
StartSSL, please revoke me – My private key has been compromised - tonylampada
https://revokame.tonylampada.com.br/
======
Nanzikambe
To better understand the stupidity in leaving the power with the CI for
SSL/TLS :

    
    
      $ gpg --gen-revoke $(whoami)@$(hostname -f)
       
      gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
    
      How would you like to pay us?
      
          (1) Mastercard
          (2) VISA
          (3) Other
    
       Your selection?
    

Also, a dark cynical part of me wants to ask exactly what the business model
behind "free" SSL certs is? You're not paying them, someone else is?

~~~
jamescun
Only their entry level certificate is free, they have higher priced options
for the likes of wildcard and EV certificates. Once your root certificate has
a good level of acceptance, the true cost of certificates is the validation
process; actual certificate generation is negligible, hence certificates with
little-to-no validation can be offered at little-to-no charge.

~~~
Nanzikambe
Fair play, now I know. The hand waving wild-eyed long-haired conspiracy
theorist in me has been silenced .. for now :)

~~~
jerf
If you're interested in security or programming anywhere in the area of TLS,
it's worth your time to set up your own CA, issue yourself certificates,
figure out how to convince your local browser to accept them, etc.

Had I done that myself properly earlier, I'd have some less heartache in my
future.

------
techsupporter
Classic Big Lebowski moment: You're not wrong, you're just an asshole. Their
stance is entirely correct. The customer used a file that StartCom provided in
software that turns out to have had a security flaw. That's neither StartCom's
problem nor liability. They didn't say "use this certificate with anything
other than OpenSSL; you'll be sorry if you use OpenSSL," nor could they have
foreseen it.

On the other hand, showing a cold unwillingness to help when doing so is by
far the above-and-beyond response doesn't engender good customer loyalty. It's
also how StartCom operates. This is the same cert authority that insisted that
I send them a full, unredacted copy of a mobile telephone bill with every
"family plan" member's full call, SMS, and data history in order to call me.
Otherwise, they could only "verify" me by sending a snail mail letter from
Israel to South America (where I lived at the time). Independently-linked,
outside verification databases operated by local government entities weren't
sufficient.

At least they're consistent with their "rules are rules" processes.

~~~
taspeotis

        Their stance is entirely correct
    

Well it sounds like their stance is wrong if they've agreed to the Mozilla CA
Certificate Maintenance Policy:

    
    
        CAs must revoke Certificates that they have issued
        upon the occurrence of any of the following events:
        
        ...
        
          the CA obtains reasonable evidence that the
          subscriber’s private key (corresponding to the
          public key in the certificate) has been compromised

~~~
andreasvc
It doesn't say it needs to be _free_. It's perfectly reasonable to charge a
nominal handling fee, as other CAs do for their services. What's special is
that StartSSL offers their basic certificates for free, but this shouldn't
make people feel entitled. Especially when someone exposes their private key
_on purpose_ they don't deserve special treatment in my book.

~~~
daveasdf
> CAs must revoke [...]

I understand the word "must" to mean that they cannot add additional strings,
such as payment, to their obligation to revoke the certificate. Is there
another way of interpreting it that I am missing? I guess you could interpret
it as "must provide a mechanism", but I can't see that that was the intent of
the original document.

Mozilla's use of the word "must" here I think is important, because the
barriers to correctly dealing with a security breach should be minimized. For
better or worse, root CA's are entrusted with maintaining the security of
large chunks of the internet. Charging users who suspect that their
certificates _may_ have been compromised (due to the Heartbleed bug, in this
case) will cause users to err on the side of inaction, which is going to
weaken internet security in the long run.

~~~
tonylampada
I wouldn't have put it better myself. I just added a new update on the
website.

Saturday, April 12, 09:50 (GMT-3)

OK, so here's my reply to Nikolai:

"Let me address this question.

> Anything about free revocations there?

It doesn't, but that's not relevant. It's pretty damn clear: You see the
evidence, _that alone_ should be enough for you to take action.

If you take Mozilla's policy by the letter, one doesn't even have to own a
certificate to be able to request its revocation. All that should be needed is
the evidence of compromise.

If I disclosed the private keys for a certificat I don't own, would you just
ignore that information? Or would you come after the certificate owner
demanding payment first?

You're a CA, A CA!!! You should be worried about the security of the internet
above all things.

You should also be worried that you have a bunch of green padlocks around that
don't mean what they once did. You're not worried about that. So in my opinion
you don't deserve the trust of the internet anymore.

Cheers Tony"

------
pritambaral
Why is the power of revocations in cert issuer's hands? As long as the private
key is private, I don't see how a malicious entity could add your private key
to the revocation list.

In fact, a place in the revocation list should be reserved every time a cert
is issued, possibly with a mechanism to trigger it with the private key. For
example, if I send a message encrypted/signed with my private key to the
revocation authority, they can decrypt/verify it with my public key, which
they received when the CA issued my cert.

