
StartCom operated solely in China: an analysis of the new StartCom website - arthur2e5
http://www.percya.com/2016/09/startcom-operated-solely-in-china.html
======
eeZi
The secrecy surrounding this is highly disappointing and means I can no longer
trust them at all. If it had been properly announced I would think differently
about it, it being a Chinese company doesn't make me automatically trust them
less. Now, WoSign got some bad press recently, but that's a different matter.
But this? It feels like they have something to hide.

After trying to log in to their portal using my old client certificate, I
realized that they have supplemented this mechanism by a simple pass code that
is sent per mail. This effectively negates all of the security benefits the
old approach had and means that my account has no two factor authentication
and anyone who can intercept the mail or access my account can log in. It's
literally one factor since there's no account password; the code that is sent
per mail is sufficient. I hope they reconsider this.

I was a happy StartCom customer in the past and I hope that the new owners
safeguard my personal data/passport scan that I uploaded during validation
just as well as the old owners did. The interactions with Eddy Nigg that I had
were really friendly (long time customer, when the company was young he'd do
the validation phone calls himself and respond to customer tickets), and
StartCom was really important before Let's Encrypt existed and they did a good
job at it.

StartCom has/had a policy of keeping your personal data for seven years after
validation, so yeah. Makes you wonder what happens to customer data when
companies get sold. Even if you trust them today, you don't know what will
happen in the future.

------
lwhalen
Yeaahhh, I was a big fan of StartCom until this move. I'll be migrating to
LetsEncrypt as soon as my current certs expire.

~~~
nsfmc
why wait? i made the switch from startcom to letsencrypt in a few hours
spending most of the time updating my ssl configuration (using
[https://cipherli.st/](https://cipherli.st/) at the time). `./certbot renew`
is easy to throw into a cron job, too, at least much easier than the classic
startcom certificate generation/signing/etc process.
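
The cron-driven renewal mentioned above, as an added example that is not from the thread or from certbot itself: a wrapper that runs `certbot renew`, then verifies that the live certificate really has more than 14 days left and logs a warning otherwise, so a silently failing renewal is noticed before the site goes down. It assumes certbot and openssl are installed, nginx is the server to reload, and the live chain path passed in `RENEW_CERT` (all assumptions, not from the page).

```shell
#!/bin/sh
# Renewal wrapper for cron. Assumed crontab entry (example, not from the thread):
#   0 3 * * * RENEW_CERT=/etc/letsencrypt/live/example.com/fullchain.pem /usr/local/sbin/renew-check.sh

# needs_renew CERT_PEM DAYS
# Exits 0 when the certificate expires within DAYS (or cannot be read),
# 1 when it stays valid for longer than that window.
# Relies on `openssl x509 -checkend SECONDS`, which exits 0 only if the
# certificate is still valid SECONDS from now.
needs_renew() {
    cert="$1"
    days="$2"
    seconds=$(( days * 86400 ))
    if openssl x509 -checkend "$seconds" -noout -in "$cert" >/dev/null 2>&1; then
        return 1   # still valid beyond the window
    fi
    return 0       # expires inside the window, or unreadable: treat as needing action
}

# renew_and_verify LIVE_CERT_PEM
# Runs certbot (which itself only renews certs close to expiry), reloads nginx
# via the deploy hook, then checks the result instead of trusting the exit code alone.
renew_and_verify() {
    live_cert="$1"
    certbot renew --quiet --deploy-hook "systemctl reload nginx" || return 2
    if needs_renew "$live_cert" 14; then
        logger -t renew-check "WARNING: $live_cert still expires within 14 days after certbot renew"
        return 1
    fi
    return 0
}

# Only act when invoked from cron with RENEW_CERT set; sourcing the file
# elsewhere just defines the functions.
if [ -n "${RENEW_CERT:-}" ]; then
    renew_and_verify "$RENEW_CERT"
    exit $?
fi
```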

~~~
nsfmc
ha, sorry, i swear i started composing this before 0x0's comment :(

