
Why I stopped using StartSSL (Hint: it involves a Chinese company) - kindachris
https://pierrekim.github.io/blog/2016-02-16-why-i-stopped-using-startssl-because-of-qihoo-360.html
======
hannob
The author doesn't explain at all why he thinks that not using StartSSL solves
any problem. This indicates a major and common misunderstanding of how
certificates and PKI work.

Essentially it doesn't matter which Certificate Authority you use for security
reasons - because any CA can attack you, whether you're their customer or not.
This can only be mitigated by using key pinning (hpkp), but then - at least if
you pin leaf certificates - it still doesn't matter which CA you choose.

Every text that indicates "I don't trust CA X for reason Y, therefore I don't
use them" is based on a misunderstanding of how certificates work.

(And yes - I know that there is the issue that you can let StartSSL create the
private key for you. Just don't do this ever, no matter which CA you use.)

~~~
maggit
Can you pin leaf certificates?

Quoting
[https://developer.mozilla.org/en/docs/Web/Security/Public_Ke...](https://developer.mozilla.org/en/docs/Web/Security/Public_Key_Pinning):

> Firefox (and Chrome) disable Pin Validation for Pinned Hosts whose validated
> certificate chain terminates at a user-defined trust anchor (rather than a
> built-in trust anchor).

I understand this as "when using HPKP, you have to pin a CA certificate, not
your site's leaf certificate". If this understanding is correct, I think your
comment about HPKP is wrong and it is in fact a good idea to use a CA you find
trustworthy and pin its certificate. Agree?

~~~
lmm
No, that phrasing is saying that custom CA certificates override pinning (e.g.
for corporate MITM proxies).

------
mfjordvald
Why anything to do with Qihoo is worrying:
[https://en.greatfire.org/blog/2014/oct/china-collecting-
appl...](https://en.greatfire.org/blog/2014/oct/china-collecting-apple-icloud-
data-attack-coincides-launch-new-iphone)

It's proven in the past that they're not a security company for anything that
deals with protecting yourself against snooping by the Chinese state and will
negatively affect your security.

Seeing this in relation to free SSL intended to be deployed all over the
internet. Yeah, that is worrying.

~~~
StavrosK
Looks like we can't win, since most companies are being snooped by someone.
There's hardly a service I use that's not within the NSA's reach, for example,
and China is probably less dangerous to me than the US.

------
steve371
Chinese company is not a red flag. but Qihoo is. The company has known bad
reputation.

a. they labeled their own browser as a Microsoft security update, which
triggered MS investigation

b. they cheated on the anti-virus lab testing and got banned. ....etc.

~~~
jaysoncena
I've worked with a company that at least 30% of our user base uses Qihoo
brower. They blocked few of our domains and now, someone from Qihoo asked us
to pay so that they will unblock our domains.

~~~
favadi
What's is their reason to block yours domains? They can't do that for no
reason, right?

~~~
jaysoncena
They do have a reason :) But paying them to remove our domains in the
blacklist is a different issue.

~~~
ca98am79
congrats on making item 11111111

------
Laforet
Qihoo offers CDN and managed DNS services[1]. The choice is odd on StartSSL's
part but may not be necessarily insidious.

What more, not using their services does not enhance or harm your security in
many meaningful way as long as they remain a trusted CA who can sign any
domain they want to. If nation-state espionage is really a concern for you,
take a few minutes of your time and purge the list of trust anchors installed
on your OS[2].

[1]:[https://cdn.cloud.360.cn/](https://cdn.cloud.360.cn/)

[2]:[https://github.com/chengr28/RevokeChinaCerts](https://github.com/chengr28/RevokeChinaCerts)

------
bjacobel
There's really not much reason to use StartSSL now that Let's Encrypt, AWS
Certificate Manager and others offer free certs with vastly better support,
tooling and interfaces.

~~~
ascorbic
StartSSL has some of the worst support I've ever encountered. Normally bad
support means clueless or non-responsive. However StartSSL support is often
actively hostile, treating customers as idiots or worse. I should point out
that this isn't always the case, and I have used them in the past without
trouble, but the times when it is bad are bad enough to write them off. Their
site also looks like it was made in 1998, and while using client certificates
is secure and everything, it's also seriously user-hostile. I have to remember
which computer and browser I used a year ago to sign up? Yeah, I know I should
back up client certificates, but seriously who does that?

~~~
josteink
> while using client certificates is secure and everything, it's also
> seriously user-hostile. I have to remember which computer and browser I used
> a year ago to sign up? Yeah, I know I should back up client certificates,
> but seriously who does that?

So you want a secure website, and you agree that SSL is needed for things to
be secure.

But you're not willing to put in one inch of effort yourself to secure your
own SSL keys. You can't even bother to back up the master key to your own
certs, because it's too much work?

Cognitive dissonance much?

If you care about security, then do it properly. If you're going to do it
half-assed, just don't bother at all. All you're doing then is contributing to
security-theater, which is all the work and no real benefits.

