that the situation is
less bad than it sounds. It's not a link-bait article, but keep in mind that
they now _resell_ other CAs' certificates, they're not selling their own
anymore.

There will however be a brief period where they _did_ sell their own
certificates, signed by their own CA, that are now being blocked.

~~~
willvarfar
Should we trust them as a reseller? If/when they mess up again, are they
nearly so easy to revoke? Does the cert contain their name still?

~~~
vtlynch
Certificate resellers are only taking money in exchange for the cert. They are
not doing any validation.

This is true even in cases like Gandi.net where some of the certs they sell
come from a custom-branded intermediate certificate. The root CA is Comodo and
they are doing the validation, controlling the private keys of the certs that
handle issuance, etc. It's just a branding thing.

There are a few cases with Sub-CAs/Registration Authorities where a third-party
company is handling some/all of the certificate validation. Symantec is
currently in trouble for the bad actions of CrossCert, a Korean company that
was licensed to be a Sub-CA. But WoSign/StartCom would not be able to
participate in any sort of arrangement like this without being immediately
banned again.

So there is no inherent problem with a banned CA continuing to sell
certificates that another CA is validating. However, in the investigation of
WoSign it was found that the company is deeply dishonest, incompetent, and
even a little bit malicious. So anything that puts money in their pocket
should be avoided.

------
tombrossman
I think we can expect to see more questions like this on StackExchange in the
near future:
[http://webmasters.stackexchange.com/questions/103405/install...](http://webmasters.stackexchange.com/questions/103405/installing-startssl-certificate-under-apache-gives-sec-error-revoked-certificate)

~~~
cptskippy
Looks like all the browsers need to do a better job communicating that error.
Firefox and Safari are the only two that provide any clue as to the problem,
however Safari seems to jump to conclusions a bit.

------
vog
This is the ideal time to switch to Let's Encrypt, and be done with
certificate issues once and for all.

[https://letsencrypt.org/](https://letsencrypt.org/)

[https://certbot.eff.org/](https://certbot.eff.org/)

You no longer have to ask year after year for a new certificate. It will be
renewed automatically for as long as your webserver lives. And everything is
backed by good protocols, a strong community and a trustworthy organization
(EFF).

~~~
Someone1234
> You no longer have to ask year after year for a new certificate.

Now you have to ask every three months.

~~~
vog
_> Now you have to ask every three months._

No, you have a script running that updates your certificate automatically, and
you _never_ ever have to do that manually again. Or, you don't need that
script because your webserver (e.g. Caddy) does that for you.

Oh, and just in case one of the intermediate certificates of Let's Encrypt had
to be revoked for some reason: The very same mechanism would provide you with
a new, working certificate as soon as possible. This, again, is fully
automatic without any headache on your side.

Do you know any other CA where you get this level of comfort?

~~~
OrdaGarb
Nice in theory, but just when I think I have it figured out something changes
and the script quits working. Specifically with 3rd-party hosting like
NearlyFreeSpeech, not my own, but still a PITA.

~~~
vog
That sounds like an integration issue of 3rd-party hosters, not like an issue
with Let's Encrypt itself.

I have a running system with Let's Encrypt certificates for webserver (HTTPS)
as well as mail server (SMTPS, IMAPS, POP3S), based on nginx, exim4 and
dovecot, using certbot.

Setting up Let's Encrypt literally consists of just 3 steps:

1. In the webserver for all domains on HTTP, add alias /.well-known/acme-challenge
to /var/www/letsencrypt/.well-known/acme-challenge

2. Run "certbot certonly" once for every domain

3. Add cronjob for "certbot renew" with a post-hook that restarts your
webserver and mailservers.

Well, to be honest, there is one more step, but that one is specific to my own
setup, and also just a one-time effort:

3a. Add a post-hook command that fixes a permission issue with Debian-exim.
Note that this is only needed if you want to use the certificates for SMTPS
and use exim under Debian.

If you add a new domain later on, this is just a single step, no need to touch
the cronjob:

1. Run "certbot certonly" once for that domain

So yes! Once you have the setup running, setting up a new SSL/TLS domain is
actually easier with Let's Encrypt than with any other CA.

(Of course, you'll also have to add the domain to your webserver
configuration, but that's always needed, whether you use Let's Encrypt or
not.)
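As an added example (not the commenter's own configuration), here are the three steps above written out as a small POSIX shell script that emits the nginx location block, the one-off certbot commands and the cron entry, so each piece can be reviewed before it is installed. The webroot path, the example domain names, the systemd unit names and the hook path are assumptions, not details from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: vog's three Let's Encrypt steps as
# functions that emit configuration. Assumed (not from the comment): the
# webroot path, the example domains, systemd unit names, the hook path.

WEBROOT="${WEBROOT:-/var/www/letsencrypt}"
ACME_PATH="/.well-known/acme-challenge"
POST_HOOK="/usr/local/sbin/le-post-hook.sh"   # assumed hook location

# Step 1: a location block for every port-80 server {} in nginx, so the
# HTTP-01 challenge files certbot writes under $WEBROOT are served for all
# domains from one shared directory.
acme_location_block() {
    printf '%s\n' \
        "location ${ACME_PATH}/ {" \
        "    alias ${WEBROOT}${ACME_PATH}/;" \
        "    default_type text/plain;" \
        "}"
}

# Step 2: the one-off "certbot certonly" for a domain plus optional extra
# names. The webroot plugin writes challenge files into $WEBROOT and never
# needs to stop the running webserver. Adding a domain later is this step
# again; "certbot renew" then picks the new lineage up by itself.
certonly_cmd() {
    domain="$1"; shift
    cmd="certbot certonly --webroot -w ${WEBROOT} -d ${domain}"
    for extra in "$@"; do
        cmd="${cmd} -d ${extra}"
    done
    printf '%s\n' "$cmd"
}

# Step 3 (hook): make the daemons that loaded the old key material pick up
# the new files. nginx can reload in place; exim4 and dovecot are restarted,
# as the comment describes.
post_hook_script() {
    printf '%s\n' \
        '#!/bin/sh' \
        'set -e' \
        'systemctl reload nginx' \
        'systemctl restart exim4' \
        'systemctl restart dovecot'
}

# Step 3 (cron, /etc/cron.d format with a user field): "certbot renew" is
# safe to run daily because it only renews certificates close to expiry.
cron_line() {
    printf '%s\n' "17 3 * * * root certbot renew --quiet --post-hook ${POST_HOOK}"
}

# Print everything for review; nothing here touches the system.
echo "# nginx, inside every port-80 server block:"; acme_location_block
echo "# run once per domain:";                       certonly_cmd example.com www.example.com
echo "# contents of ${POST_HOOK}:";                 post_hook_script
echo "# /etc/cron.d/certbot-renew:";                 cron_line
```

One refinement worth knowing: `--post-hook` fires after every `certbot renew` run, renewed or not, so the mail daemons above would be restarted nightly; certbot's `--deploy-hook` runs the same command only when a certificate was actually renewed. The Debian-exim permission fix the comment mentions (step 3a) would also belong in that hook, but its specifics are not given in the thread, so it is left out here.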

------
ealexhudson
Unfortunately, StartSSL appear to be claiming that the SSL certificates
themselves are free, and that they are only charging for the validation
process - and while validation is potentially valuable, if you are unable to
issue an SSL certificate that can make use of it, it seems limited.

To say this is "shady practice" is putting it nicely; I daresay few but the
keenest observers would pick up the problem.

~~~
justinclift
Well, the "we charge for the validation, not the certificates" approach is how
they've done things for ages.

Prior to the clusterf__k of becoming untrusted by Mozilla (etc), it was
really useful.

Once verified you could generate many certificates (subdomains, etc) without
forking over cash each time.

Compared to the general (scam-like?) model of other providers, it seems like a
sane alternative.

Now they're untrusted though, it's kind of moot. :(

------
beatle_sauce
Did anybody notice that the Opera browser company and Wosign are both owned by
Qihoo?
[https://en.wikipedia.org/wiki/Qihoo_360](https://en.wikipedia.org/wiki/Qihoo_360)

What is the status of Wosign/Startcom certificates in the Opera browser? And
in the Qihoo ("360 secure") browser?

------
y04nn
Is this why I had problems with my new free certificate from StartSSL about 2
weeks ago? It wasn't obvious, I ended up using Let's Encrypt.

------
omash
Google can use its monopoly to accomplish almost anything!

~~~
ChefDenominator
My understanding is the issue with WoSign and discovery of their purchase of
StartCom (which violated trusted CA process by not informing anyone that they
were sold) was originally done by Mozilla, which was also the first to act to
remove them from trust stores.

[https://blog.mozilla.org/security/2016/10/24/distrusting-new...](https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/)

