
Termination of the certificates business of StartCom - marksamman
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/LM1SpKHJ-oc
======
DyslexicAtheist
I worked as Director of Engineering for an investor[1] who helped bootstrap
StartCom. StartCom was back then the first successful firm from the
Authenticity Institute portfolio. I joined Authenticity because I thought it
could really shake up the certification industry.

I quit after 6 months when I learned that the equity based contracts were
designed to scam the engineers that I hired. Also I dared to raise concerns
over bringing StartCom founder Eddy Nigg back into the company for advice on
how to build a sound infrastructure (fit for ETSI & WebTrust certification).

Management there has a thing for "hiring struggling entrepreneurs" and then
phishing them for their ideas with promise of equity which is never paid out.
There were also a range of other issues such as racist coworkers (which I
fired in my first week) and a refusal from the founder to face up to these
issues.

One applicant was made promises, then stalled on the contract and when she
quit her original job was told on her first day of work that her salary
negotiation hasn't even started. I was let go (or I quit with a bang depending
who you ask) because I dared to point out they're all crooks.

I personally don't see how trust can ever be implemented in systems when it
is owned by a company which can be acquired with M&A and the same bad apples
who cash out from projects are then investing in similar companies.

[1]
[https://en.wikipedia.org/wiki/Wes_Kussmaul](https://en.wikipedia.org/wiki/Wes_Kussmaul)

------
nickjj
I won't miss them. For many years their certificate registration process was
extremely confusing and tedious, but they conveniently charged a lot of money
to revoke a certificate (read: it was cheaper to buy a new certificate from
someone else like SSLMate for less money than it was to revoke a free
certificate with StartSSL).

I once contacted their support and was barraged with unprovoked
aggressiveness. Things like asking an innocent question with no snarkiness and
getting a response like "Next time you should read the page :)".

Nowadays I use Let's Encrypt and I'm really happy with it. I haven't even
thought about an SSL certificate in about a year and all of my sites have auto
renewing certificates for free.

If anyone is curious how to set all of that up and just wants to see how all of
the pieces of hosting a secure site come together (from hosting, domain
purchasing and automated SSL integration with Let's Encrypt) then you can
check out a course I put together that demonstrates everything at
[https://httpswithletsencrypt.com/](https://httpswithletsencrypt.com/).

------
creshal
StartCom will always have a special place in my heart – they're the only
company that I had to outright bribe to do business with.

On the other hand… I really won't miss 'em.

~~~
mariuolo
> StartCom will always have a special place in my heart – they're the only
> company that I had to outright bribe to do business with.

Can you elaborate on that?

~~~
creshal
Their ToS stated that only a single person could ever be allowed to touch
StartCom accounts, and if that person ever went on vacation, or quit, we'd
have to re-register, re-authenticate, and have support move over all
certificates one by one, because StartCom was unable to handle the idea that a
company might have an IT staff with a size >1.

So we said "fuck that" and shared the account. When we were caught, they would
have had the right to terminate our account and revoke all our certs. Instead,
they offered to look the other side as long as we paid the authentication fee
again.

------
lithiumfrost
The loss of this particular business isn't nearly the shame that the loss of
the business model is. Activities that required human effort and involvement
had a cost, like identity verification, while activities that had near zero
costs were free.

That was terrific, as you could verify your identity, get a code signing cert,
one for the website, and one for s/mime or digital document signing all for
$60. I like Let's Encrypt and have used it since, but it's nowhere near as
full featured of an offering.

~~~
jlgaddis
> _I like Let's Encrypt and have used it since, but it's nowhere near as full
> featured of an offering._

Yet.

I think they'll begin offering a non-free service in the next two years or so.
The free DV certs will remain but eventually they'll need actual income (as
opposed to donations and/or corporate sponsorships). EV certs may be one way
that happens, I don't know.

For the longest time, we heard they wouldn't be offering wildcard
certificates. Then, I just happened to be looking at their (recently updated)
CPS one day (I was working on building out an internal PKI at the time) and
saw mention of issuance of wildcard certificates. They announced those shortly
after.

Anyways, like I said, at some point they'll need actual income. I'm not sure
what they'll offer in order to do that, though. Maybe EV certs, maybe longer
issuance periods after more in-depth organizational verification, maybe some
subscription-based "manage all your certs easily" tool, who knows. But I
expect them to follow the same "automated == free", "manual intervention/work
== not free" business model.

~~~
merb
> Anyways, like I said, at some point they'll need actual income.

I'm pretty sure they get sponsored by lots of big vendors, e.g. Google has
Let's Encrypt support in gcloud. I'm pretty sure that big vendors need to pay to
query their API more often.

------
jchw
[https://www.startcomca.com/index/News/newDetail?date=2017111...](https://www.startcomca.com/index/News/newDetail?date=20171116)

Press release from their website.

~~~
ibotty
Interestingly it does send a different message than the mailing list post.
While not factually wrong, the press release sounds like the browsers are to
blame for the decision (which they definitely are not, see the mailing list
posting).

~~~
jlgaddis
Go back to right after all of this started and read some of their "public
communications" (statements aimed at their customers, etc.).

IMO, they tried to make it sound like they were the victim and the browser
vendors (especially Mozilla) were "picking on them". They were trying to shirk
responsibility and minimize/downplay their own actions and "fuck ups" that got
them in the position they found themselves in.

As an outsider reading along on m.d.s.p. as events unfolded, I got the
impression that they thought they were going to quickly and easily "fix"
everything just by saying "oops, sorry" and making a few changes. As they
discovered, it doesn't work like that.

Let this be a lesson to the other CAs.

------
bmn__
It went all to shambles when Eddy Nigg lost control.

~~~
oliwarner
Lost? He sold it. Half the issues here came from him selling the company in
secret.

But even before then StartSSL was a hinky CA. Three times I contacted support,
I got direct responses from Eddy. Each time he managed to make me feel like
I'd personally insulted him. Abrasive.

All that said, he was providing well trusted free certificates at a time
nobody else was.

------
moduspwnens14
I used them for a few years without issue. They were always quick to respond
to my e-mails.

Let's Encrypt and AWS cover my cert needs now.

------
rmdoss
Details on why it happened here:

[https://groups.google.com/forum/#!msg/mozilla.dev.security.p...](https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/mLMajxdtaL0/qMaMaDy6FQAJ)

Good read on what not to do.

------
hinkley
Since they are owned by a parent company (look at the sig of the email), are
they really shutting it down or are they going to reassign the employees to
another team with a different name?

------
ComputerGuru
No doubt victim to the success of LetsEncrypt and good riddance, too. Before
LE, StartCom was the only way to get a free and recognized SSL certificate,
only it was a pain to use (client certificates) and only worked with specific
browsers.

~~~
Ajedi32
I think this had less to do with Let's Encrypt, and more to do with the fact
that StartCom's root certificates were distrusted by nearly all major browser
vendors some time ago due to [their parent company's violations of the
Baseline Requirements](https://wiki.mozilla.org/CA:WoSign_Issues).

~~~
gatmne
They were a shady bunch long before WoSign acquired them. I say good riddance to
them and their practices.