~~~
ascorbic
So every other CA in the world is doing it half-assed? I'm not aware of any
others that require client certs to access the site.

~~~
ascorbic
I should add that of course I back up private keys, but in 20 years of using
the web, I've not encountered a single other site that uses client
certificates for authentication. I know it's more common in enterprise
situations. I'm supposed to have a workflow to backup my browser client
certificates just for one site? It's not their fault that browsers mostly have
poor UI for handling client certs, but it is their fault for requiring them.
Let's not even get started on what happens when you get chain problems, or if
the client cert expires, or any of the myriad other ways it can go wrong. Just
use 2FA like every other secure site, and I'll store a secure password in
LastPass.

~~~
josteink
> I should add that of course I back up private keys, but in 20 years of using
> the web, I've not encountered a single other site that uses client
> certificates for authentication.

I don't know what you have been doing the last 20 years on the web (and I'll
assume it's more than just surfing facebook), but it's not entirely uncommon,
and I've encountered it several places.

Symantec's CA uses it. My online bank used to do so too. I've seen VPNs using
it. Iirc some IPv6 tunnel-providers also require you to authenticate using
certificates before letting you set up new IPv6 subnets.

It may not be mainstream, but it's part of the standard. And it's _much_ more
secure than a regular username/password, for the same reason SSH keys are more
secure than allowing username/password logins.

~~~
ascorbic
The fact I'm on Hacker News should probably give you an idea. I know it's
relatively common on corporate intranets, but I don't use those. I can assure
you that I've used lots of CAs, banking sites, VPN providers, registrars,
hosting providers (and plenty of others) and made no specific effort to avoid
them, and StartSSL is (almost) the only one I've found. I've remembered that
the UK Government Gateway used to use them about 10 years ago, but they were
optional. My point was that you referred to all other security as "half-assed"
(and implied I was too), which would make almost all other sites half-assed.
Now there are a lot of sites with half-assed security, but I'm not sure you
could call all of these half-assed:
[https://twofactorauth.org/](https://twofactorauth.org/)
[http://www.dongleauth.info/](http://www.dongleauth.info/)

~~~
josteink
> My point was that you referred to all other security as "half-assed" (and
> implied I was too), which would make almost all other sites half-assed.

To be clear about that: My point about half-assed was your seeming
unwillingness to back up client-certificates which gives full access to your
real certificates and (in some cases) private certificate keys.

Unless on Windows (where StartSSL has its private keys marked non-exportable
in the certificate store, sic), doing such a backup takes almost no effort.
There's no excuse for going all the way through to get a cert and _then_ not
bothering backing up these client-certs too.

~~~
ascorbic
Even if it's easy (and it may be now - I haven't done it for a while), it's
still a whole extra backup workflow, which I have to work out how to do for
all different browsers, and if I'm on another machine work out how to import,
and work out if it's possible on mobile, and oh look, my personal certificate
has expired so I can't login to renew it so I need to create a new account to
get a new certificate and email them to get the accounts merged...all for one
site. Or

    
    
      ./letsencrypt-auto renew

~~~
josteink
Good for you, I guess. I've yet to have letsencrypt work a single one of my
websites and I'll stick to StartSSL until it there's something better around.

------
larrymcp
The author doesn't say why this is worrisome. He just says he's worried "that
the PKI front-end (auth.startssl.com) is now hosted within a Chinese Antivirus
Company, who uses a Chinese ISP for 2 months and that there hasn't been any
news around".

The article could certainly use a bit more connecting-the-dots to show how he
gets from "they're hosted in China" to "I won't use them anymore".

~~~
taneq
I think the implication is that the Chinese government exerts a lot of control
over the internet there, and are openly monitoring/intercepting internet
traffic. As such, they shouldn't be considered a trusted authority for
security related purposes.

~~~
Laforet
Your concern is well placed but the linked post really missed the point.
Signing authorities in X509 don't have access to private keys and they don't
really need domain owner's input to sign a MITM cert.

