Heartbleed
After the Heartbleed bug in OpenSSL, a lot of SSL certificates must now be considered compromised. This means that a huge number of SSL certificates needs to be reissued. The security scheme we are using relies on trust: you have to trust that the CA only signs certificates after verifying the requester, and that nobody else knows the private key of the SSL certificate. CloudFlare has now demonstrated that it really is possible to extract the private key through this vulnerability. If you no longer trust your own SSL certificate because its private key has been compromised, you have to get a new one and revoke the old one.
Going through this process alone is bad enough already. However, many people I know and also myself are using free SSL certificates issued by StartSSL.
StartSSL
I always thought StartCom, the company behind the StartSSL brand, is doing the right thing by providing free SSL certificates. I trusted them because I thought they would advance the use of crypto on the internet by giving everyone access to SSL certificates in order to secure their personal web server, mail server, or anything else that uses SSL.
But there is a catch to their offer: they charge a fee of US $24.90 for a single revocation. Also, you can’t reissue a free Class 1 certificate as long as it is still valid. That is a fact that many might not have been aware of, and even if they were, they thought this would be fair. If you lose trust in your SSL certificate because you accidentally exposed its private key, it is your fault and you pay to revoke it.
For heavy users of StartSSL, these revocation fees, even for just a few subdomains, add up to a huge amount of money, a whole lot more than buying a multi-domain or even wildcard SSL certificate from another company would have cost. Especially as other companies selling SSL certificates usually include reissue and revocation for free.
StartSSL’s Upgrade and Revocation Policies
But there is more: even if you upgrade to a paid Class 2 certificate at StartSSL, they will not revoke a free Class 1 certificate previously issued. This totally defeats the purpose of upgrading to the paid level in case your certificate is compromised — the old one will still be valid and can be used for man-in-the-middle attacks!
@martinbarry No, it will not – in this situation you should request revocation.
— StartSSL PKI (@startssl) April 9, 2014
Even more alarming is that they don’t tell you that you really need to revoke the certificates. Quoting from their FAQ:
72.) I made a mistake, can I get my certificate revoked?
Revocations carry a handling fee of currently US$ 24.90. Class 1 subscribers may use a different sub domain in order to create additional certificates without the need to revoke a previously created certificate. […]
This is total bullshit. You can only issue a free Class 1 certificate for a subdomain, and it will be valid for both the foo.example.org and example.org domain names. Even using a different subdomain will still leave the domain itself exposed!
[…] Alternatively it’s possible to upgrade to Class 2 level which allows to create the same set of certificates once again (besides all the other benefits), because different levels are issued by different issuers, making revocation unnecessary.
Bullshit again! No, this does not make revocation unnecessary. As long as another certificate is valid for a specific domain name, any connection to it might be compromised. You would need to manually check which certificate is being used, every time. Which is exactly why we use the system of CAs at all: we don’t want to do this. We only want to trust the CA as a third party once, instead of doing any checks ourselves.
If they had offered free revocations of the Class 1 certificates when paying for the Class 2 verification, I would have seriously considered doing this. With their current policies I would pay for a service and still feel ripped off. No, thanks.
If I have to pay for the revocation of Class 1 certificates anyway, there is no reason to choose StartSSL as CA. There are other offers that include reissue and revocation in their price tag. StartCom, you lost me as a potential customer over this.
Conclusion
I won’t get any more certificates from StartSSL. With such policies in this situation, I do not trust them any more and rather pay the fees for SSL certificates from another company up-front instead of paying a whole lot more later.
Seems like the mistake they refer to in the quoted FAQ entry was to use StartSSL at all.
This blog was secured with a StartSSL certificate before. Due to my laziness in upgrading the Debian Linux distribution on the server, it is still running the squeeze release with OpenSSL 0.9.8o. Running Debian squeeze at this point is not particularly bad, as it’s still covered by security updates and might even get long term support. The SSL certificate of this blog could not have been compromised by the Heartbleed bug, which was introduced in OpenSSL 1.0.1. Anyway, to show my distrust in StartSSL, I replaced it with a Comodo PositiveSSL certificate today.
Do you still trust Comodo to be more trustworthy than StartCom just because they asked for money to handle revocations? Think twice – a guy from Finland managed to get a valid certificate from Comodo for “live.fi” (Microsoft Live in Finland), just because he was able to register “hostmaster@live.fi” as his e-mail address:
http://arstechnica.com/security/2015/03/bogus-ssl-certificate-for-windows-live-could-allow-man-in-the-middle-hacks/
Thank you for your question. As the comment I typed as an answer to this question became too long, I published it as a new blog post:
Should we distrust Comodo after issuing a rogue SSL certificate for Windows Live?
I use StartSSL and am worried that they may offer inferior certificate. I am also thinking of using Comodo, however, I notice that your site now issues the following warning: “raim.codingfarm.de is encrypted with obsolete cryptography”. To me, that seems like a backward move as my StartSSL certificates do not show such a warning. Do you think I should bother?
This warning in Google Chrome about obsolete cryptography is based on my web server still allowing the use of cipher suites that are considered insecure. Actually it does not have anything to do with the certificate itself, but about the configuration of the web server.
An SSL/TLS connection ensures two separate goals:
1) It confirms the identity of the domain/server, so that nobody else can pretend to be this website. This is achieved by presenting a certificate signed by a third-party CA, which you trust (or usually your browser/OS trusts them).
2) It ensures the connection is encrypted, so nobody else can read the data transmitted.
The warning you get is about the latter. It is probably still using the CBC encryption mode, while it would be better to use AES-GCM now. I did not bother to configure my Apache web server specifically to prohibit use of bad cipher suites. However, the impending upgrade to Debian Jessie with Apache 2.4 will allow use of even stronger SSL tweaks, such as OCSP stapling.
For more information see:
https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
https://cipherli.st/ (copy & paste instructions)
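The reply above separates the certificate (identity) from the cipher suite configuration (encryption) that triggered Chrome’s “obsolete cryptography” warning. The following is an added example, not code from the blog or from either linked guide: it classifies OpenSSL-style cipher suite names the way that warning did (non-AEAD bulk ciphers such as CBC or RC4 are flagged, and AEAD suites without an ephemeral key exchange are flagged for lacking forward secrecy) and renders the surviving names as an Apache `SSLCipherSuite` directive. The sample cipher list is constructed; the classification rules are this example’s own approximation of the browser policy.

```python
import ssl

# AEAD bulk ciphers: AES-GCM, AES-CCM and ChaCha20-Poly1305 (no CBC padding oracle risk).
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")
# Key exchanges with forward secrecy. "TLS_" is the TLS 1.3 naming scheme, where
# every suite uses an ephemeral (EC)DHE exchange.
FS_PREFIXES = ("ECDHE-", "DHE-", "TLS_")

# Constructed sample: what a lax Apache 2.2 default might offer, mixed with modern suites.
SAMPLE_OFFERED = [
    "ECDHE-RSA-AES128-GCM-SHA256",   # modern
    "ECDHE-RSA-AES256-SHA",          # CBC mode: triggers "obsolete cryptography"
    "AES128-GCM-SHA256",             # AEAD, but static RSA key exchange: no forward secrecy
    "RC4-SHA",                       # stream cipher, not AEAD: obsolete
    "TLS_AES_256_GCM_SHA384",        # TLS 1.3 suite: modern
]


def classify(name: str) -> str:
    """Return 'modern', 'obsolete-bulk' or 'obsolete-kx' for an OpenSSL cipher name."""
    is_aead = any(marker in name for marker in AEAD_MARKERS)
    has_forward_secrecy = name.startswith(FS_PREFIXES)
    if not is_aead:
        return "obsolete-bulk"   # CBC/RC4: what Chrome flagged as obsolete cryptography
    if not has_forward_secrecy:
        return "obsolete-kx"     # AEAD, but a compromised RSA key decrypts past traffic
    return "modern"


def modern_cipher_list(names=None) -> list:
    """Keep only the 'modern' suites; default input is what this OpenSSL build offers."""
    if names is None:
        names = [c["name"] for c in ssl.create_default_context().get_ciphers()]
    return [n for n in names if classify(n) == "modern"]


def apache_directive(names) -> str:
    """Render an SSLCipherSuite line. TLS 1.3 suites ("TLS_...") are left out here
    because Apache configures them separately (assumption: TLS 1.2 and older only)."""
    legacy_names = [n for n in names if not n.startswith("TLS_")]
    return "SSLCipherSuite " + ":".join(legacy_names)


if __name__ == "__main__":
    for name in SAMPLE_OFFERED:
        print(f"{name:32} {classify(name)}")
    print(apache_directive(modern_cipher_list(SAMPLE_OFFERED)))
```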
Thanks for writing about this. I was wondering what the deal with StartSSL is. I did not understand how come StartSSL doesn’t put all other providers of certificates out of business.
It’s all clear to me now. They are making money in “hidden” ways. I would never use them. For me, free reissue of a certificate is very important. First of all, during the first month of usage I needed more and more domains added. Each time I added a new domain I would reissue the certificate – obviously for free (while the number of domains was up to the max allowed initially). When I went over the initial deal I paid more, but only for the new domains, not for the reissue itself.
Something else: when I bought the initial certificate I wanted to have some subdomains added to the list. Later on I decided that I did not need certificates for those subdomains. In this situation, I would have to pay again, right? WTF?!
In any case, ignoring all the above, a company that has hidden costs has shady business practices. I really don’t understand why there is so much free advertising for StartSSL. So many ppl recommend them, and I am talking about authoritative sources like StackOverflow.
Wtf?! Does the mirage of something “free” really cloud the judgement of ppl? This is like any other “free offer”: you get it for free, then anything else you want goes deep into your pocket.
Essentially you’re really complaining that a company that offers a free product/service doesn’t give you everything they have for free. How horrible of them to have things that cost money. Then you go and pay for a cert anyway.