
Most StartSSL certs will stay compromised - aroch
https://bugzilla.mozilla.org/show_bug.cgi?id=994033
======
patio11
Pathological customers: when you give them free stuff, they will demand more
free stuff, and if you refuse them more free stuff, they will do their
darndest to destroy your business.

Meanwhile, look at all the nonsense that e.g. GoDaddy (who also charges for
revocations) is not getting right now. Because the folks with altered
understandings of reality got scared away by the $20 or whatever it costs on
year 1, and are plaguing StartSSL instead.

~~~
lucb1e
> Pathological customers: when you give them free stuff, they will demand more
> free stuff, and if you refuse them more free stuff, they will do their
> darndest to destroy your business.

I guess you caught me. On the other hand, at the time I started using
StartSSL, the cheapest non-free certificate provider I could find charged
something like €70 a year, which was more than it was worth to me. Just two
days ago I happened to look for cheap certificates again and found one for €9,
and I'd totally pay that as long as my real name can stay anonymous (like now
with StartSSL, my name isn't included in the certificate).

So it also has much to do with how much you charge. Free is a special price
and may make people ask for unreasonable things, but if the choice is between
nothing or more than it was worth, that choice is very easy. Then when shit
hits the fan...

------
larkinrichards
As a free SSL provider I think this is entirely valid for them to charge for
revocations. Plus, it's entirely possible that not all people using
certificates from StartSSL are using OpenSSL.

It's the cert owner's prerogative to ensure their certificate is properly
secured. There's no reason for debian/mozilla to remove StartSSL from their CA
lists. If you have StartSSL and you used OpenSSL 1.01f or another vulnerable
version, pay the $25 and move on-- it's cheaper than if you used godaddy.

~~~
steveklabnik
It is totally valid for you to be a jerk, and then it is totally valid for
other people to call you out on being a jerk.

Yes, maintaining a revocation list costs them time and money. But this is a
Big Deal. Extenuating circumstances. They have a social responsibility here,
and they're failing at it.

~~~
akerl_
They do not have a social responsibility.

It is totally valid for people to call them out for not going above and
beyond, but that doesn't mean Mozilla/Debian/etc should be popping them out of
CAs.

The mob is welcome to mob, but Mozilla and Debian shouldn't be making
decisions based on the whims of the mob.

~~~
steveklabnik
If you can't trust the certificates they produce, then they should be removed.
And there will be a lot of valid-but-dangerous certs in the wild from them.

~~~
polemic
You _can_ trust the certificates they produce. It's only users who were
running exploitable OpenSSL whose certs are at risk through no fault of
StartSSL. There will be many perfectly safe certificates from other customers
affected if the root trust is revoked.

~~~
steveklabnik
You can trust some of the certificates they produce, but you don't know which
one. A responsible person would trust none of them, because you can't know who
you can and cannot trust.

------
madsushi
If it was a StartSSL security leak, then I would expect them to give away
revocations for free. But if YOU, the customer, leaked your own private key by
running some bad software? That's simply not their fault, nor their problem.

~~~
oakwhiz
StartSSL is actually causing a problem, though.

With a regular CA, you pay upfront, and you can revoke and reissue with no
problems. If you trust a CA that does this, you can count on the fact that
anybody buying a cert from that CA has the ability to grab a brand new
certificate whenever they want until the expiration period.

But with a CA like StartSSL, they give out certificates without guaranteeing
that websites using those certificates have the ability to regenerate their
certificate. If a website gets compromised, since they haven't paid upfront,
you don't know if they will pay to reissue. They might just keep quiet and
pretend there was no security breach, instead of doing the proper thing and
renewing the certificate. If you know they paid upfront, you can be more sure
that they will take advantage of the free renew upon a security breach.

I find this issue to be vaguely similar to the difference between socialist
healthcare systems and privatized healthcare systems. If everyone is
guaranteed to have healthcare because it must be paid through their taxes,
then people are generally healthier since they are encouraged to go to the
doctor. But if you must pay a bill whenever you receive healthcare, people
might be encouraged to forego treatment or checkups that could catch deadly
diseases in an early phase before they become life-threatening. I don't really
think this is a good analogy though because the other pros and cons of both
healthcare systems don't map well to this problem.

~~~
ampersandy
StartSSL's denying free cert revocation does not make them untrustworthy from
a technical perspective. The onus remains on the site owner to implement their
site security properly and pay any fees necessary to do that. So the only
issue here is a moral one and whether you believe they have a responsibility
to revoke these certificates for free.

I think that given the extenuating circumstances, they probably _should_
revoke the certificates if requested, but I have no right to demand that they
do so.

------
notdonspaulding
Let me see if I have this straight:

    Alice's Lemonade Stand charges $0.25 for a cup of ice-cold lemonade,
    and has a recycling bin that her customers can use for free.

meanwhile, down the street:

    Bob's Lemonade Stand gives out free lemonade,
    and charges $0.25 to use their recycling bin.

The message here is basically "boycott Bob for his anti-recycling business
practices", right?

Seems like a distinction without a difference to me.

~~~
oakwhiz
Personally, I think it's more like this:

    Alice's Lemonade Stand charges $0.25 for a cup of lemonade,
    gives out free refills, and will give you a new cup each time.

    Bob's Lemonade Stand gives out free lemonade with free refills,
    and gives you one free paper cup to start with,
    but you must use the same cup each time.
    Bob charges $0.25 to replace a lost, damaged, or dirty cup.

So basically people who go to Bob's Lemonade Stand are incentivized to
continue drinking from the same cup even if it's dirty (its integrity is
compromised.)

Of course it's not a perfect analogy since certificates eventually expire, but
you get the idea.

~~~
akerl_
This is akin to saying Amazon Glacier should be boycotted for having a low
cost of entry and high cost on the other end.

Their business strategy isn't a secret. If there were a vulnerability found in
btrfs and a wave of people had their filesystems go belly up, I'd not expect
Amazon to change the price of restorations.

~~~
oakwhiz
The issue here is not about boycotting StartSSL because of their 'vulture-
like' business model, it is about whether StartSSL can be trusted by browsers
to actually secure connections. It can be argued that StartSSL is not actually
providing an acceptable level of security, since the ability to revoke and
regenerate a certificate is part of the service that a CA should provide. If
StartSSL isn't performing security audits, gives out free certificates like
candy, but charges for maintaining security, none of the free certificates are
actually known to have any level of security.

There are many websites using StartSSL certificates that could also be using a
compromised private key. Should there really be a lock icon in your browser if
your connection is not actually secure?

~~~
akerl_
StartSSL does provide revocation and regeneration of certificates. They charge
for this service, just like other CAs charge for generation of certificates.

I would much rather StartSSL provide free certificates, even knowing that not
everyone whose private key was compromised regenerated a certificate, than
have StartSSL pulled from trust stores and thus cause fewer future sites to
not have SSL because of the associated cost.

~~~
oakwhiz
This is more of a problem with the simplistic trust model that is typically
used with X.509 and TLS, rather than a problem with StartSSL. The type of
security that you are suggesting is similar to opportunistic encryption or
decentralized trust. Self-signed certificates are intended to fill this role,
however, it is too difficult for the average user to use self-signed
certificates securely, so browsers put up a scary warning to protect users
from themselves. If cryptographic concepts could be securely exposed to end-
users, then self-signed certificates could be used securely. In that case,
StartSSL wouldn't even need to exist. Unfortunately in the current trust model
that is being used, StartSSL has to exist to fill the niche for people who
just want SSL to work. But because of recent events, this creates a problem in
which the all-or-nothing security model essentially requires that StartSSL be
blacklisted because of their business model.

~~~
derefr
Keeping in mind that while plain self-signed certs just don't work at all
given user-behavior, self-signed certs _plus TACK_ have about the same
security level as SSH host keys. If-and-when most browsers have TACK, and most
sites use TACK headers, the CA infrastructure will become mostly (though not
entirely) irrelevant.

------
azov
As an end-user I couldn't care less about CAs, their business models, and the
way they handle revocations. All I care about is that if I see a lock icon in
my address bar I can be sure that the page I'm looking at comes from whom I
think it comes from.

This is what should be driving Mozilla's decisions, not the moral aspects of
charging for revocations.

~~~
Perceptes
Very well stated. You should consider submitting this to their mailing list
discussion on the topic.

------
shimon_e
If someone stole your certs you are basically screwed until they expire.
Currently most browsers don't check if certs are revoked.

~~~
sanderjd
This is a good point that seems to keep being ignored: do revocations even
matter? Are browser makers planning on changing their defaults with regard to
revocations? Is somebody planning a widespread consumer education campaign
regarding revocation? If not, this whole issue seems like a bunch of noise
that doesn't have much real impact.

~~~
riquito
For example at Mozilla there are discussions about it, I suspect it's
happening for other browsers too:

[https://lists.mozilla.org/listinfo/dev-security-policy](https://lists.mozilla.org/listinfo/dev-security-policy)

~~~
sanderjd
Any links to specific threads? I don't find anything when searching that list
for "revocation" or "revoke", though there seem to be lots of threads about
CAs in general, so maybe there's relevant discussion in some of those.

~~~
brohee
[https://groups.google.com/forum/#!searchin/mozilla.dev.secur...](https://groups.google.com/forum/#!searchin/mozilla.dev.security.policy/OCSP/mozilla.dev.security.policy/mwmg2X74vlI/fYEljQnJVN4J)
for example (3 years old).

The right keyword to search for is OCSP, because CRLs are completely
impractical in the browser.

But then we have the issue that OCSP is a pretty retarded protocol. OCSP
stapling helps with some issues, but there is still the issue that it doesn't
really check if a certificate is valid, but whether a certificate bearing the
given serial number is valid. Which didn't help AT ALL when using MD5
collisions people managed to create multiple certificates under the same
serial number.
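An added example, not part of the thread, that makes brohee's point concrete in Go: it hand-builds the RFC 6960 OCSP CertID (issuer name hash, issuer key hash, serial number) for two certificates issued by a constructed test CA that share a serial number but have different keys and subjects, and shows that the two CertIDs are byte-identical while the certificates are not. The test CA, the hostnames and the helper names (`ocspCertID`, `mustCert`, `Demo`) are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// certID mirrors RFC 6960 CertID, the only identity an OCSP request carries; nothing in it binds to the leaf's key.
type certID struct {
	HashAlgorithm  pkix.AlgorithmIdentifier
	IssuerNameHash []byte
	IssuerKeyHash  []byte
	SerialNumber   *big.Int
}

func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}
var newKey = func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// ocspCertID builds the DER CertID for leaf as issued by issuer (RFC 6960 section 4.1.1), with SHA-1 as real responders use.
func ocspCertID(issuer, leaf *x509.Certificate) []byte {
	var spki struct{ Algorithm pkix.AlgorithmIdentifier; PublicKey asn1.BitString }
	must(asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &spki))
	nameHash := sha1.Sum(issuer.RawSubject)          // over the issuer DN
	keyHash := sha1.Sum(spki.PublicKey.RightAlign()) // over the issuer's key bits
	sha1OID := asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26} // id-sha1
	return must(asn1.Marshal(certID{
		HashAlgorithm:  pkix.AlgorithmIdentifier{Algorithm: sha1OID, Parameters: asn1.NullRawValue},
		IssuerNameHash: nameHash[:], IssuerKeyHash: keyHash[:], SerialNumber: leaf.SerialNumber}))
}

// mustCert signs a certificate for pub under parent (nil parent = self-signed root); the caller picks the serial.
func mustCert(parent *x509.Certificate, signer *ecdsa.PrivateKey, pub *ecdsa.PublicKey, serial int64, cn string) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// Demo issues two leaves from a constructed test CA sharing serial 4242 but with different keys and names.
func Demo() (sameCertID, sameCert bool) {
	caKey := newKey()
	ca := mustCert(nil, caKey, &caKey.PublicKey, 1, "Constructed Test CA")
	a := mustCert(ca, caKey, &newKey().PublicKey, 4242, "site-a.example")
	b := mustCert(ca, caKey, &newKey().PublicKey, 4242, "site-b.example")
	return bytes.Equal(ocspCertID(ca, a), ocspCertID(ca, b)), bytes.Equal(a.Raw, b.Raw)
}

func main() {
	fmt.Println(Demo()) // prints "true false": one OCSP identity, two different certificates
}
```

Because the responder keys its answer on the CertID alone, a "good" status for one of these certificates is indistinguishable from a "good" status for the other, which is why revoking the serial is the only lever an OCSP responder has.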

------
mapgrep
Are there any cert providers who have particularly solid reputations?

I get basic certs via my domain provider Gandi, they run ~$17 year (12 euros),
or $160 for wildcard which seems steep.

~~~
dm2
Comodo PositiveSSL for $9 / year and $99 for wildcard.

Multi-domain (100 domains or subdomains) for $30.

[https://www.namecheap.com/security/ssl-certificates/comodo.a...](https://www.namecheap.com/security/ssl-certificates/comodo.aspx)

~~~
PaulBurke
Comodo Positive SSL for $9/year offered by Namecheap is really very cheap, but
there is one more SSL certificate vendor, "CheapSSLSecurity", that offers
Comodo Positive SSL at only $5.99/year, and if you are purchasing it for 5
years then the price is the cheapest at $4.80.

For a Wildcard SSL Certificate I've found that "CheapSSLSecurity" offers it at
$72.95/year and $58.36 for 5 years.

I bet no one can beat CheapSSLSecurity's price.

------
2close4comfort
Now this seems like something that StartSSL would want to be in front of
rather than risk everything by having compromised certs out there with their
name on them. I would think that kind of behavior would put their CA status at
risk...

~~~
revelation
Their CA status is not at risk, was never at risk and will not be at risk in
the future. Mozilla has made their stance clear that once you are in, you will
never be removed (unless you were compromised, at which point they'll happily
add your new CA).

I'll certainly not claim that we can magically make TLS work by starting to
enforce the requirements we put on CAs. But we should call Mozilla out for
their _strongly worded letters_ and other nonsense to get some momentum for
better solutions. The first step is admitting you have a problem.

~~~
klapinat0r
Incorrect. DigiNotar[1] was permanently removed.

Quoting Mozilla[2]: _"This is not a temporary suspension, it is a complete
removal from our trusted root program."_

[1]:
[https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudule...](https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates)

[2]: [https://blog.mozilla.org/security/2011/09/02/diginotar-remov...](https://blog.mozilla.org/security/2011/09/02/diginotar-removal-follow-up/)

~~~
revelation
They were removed for being compromised and went bankrupt before trying again.
I don't see how that invalidates what I said.

Meanwhile, CAs that have issued CA=yes certs remain, but you know, Mozilla
wrote them a letter reminding them on security best practices.

~~~
klapinat0r
True that they went bankrupt, but they filed on Sep 20th 2011, and the Mozilla
decision to _permanently_ remove them was a week prior or at least on Sep 2nd
2011; thus _"unless you were compromised, at which point they'll happily add
your new CA"_ is not correct.

EDIT: To clarify, this is the phrase that we seem to be arguing about:
_Complete revocation of trust is a decision we treat with careful
consideration, and employ as a last resort._ (from the Mozilla Security Blog
link above).

They were effectively out in the cold, not "in once you're in" after the
incident.

------
joeyh
StartSSL revoked one of my certs on request the night Heartbleed came out. I
mentioned heartbleed in the form.

However, that was a $24.90 gamble. They could just as easily have billed me.
Especially if you have a lot of different certs, that gamble may not be worth
it.

Also, I'm a paying customer, having gone through their process to get a
wildcard cert. A free customer may have different results.

And then, browsers don't check SSL cert revocations, and the infrastructure to
check revocations is apparently broken too. So this is a gamble with not much
of a payoff.

------
mike-cardwell
They should have taken this as a marketing opportunity and offered up free
revocations for a week.

~~~
akerl_
I think that would have been a successful PR move, but deciding if they'd
rather have the money or the goodwill is their choice to make. They told people
upfront what the costs were; I don't fault them for following through with
that.

------
digitalabyss
Red Hat Enterprise Linux Server release 5.6 is still supported and ships with
OpenSSL 0.9.8e, which is not vulnerable. I am sure there are other examples as
well. If I had a StartSSL certificate and the browsers started to remove
support for them, or warn that my site has a StartSSL certificate signed before
a certain date and can't be trusted, I would be really pissed.

I have always felt there was a conflict between system administrators wanting
proven and stable versus developers wanting bleeding edge. I have given up the
fight when it comes to web development and use Ubuntu 12.04 LTS, which still is
not bleeding edge enough for most of my devs. For infrastructure components
outside of web development, though, I don't think it's a safe assumption that
people are on a vulnerable version.

This is a prime example of why I would never give anything away free.
Unrelated to SSL certificates: I'd rather throw out my old equipment than give
it away, since the people I give it to will never be happy, don't understand
it's free for a reason, and demand support. The fact that you can't afford
something better does not give you rights to it.

------
gbl08ma
I'm worried that StartSSL free certs will stop being trusted. I run a service
(tny.im) where HTTPS is not essential, but I like to provide it, to secure
logins if not for anything else. However, I make little to no money from that
website, and so I'd rather not invest much money in it. At the price SSL certs
go for, if StartSSL became untrusted, I'd have no choice but to remove SSL
support, or issue my own certificate, which is as bad as not having HTTPS.

StartSSL plays an important role in ensuring that all websites, no matter how
small, can provide https access. I recommend it to people that are just
launching a service; their reaction often is like "SSL? You know how much that
costs? I can barely pay for the server!" but they happily go through the
trouble of installing a StartSSL cert when they understand that it will only
cost them the effort. Without StartSSL these people would never implement
https, if for some reason they didn't want to spend money with their project
as is often the case with things done in their spare time.

Personally this is even more disgusting, because I know for sure that my
certificate has not been compromised: two days ago my service was hosted on a
server with OpenSSL 0.9.8, and today I was forced to migrate to a new server
due to issues unrelated to Heartbleed, and the certificate was not installed
before updating OpenSSL to a patched version. And as some users have said,
other people may be using StartSSL free certs on systems that don't even use
OpenSSL.

There's also something we should not forget: free StartSSL certificates are
only valid for one year. That means that any cert will only be compromised
for, at most, a year. My cert will expire in June, and then I'll be able to
issue a new one, which (even if I wasn't sure the current one isn't)
definitely isn't compromised.

~~~
driverdan
You can't afford $20 a year for a cert? Drink a few less coffees during the
year.

~~~
gbl08ma
Things add up, you know... $20 for a cert, plus $10 for a domain, and not even
taking into account the server, it's $30. Now imagine you have five or six
side-projects, you may not be willing to spend $150 per year to maintain them,
especially when you get little to nothing in return.

It's not like every website must have a profitable business plan just to be
online and secure...

~~~
korzun
That's still $2.50/per month and even less after a write off.

Multiply that by 6 projects and it will be $15 bucks per month.

~~~
drdaeman
And in case one's living in a third-world country where their income is, say,
$600/mo, I think $15/mo is a bit pricey.

------
felix
Is there any actual data anywhere (ANYWHERE) that suggests this is the case?
Or statistically more the case than any other CA with a more traditional
payment model?

Or is this hand wringing about the stupid people who got the free certificate
from the stupid company that likes to give away free certificates but under
normal circumstances they might actually charge people for some other part of
the service that almost no one ever uses?

------
ridruejo
What are good alternatives to StartSSL? Either free or moderately priced

~~~
sliverstorm
I've been using PositiveSSL. I am paying less than $10 a year for a basic
cert, revocation is free.

I don't know anyone else who uses it, but there's nothing not to like so far,
unless you are the sort who expects to pay nothing at all for your certs.

~~~
PaulBurke
Today I was searching for PositiveSSL Certificate for my website.

I Googled and found many online stores offering PositiveSSL Certificates, but
there were major differences in price. I found some stores offering
PositiveSSL at $49/year, $19.95/year, $12/year, $9/year & $5.99/year.

I wanted that PositiveSSL certificate for 5 years, so I bought it from
CheapSSLSecurity at only $4.80/year. I loved their service. The certificate
was issued in a minute and it's now live on my website.

Thanks and Regards Paul Burke

------
dm2
How long would it take their staff to revoke a single certificate?

$25 seems expensive for something that can't take more than 5 minutes per
certificate, unless there is more to it than I'm aware of.

I guess it doesn't really matter to them if they lose several free customers.
[https://twitter.com/startssl/status/453631038883758080](https://twitter.com/startssl/status/453631038883758080)

They're probably making a ton of money from this, in the long run I'm not sure
it'll be worth it though.

~~~
cpach
5 minutes of their employees' time probably costs more than that. And of course
it would be silly for a business like this to charge for cost instead of
value.

~~~
dm2
Automate it and charge $1.

------
res0nat0r
Shouldn't this post be titled: Most StartSSL certs will stay compromised
because their customers are too cheap to pay to fix them?

~~~
drdaeman
Right, but...

I have about 30 certificates from StartSSL. Four second-level domains, and
best security practices recommended having a separate key per service, so the
web server has its own keys, and so do the email server, XMPP and so on. The
idea was that if one's compromised, the others would hopefully remain safe.

Call me names, but I'm not going to shell out $750.