Most software that uses TLS nowadays ships with a number of CA root certs
sponsored by various nation states including China. On desktop they can be
disabled but iOS drvices are out of luck (or perpetually compromised in a
sense)

[http://slashdot.org/story/266739](http://slashdot.org/story/266739)

~~~
subway
By default, StartSSL's wizard generates private keys for you. (Providing your
own key is of course an option).

~~~
0x0
For the higher account levels, they also require uploaded scans/photos of
sensitive ID documents like passports / drivers' licenses.

~~~
pluma
There are people who use StartSSL for paid certificates? I though the free
certs were the only reason people put up with their craptacular website.

~~~
0x0
It used to be a pretty sweet deal, for $60 you could get unlimited multi-
domain multi-wildcard certs. Most other CAs charged more than that for a
single wildcard cert, and noone else seems to even offer _multiple wildcard
domains_ in a single cert.

Which was quite sensible, actually. Charge for the actual costly process of
manually verifying ID, and then allow for unlimited free domain-validations to
be issued to the corresponding ID (which is the machine-automatable part).

~~~
kennycox
After searching the web and comparing the different price rates, I just found
a lowest wildcard SSL at $42/yr. at
[https://www.ssl2buy.com](https://www.ssl2buy.com). I hope that you would not
find cheaper than this wildcard SSL. As they did not charge any extra beyond
the price and helped me to secure my number of sub domains. Even the backend
technical support was good enough.

------
nly
Fine, stop using them. You still trust them. Your visitors browsers still
trust them. Being paranoid wrt a Chinese CA really makes no sense. They have
as much incentive as a western CA to behave wrt keeping their signing keys
secure, and their revocation list sensible, which is all that really matters.

~~~
ctz
People need to read this.

There are many things to take into account when choosing a CA to use for your
site. But security, jurisdiction and any history of mis-issuance are not
relevant to you; only reliers. And no relier has any choice in the matter
anyway, or any economic relationship they can terminate.

(Things change if you start to use HPKP and pin to a particular root; nobody
does that though because it's an availability and economic nightmare.)

------
nbevans
Western CA's and ISPs are just as "state encumbered" as Chinese ones. We just
turn a blind eye, for some reason.

It would be so easy for NSA/GCHQ to recruit or place an "agent" inside of any
Western CA or ISP they wanted. There is even evidence in recent years that
this has been happening.

[http://www.theregister.co.uk/2015/09/21/symantec_fires_worke...](http://www.theregister.co.uk/2015/09/21/symantec_fires_workers_over_rogue_certs/)

This was merely the most recent incident. Yes Symantec covered it up quite
nicely and framed it as a test that went wrong (the Russian's used that excuse
with Chernobyl) but there is no evidence those "rogue employees" were not
acting for the state i.e. the USA.

There was also the recent incident with Juniper networks and the state-
sponsored backdoor that had been present in much of their network gear for a
few years. See: [http://www.wired.com/2015/12/researchers-solve-the-
juniper-m...](http://www.wired.com/2015/12/researchers-solve-the-juniper-
mystery-and-they-say-its-partially-the-nsas-fault/)

Still think the West CA's and ISPs are better than Chinese ones?

The only question you need to ask yourself is: Which government would you
rather have eyes on your data? One might surmise that if you have something to
hide from Western eyes then use a Chinese provider. And if you have something
to hide from Chinese eyes then use a Western provider. The balance of
probabilities, I believe, backs this up.

------
mmaunder
On a related note, Cloudflare use Baidu servers in China operated by Baidu
staff. My understanding is that this means private SSL keys given to
Cloudflare live on Baidu owned and operated servers.

[http://www.cnbc.com/2015/09/14/chinas-baidu-and-
cloudflare-i...](http://www.cnbc.com/2015/09/14/chinas-baidu-and-cloudflare-
in-partnership-to-boost-website-speeds.html)

They offer "keyless" ssl which puts the private key back in the data center
but this adds complexity and latency on the initial connect so I suspect most
don't use it.

~~~
jgrahamc
Nope.

Your "understanding" is completely wrong.

CloudFlare's network in China does not contain configuration, settings, SSL
certificates etc. from non-China CloudFlare customers. We run separate
infrastructure there and only if you go through the hoops to expose your web
site on our network inside China do we send information about your web site
there.

Source: me (I'm CloudFlare's CTO)

~~~
mmaunder
Not that wrong. You're just saying you have to enable China.

