Heartbleed

After the HeartBleed bug in OpenSSL, a lot of SSL certificates must be considered compromised now. This means that a huge amount of SSL certificates needs to be reissued. The security scheme we are using relies on trust. You have to trust that the CA only signs certificates after verifying the requester and that nobody else knows the private key for the SSL certificate. CloudFlare demonstrated now that it really is possible to get the private key through this vulnerability. If you don’t trust your own SSL certificate any more because its private key has been compromised, you have to get a new one and revoke the old one.
Going through this process alone is bad enough already. However, many people I know and also myself are using free SSL certificates issued by StartSSL.
StartSSL
I always thought StartCom, the company behind the StartSSL brand, is doing the right thing by providing free SSL certificates. I trusted them because I thought they would advance the use of crypto on the internet by giving everyone access to SSL certificates in order to secure their personal web server, mail server, or anything else that uses SSL.
Continue reading →