After the Heartbleed bug in OpenSSL, a lot of SSL certificates must be considered compromised: any private key that was loaded into a vulnerable OpenSSL 1.0.1 process could have been read out of its memory. This means that a huge number of SSL certificates needs to be reissued. The security scheme we are using relies on trust. You have to trust that the CA only signs certificates after verifying the requester and that nobody else knows the private key for the SSL certificate. CloudFlare's Heartbleed challenge demonstrated that it really is possible to get the private key through this vulnerability. If you don't trust your own SSL certificate any more because its private key has been compromised, you have to get a new one and revoke the old one.
Going through this process is bad enough already. However, many people I know, and I myself, are using free SSL certificates issued by StartSSL.
I always thought StartCom, the company behind the StartSSL brand, is doing the right thing by providing free SSL certificates. I trusted them because I thought they would advance the use of crypto on the internet by giving everyone access to SSL certificates in order to secure their personal web server, mail server, or anything else that uses SSL.
But there is a catch to their offer: they charge a fee of US $24.90 for a single revocation. Also, you can't reissue a free Class 1 certificate as long as the existing one is still valid. Many might not have been aware of this, and even those who were probably thought it was fair: if you lose trust in your SSL certificate because you accidentally exposed its private key, it is your fault and you pay to revoke it.
For heavy users of StartSSL, these revocation fees add up to a huge amount of money even for just a few subdomains. A whole lot more than a multi-domain or even wildcard SSL certificate from another company would have cost, especially as other companies selling SSL certificates usually include reissue and revocation for free.
StartSSL’s Upgrade and Revocation Policies
But there is more: even if you upgrade to a paid Class 2 certificate at StartSSL, they will not revoke a free Class 1 certificate previously issued. This totally defeats the purpose of upgrading to the paid level in case your certificate is compromised — the old one will still be valid and can be used for man-in-the-middle attacks!
@martinbarry No, it will not – in this situation you should request revocation.
— StartSSL PKI (@startssl) April 9, 2014
Even more alarming is that they don't tell you that you really need to revoke the compromised certificates. Quoting from their FAQ:
72.) I made a mistake, can I get my certificate revoked?
Revocations carry a handling fee of currently US$ 24.90. Class 1 subscribers may use a different sub domain in order to create additional certificates without the need to revoke a previously created certificate. […]
This is total bullshit. A free Class 1 certificate is issued for a subdomain, but it is valid for both foo.example.org and the bare example.org domain name. Issuing a new certificate under a different subdomain still leaves the domain itself exposed to the old, unrevoked certificate!
[…] Alternatively it’s possible to upgrade to Class 2 level which allows to create the same set of certificates once again (besides all the other benefits), because different levels are issued by different issuers, making revocation unnecessary.
Bullshit again! No, this does not make revocation unnecessary. As long as another certificate is valid for a specific domain name, any connection to it might be compromised: a client that only validates the CA chain will accept the old certificate just as readily as the new one. You would need to manually check which certificate is being presented, every time. Which is exactly why we use the system of CAs in the first place: we don't want to do this. We only want to trust the CA as a third party once instead of doing any checks ourselves.
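The two points above, that a Class 1 style certificate for a subdomain also covers the bare domain, and that only a client comparing the presented certificate against a known fingerprint can tell an old, unrevoked certificate from its replacement, as an added example that is not part of the original post. It generates two self-signed certificates locally to stand in for the old and the new certificate (hypothetical names foo.example.org and example.org, no network access) and assumes OpenSSL 1.1.1 or later for the -addext and -ext options.

```shell
#!/bin/sh
# Added example, not from the original post: two certificates that are both
# valid for the same names (standing in for an old, compromised but unrevoked
# certificate and its replacement), and the pin check a client would need in
# order to notice that the old one is being served. Names are hypothetical.
set -eu
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a self-signed certificate for the subdomain that also covers the bare
# domain, mirroring the SAN layout described for a StartSSL Class 1 certificate.
# (-addext needs OpenSSL 1.1.1 or later.)
make_cert() {  # $1 = file prefix inside $WORK
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=foo.example.org" \
    -addext "subjectAltName=DNS:foo.example.org,DNS:example.org" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# SHA-256 fingerprint of the DER encoding: the value a pinning client remembers.
fingerprint() {  # $1 = PEM certificate
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# DNS names the certificate is valid for, one per line.
san_names() {  # $1 = PEM certificate
  openssl x509 -in "$1" -noout -ext subjectAltName | tr ',' '\n' | sed -n 's/.*DNS://p'
}

# A CA-validating client cannot tell the two certificates apart: both chain to
# a trusted issuer and both name the host. Only comparing the presented
# certificate against a stored fingerprint catches the wrong one.
pin_matches() {  # $1 = presented PEM certificate, $2 = expected fingerprint
  [ "$(fingerprint "$1")" = "$2" ]
}

make_cert old   # the compromised certificate that was never revoked
make_cert new   # the replacement
PIN=$(fingerprint "$WORK/new.pem")

echo "names covered by the old certificate:"
san_names "$WORK/old.pem"          # foo.example.org and example.org
for c in old new; do
  if pin_matches "$WORK/$c.pem" "$PIN"; then
    echo "$c certificate: matches pin"
  else
    echo "$c certificate: does NOT match pin, yet CA validation alone would trust it"
  fi
done
```

Run it as a script: the SAN listing shows both names on a certificate requested for the subdomain, and only the fingerprint comparison rejects the old certificate. In practice the pin has to be taken from the certificate you actually deployed, and every client has to carry it, which is exactly the bookkeeping the CA system is supposed to spare us.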
If they had offered free revocations of the Class 1 certificates when paying for the Class 2 verification, I would have seriously considered doing this. With their current policies I would pay for a service and still feel ripped off. No, thanks.
If I have to pay for the revocations of Class 1 certificates anyway, there is no reason to choose StartSSL as CA. There are other offers that include reissue and revocation in their price tag. StartCom, you lost me as a potential customer over this.
I won't get any more certificates from StartSSL. With such policies in this situation, I do not trust them any more and would rather pay the fees for SSL certificates from another company up-front instead of paying a whole lot more later.
Seems like the mistake they refer to in the quoted FAQ entry was to use StartSSL at all.
This blog was secured with a StartSSL certificate before. Because I have been too lazy to upgrade the Debian Linux distribution on the server, it is still running the squeeze release with OpenSSL 0.9.8o. Running Debian squeeze at this point is not particularly bad, as it's still covered by security updates and might even get long term support. The SSL certificate of this blog could not have been compromised by the Heartbleed bug, which was introduced in OpenSSL 1.0.1 (assuming, of course, that the private key was never loaded into a vulnerable OpenSSL anywhere else). Anyway, to show my distrust in StartSSL, I replaced it with a Comodo PositiveSSL certificate today.