Do you make it clear in the UI that a private key is ending up on Baidu's
servers operated by Baidu's people? I don't use CF so I don't know - I'm just
curious what the user experience is like. I'm asking because your CEO
addressed concerns in the CNBC article about Baidu having access to your
intellectual property so they seem to have full access.

I think the issue of user education is a real problem. I'm Wordfence's CEO -
we're the biggest security vendor in the WordPress space. (We occasionally
work with your support staff to solve a customer issue) and I know that user
education in infosec isn't what it should be. We're actively working to try
and fix that with a vendor neutral learning center we created.

So for example I'm not sure users understand the impact of having a partially
secure connection to the endpoint when you only have SSL to a Cloudflare edge
server and are reverse proxying in the clear. Same issue here - I'd like to
learn more about the UX and how the location of their private keys is
explained to them.

I think as vendors we're often to blame because the marketing team gets a
little too excited at the cost of user education and clarity.

~~~
prdonahue
I'm the person designing this UX and yes, we plan to make quite clear/explicit
the _option_ of putting your private key in China. By default, keys will
remain outside the country.

Re your comments on user education: if you'd like to learn more about our
current UI, I encourage you to sign up for a free account at
[https://www.cloudflare.com/a/sign-up](https://www.cloudflare.com/a/sign-up).

And if you encounter any experiences you feel are not sufficiently clear, I
hope that you'll submit specific suggestions to me here: pat@cloudflare.com.

~~~
mmaunder
Thanks!

------
Tepix
Quote from the article:

"StartSSL already refused to revoke certificates affected by the HeartBleed
vulnerability and accused the user from negligence."

That's wrong. They did charge a $25 fee for the revocation, however. I think
it's reasonable since there is probably some manual process involved and the
certificate was already free. They have to earn money somehow.

~~~
tombrossman
Exactly, they've automated the issuance of free certs and revoking takes extra
work. $25 sounds high (sub-$10/year certs with unlimited free revocation & re-
issuance are easy to find) so it is a money maker for them but so what?

People think nothing of using the freemium model which gives you a basic
product for free, and charges you for extra features. It's exactly what
StartSSL are doing here.

I don't particularly like or use StartSSL, but much of the criticism of them
sounds totally invalid to me. Paid DV certs are dirt cheap people, shop
around!

~~~
malka
Except that it causes that a startSSL certificate had a higher chance of being
unrevoked if compromised. Therefore, I remove them from the truststore on my
computers.

------
derFunk
Reading this I'm more worried about the personal data StartSSL has about me. I
never felt good giving away so much personal data to CAs when acquiring
certificates to identify myself. Do we know how StartSSL handles this? Do the
Chinese now have a copy of my passport, electricity bill et cetera? (well,
I've been to China already, so the state already got my passport, but not
necessarily a "private" company).

~~~
testerooooooo
If the Chinese don't have it, the Mossad does. The fear is real. Maybe
StartSSL was only a Mossad front to collect valid/real identities from around
the world to use on covert ops.

------
daryltucker
Were you letting them generate your keys for you? What's the big hub-ub about?

------
hoodoof
So is that point that we can't trust the Chinese government and by implication
we can trust the U.S. and other governments?

------
mchahn
I personally have a serious problem dealing with the state of china's
telecommunications. It's about as close to evil as you can get. I'm not saying
other state actors are much better but, I'm just saying ...

~~~
markdown
You're joking, right?

China has a terrible record against their own citizens, but the US government
has a proven, published record of spying on the entire internet.

~~~
skeolawn
I'm guessing you have a lot to learn about China.

------
happywolf
I had a bad experience with StartSSL using their free SSL cert. Basically they
just treat you like a thief or scumbag trying to take advantage of their
freebie. Eventually I found a company selling $10/year cert which I am happily
paying. Now this adds another excuse for me to avoid StartSSL even more.

~~~
chebum
Opposite experience with their paid service. They respond quickly, even during
the night.

~~~
happywolf
No contradiction. It can treat paid customers as kings, but it doesn't mean
non-paying customers are beggars and thieves.

------
ck2
I really wish SSL had separated encryption from the authority.

Then you could have a choice of multiple authorities verifying each other,
independent and commercial.

------
prusswan
Qihoo bought Opera too. CRAP :(

------
mwcampbell
Why does the nationality of the company matter? Mentioning it so prominently
just plays to our natural xenophobia.