~~~
andreasvc
> Why is the power of revocations in cert issuer's hands? As long as the
> private key is private

Because a major reason for revocation is when the private key has been
compromised.

~~~
riquito
>> Why is the power of revocations in cert issuer's hands? As long as the
private key is private

>Because a major reason for revocation is when the private key has been
compromised.

His point is that whoever compromised the key is not interested to put it in
the revocation list. If he does it... well, he did the good thing.

~~~
andreasvc
I see. Using the private key to revoke the certificate would be a denial of
service attack, so requiring the CA for revocation avoids that, but admittedly
it's not the first thing to worry about when a private key is compromised.

------
nly
Mozilla should just spin-off their own CA, pricing the service fairly as a
non-profit. It's not like they aren't the gatekeepers anyway.

Users don't trust Verisign or StartSSL, they trust whoever Mozilla, Microsoft
or Google trust. Stop accepting new CAs in to the browser whitelist, start a
CA for the public good with a true open source, full disclosure mentality. Why
not?

~~~
mnx
That seems kind of like putting all your eggs in one basket. I think the
separation of powers is good, even if what it has produced right now is a bad
situation.

~~~
nly
Mozilla, Microsoft and Google are carrying the baskets. What you have now is N
ways of getting compromised, because even the CAs you don't trust can issue
certificates for your domains. To be honest, I'm being a bit tongue-in-cheek.
I _don 't_ think Mozilla should really do this. I just think people should
question this naive belief that the CA industry is out there to help the
little guy paying ~$20 for a certificate for their blog or forum.

------
lstamour
I've used these guys in the past and quite like them, but yeah, this is poor
PR and I hope they get pulled for not paying attention to, you know, the
overall security of the trust product they're selling. I don't want lock-in on
my SSL cert but it's effectively a contract if I have to pay a fee to break it
and the SSL padlock on my domain is held hostage if I don't. Maybe someone
should open a bug report on Bugzilla...

~~~
saurik
So, to verify, would you rather pay a (smaller) fee upfront for every
registration (effectively, insurance against revocation), rather than pay a
(larger) fee if and only if you ever need to revoke? (Or, are you saying that
StartSSL is somehow evil, because they refuse to do everything you ever wished
they could do for you with no compensation of any kind?) (Is the issue simply
that they won't revoke without a fee, even if you don't have your key
reissued? I thought that it was just a charge for reissue, but if they won't
let you even revoke the key _without_ reissue, then I agree that sucks; but
that doesn't seem to be what you are complaining about.)

~~~
A_COMPUTER
I think Startcom are morally in the right about the payment issue and to have
whatever business model they want. But at the same time that's a separate
issue from their responsibilities as a CA and if that's compatible with their
business model. I got burned by Heartbleed and I was proactive about getting
my certs revoked because it never occurred to me that I should beg for a free
revoke because it wasn't my fault or something. But now I see that Startcom is
in a tought position because they should be revoking the guy's cert and just
billing him, but his backlash is not atypical and free cert offers probably
select for the type of person who will avoid paying for things at all costs.

------
quasque
The author is running a business on the domains he's talking about (a
crowdfunding site that takes a 3% fee [1]) so he should just regard it as an
unplanned business expense and pay up if he feels it's so important for his
certs to be revoked.

Not that revocation will have much practical effect on the unlikely event of
his keys having been compromised, and an attacker considering his website
important enough to MITM - and having the means to do so to a sufficiently
large audience to make it worthwhile. Seems like a lot of fuss over nothing
much, in this case.

EDIT: Also just to note that the private key he has shown on this website was
compromised solely by him putting it there, and not extracted via Heartbleed.
Indeed, the certificate was created a few days after the vulnerability was
reported and fixed. Makes this strange cry for attention even more absurd.

[1]
[https://freedomsponsors.org/faq#How%20do%20payments%20work](https://freedomsponsors.org/faq#How%20do%20payments%20work)?