~~~
DyslexicAtheist
indeed by that logic we shouldn't be using anything that is built or hosted in
the US either. It is stupid nationalist fear mongering.

------
Tepix
Is there any alternative to StartSSL for free S/MIME certificates that are
trusted by the popular mail clients?

~~~
Kovah
Would like to know that too. For websites there's Let's Encrypt but I haven't
found any suitable solution for S/MIME...

~~~
elgaton
COMODO still appears to offer a free e-mail certificate:
[https://www.comodo.com/home/email-security/free-email-
certif...](https://www.comodo.com/home/email-security/free-email-
certificate.php)

------
jrochkind1
I'd be suspicious an Israel company was cooperating with US national security
agencies in the first place.

------
vidoc
Funny how 'China' has replaced 'Russia' in being the
SingleAndUltimateEvilEnemyOfTheFreeWorld in the poorly informed mind of some.

~~~
dragonwriter
I thought that role had been taken by al-Qaeda, and recently succeeded by
"ISIS".

~~~
vidoc
It's true, but they aren't usually portrayed as being smart, just
crazy/ugly/stupid. Whereas Chinese and Russians are portrayed as being
extremely smart and cold hearted.

~~~
vidoc
Of course never as smart since as Marco Rubio says "it is the greatest nation
in the history of Mankind" no less ..

------
KaiserPro
but this is how PKI/SSL/CA works.

You are borrowing someone else's trust. You are hoping that the company you
get a cert from won't pretend to be you. There is no technical mechanism to
stop this, no matter where the parent company is based.

Also the other thing to note is that virtually all communications companies
have some sort of government involvement regardless of where they are based.

~~~
icebraining
_You are hoping that the company you get a cert from won 't pretend to be
you._

Actually, _any_ company can pretend to be you, whether you got the cert from
them or not.

------
ryanqian
Chinese Company is OK, but Qihoo is not, This is an awful Company.

------
skrowl
I'm all for jumping over to Let's Encrypt... as soon as they offer certs I
don't have to renew every 3 months

~~~
theandrewbailey
A certificate that expires every 3 months with an interface that is usable is
better than none at all. Write a script and add to cron.

------
Lanari
>Hint: it involves a Chinese company

Isn't saying that a bit wrong? at least point on the hint that it is having
connections with a state-owned company.

------
alvarosm
Pathetic let'sencrypt promotion.

Now I'm gonna give you a few reasons not to use let's encrypt: it forces you
to keep a piece of software that can generate keys in your server. It forces
you to reload your web server config every two months, unattended (they won't
issue certs valid for more than 90 days). The alernative would be to do the
process manually every two months(wtf?). Also, its certificates are not
trusted in Windows XP.

Now, as part of these piss-poor authoritarian decisions and attitude, someone
is trying to trick startssl users into using let's encrypt posting this crap
with circumstantial evidence about China and Startssl. I hope you fail
miserably.

No, I have no ties to Startssl whatsoever. And it's been ages since I last
used their service.

~~~
blfr
It does not force you to use any particular software. You can even write your
own client.

Shorter validity time makes your users safer. If you lose the private key, it
will only be a problem for three monts or less. Reloading your webserver
should be a complete non-issue.

~~~
alvarosm
Because everyone should love to waste their time writing their own client. And
running let'sencrypt scripts as root. And risking their security. And/or
renewing certificates every now and then instead of focusing on stuff that
matters. And anyone who disagreees should be downvoted to oblivion. YEAH!

~~~
pfg
You don't have to run anything as root if you don't want to. There are tons of
clients out there without that requirement. Your argument is basically that
Let's Encrypt should have put more focus on working like other CAs do, while
they decided to focus on better security and automation. Luckily, there are
plenty of other CAs out there, and it's quite likely that more of them will
start offering free DV certs soon, so it's not like Let's Encrypt is forcing
you to do anything you don't want to.

~~~
alvarosm
I don't think anyone will be offering free DV certs while let's encrypt is
still so dysfunctional and unusable in a real life situation. There was the
potential for that, sure, but they've screwed up.

~~~
pfg
Two CAs already do this (StartSSL, WoSign). FWIW, there's a blog post by
CertSimple[1] _kind_ of confirming this is coming (no sources or specifics,
though).

[1]: [https://certsimple.com/blog/domain-validated-ssl-will-be-
fre...](https://certsimple.com/blog/domain-validated-ssl-will-be-free)