------
tonylampada
So now it's official. They got the evidence that the certificate is
compromised yet they refuse to take action. If that's not violation of CA
policy I don't know what is.

~~~
achille
How dare they give you a free service, and then decide to charge for a
revocation which they had said they would charge for (and is meaningless
because by default all browsers ignore revocations).

Unfortunately for various historical fuckups, we consider self signed
certificates to be more dangerous than cleartext unsecured http. Lots of scary
warnings pop up. That is absurd. Starcom is helping fix this by issuing free
certificates.

The Mozilla CA policy does not include a provision for obvious trolling and
posturing. If Starcom were to be forced to revoke your certificate for free,
why would anyone else (on any CA) ever pay for revocation?

~~~
mixedbit
> The Mozilla CA policy does not include a provision for obvious trolling and
> posturing.

This isn't really trolling, after Heartbleed we should consider all SSL certs
used by OpenSSL based servers as compromised. This sites just tries to make
the point more obvious by putting such compromised cert in public view.

~~~
vilda
Have you realized that not only OpenSSL, but any exploitable bug in any
software that runs on servers (PHP, Apache, nginx, Linux, etc) should
theoretically invalidate any certificate that is stored on those servers?

~~~
mixedbit
Any exploitable bug that allows to access private keys should invalidate
certificates. There are many security vulnerabilities that don't give access
to private keys.

~~~
Pacabel
Even if there's no publically-known way of using a particular security
vulnerability to get access to private keys, how are we to be sure that
somebody (perhaps malicious) didn't find a way and are just keeping it a
secret?

~~~
mixedbit
If you understand a vulnerability, you can often tell for sure if it can lead
to exposure of private keys. For example if a PHP app runs in a separate
process with separate user credentials than nginx SSL endpoint, and if file
access control flags for certificates are configured correctly, you can tell
for sure that php bug alone won't allow for certificates access. This of
course assumes that other components work correctly (like Linux access control
mechanism), but without such assumptions you wouldn't be able to do anything
productive.

------
TheHippo
I never understood why people use StartSSL. Their service is horrible. The
interface is far beyond ugly. You could get a SSL certificate in a nice and
easy way for 4,99$ at [http://www.ssls.com/](http://www.ssls.com/). (They
reselling from different CAs. They cheapest one is currently PositiveSSL)

~~~
rythie
With StartSSL I've get multiple-domain wildcard (8 domains) cert for $59/year
(or 2-3 years if you don't need to change it).

This is pretty hard to find in general, and the ssls.com interface does not
make it any easier.

For example the same 8 domain wildcard Positive SSL Multi-Domain: £360

I could revoke my cert a dozen times a year and it would still be cheaper than
anything else I've found - happy to be informed of viable competitors at a
similar price though (not necessarily lower)

As someone with several side projects (like most of us - I assume) this type
of certificate is essential if we are to use SSL at all.

------
jrockway
Personally, I'd just send a patch to my favorite browser removing their
certificate from the trust chain, and then send StartSSL an email with a link
to that. Although I doubt anyone will merge your change, it sends a cynical
message about how their entire business lives and dies at the whims of people
with commit access to the list of trusted CAs.

------
bananas
Money trumps security always.

PKI as it stands is fucked up.

------
joesb
> Starcom's position is very firm and clear (and horrible, and against the
> security of the internet). [...] I won't be using their service again.

Funny the author didn't see it that way when he started using their service.

------
wut42
Let's admit StartSSL will revoke you. Then what ? Chrome will still don't
check revoked certs. Mac OS X neither (and Safari). Only Firefox will...

~~~
claudius
That is a critical security flaw in Chrome (and your toy OS there with the
fancy graphics).

Arguing that someone else made a mistake which renders your mistake
unimportant under some circumstances is neither excuse nor justification, in
particular not for continuing to make that mistake.

~~~
mitchty
toy OS? Honestly, grow up. The default in OSX is best effort. Its easy enough
to change to require looking at revocations or fail the connection.

Anyone that cares about security is going to be looking at what their software
does and ensure its configured securely. Not posting on hacker news about a
"toy OS there with the fancy graphics" like a ninny.

------
lazylizard
perhaps startssl is thinking about ending their free cert "business", much
like how dyn has stopped free dyndns..

~~~
andreasvc
There's no reason to think that. This has been their policy all along.

