29 comments

[ 3.0 ms ] story [ 50.3 ms ] thread
Interestingly it does send a different message than the mailing list post. While not factually wrong, the press release sounds like the browsers are to blame for the decision (which they definitely are not, see the mailing list posting).
If it helps people in other CA businesses to convince management to take compliance and security seriously, all the better.

"No, we can't take a shortcut here. See what happened to StartCom after they bent the rules a bit too much".

Go back to right after all of this started and read some of their "public communications" (statements aimed at their customers, etc.).

IMO, they tried to make it sound like they were the victim and the browser vendors (especially Mozilla) were "picking on them". They were trying to shirk responsibility and minimize/downplay their own actions and "fuck ups" that got them in the position they found themselves in.

As an outsider reading along on m.d.s.p. as events unfolded, I got the impression that they thought they were going to quickly and easily "fix" everything just by saying "oops, sorry" and making a few changes. As they discovered, it doesn't work like that.

Let this be a lesson to the other CAs.

(comment deleted)
And yet they're still advertising EV certificates on the side banner... https://imgur.com/a/x7wwm
> "We´ll set January 1st 2018 as the termination date and will stop issuing certificates therefrom."
Their EV certs are coming from a 'partner' (that i'm not entirely certain is a partner) - camerfirma, not startcom, iirc.
No doubt victim to the success of LetsEncrypt and good riddance, too. Before LE, Starcom was the only way to get a free and recognized SSL certificate, only it was a pain to use (client certificates) and only worked with specific browsers.
Unfortunately usability was the least of its problems.
It was much easier to use than LE for me. I've never had a problem with client certificates. It's awesome technology and it's a pity that it's basically unchanged for years, while insignificant things developed. It could completely replace login mechanism everywhere with much more reliable and secure way to handle credentials.
I think this had less to do with Let's Encrypt, and more to do with the fact that StartCom's root certificates were distrusted by nearly all major browser vendors some time ago due to [their parent company's violations of the Baseline Requirements](https://wiki.mozilla.org/CA:WoSign_Issues).
They were shady bunch long before WoSign acquired them. I say good riddance to them and their practices.
Victim of their own violations of the BRs, leading ultimately to the "distrusting" of their roots by the major browsers.
StartCom will always have a special place in my heart – they're the only company that I had to outright bribe to do business with.

On the other hand… I really won't miss 'em.

> StartCom will always have a special place in my heart – they're the only company that I had to outright bribe to do business with.

Can you elaborate on that?

Their ToS stated that only a single person could ever be allowed to touch StartCom accounts, and if that person ever went on vacation, or quit, we'd have to re-register, re-authenticate, and have support move over all certificates one by one, because StartCom was unable to handle the idea that a company might have an IT staff with a size >1.

So we said "fuck that" and shared the account. When we were caught, they would have had the right to terminate our account and revoke all our certs. Instead, they offered to look the other side as long as we paid the authentication fee again.

It went all to shambles when Eddy Nigg lost control.
And by lost control, you mean sold the company, yes!
Lost? He sold it. Half the issues here came from him selling the company in secret.

But even before then StartSSL was a hinky CA. Three times I contacted support, I got direct responses from Eddy. Each time he managed to make me feel like I'd personally insulted him. Abrasive.

All that said, he was providing well trusted free certificates at a time nobody else was.

Yes, but it was shady before. Remember that they let you pay for revocation. Even worse, also after heartbleed!
I won't miss them. For many years their certificate registration process was extremely confusing and tedious, but they conveniently charged a lot of money to revoke a certificate (read: it was cheaper to buy a new certificate from someone else like SSLMate for less money than it was to revoke a free certificate with StartSSL).

I once contacted their support and was barraged with unprovoked aggressiveness. Things like asking an innocent question with no snarkiness and getting a response like "Next time you should read the page :)".

Nowadays I use Let's Encrypt and I'm really happy with it. I haven't even thought about an SSL certificate in about a year and all of my sites have auto renewing certificates for free.

If anyone is curious how to set all of that and just want to see how all of the pieces of hosting a secure site come together (from hosting, domain purchasing and automated SSL integration with Let's Encrypt) then you can check out a course I put together that demonstrates everything at https://httpswithletsencrypt.com/.

I worked as Director of Engineering for an investor[1] who helped bootstrap StartCom. StartCom was back then the first successful firm from the Authenticity Institute portfolio. I joined Authenticity because I thought it could really shake up the certification industry.

I quit after 6 months when I learned that the equity based contracts were designed to scam the engineers that I hired. Also I dared to raise concerns over bringing StartCom founder Eddy Nigg back into the company for advise on how to build a sound infrastructure (fit for ETSI & WebTrust certification).

Management there has a thing for "hiring struggling entrepreneurs" and then phishing them for their ideas with promise of equity which is never paid out. There were also a range of other issues such as racist coworkers (which I fired in my first week) and a refusal from the founder to face up to these issues.

One applicant was made promises, then stalled on the contract and when she quit her original job was told on her first day of work that her salary negotiation hasn't even started. I was let go (or I quit with a bang depending who you ask) because I dared to point out they're all crooks.

I personally don't see how trust can every be implemented in systems when it is owned by a company which can be acquired with M&A and the same bad apples who cash out from projects are then investing in similar companies.

[1] https://en.wikipedia.org/wiki/Wes_Kussmaul

Since they are owned by a parent company (look at the sig of the email), are they really shutting it down or are they going to reassign the employees to another team with a different name?
The loss of this particular business isn't nearly the shame that the loss of the business model is. Activities that required human effort and involvement had a cost, like identity verification, while activities that had near zero costs were free.

That was terrific, as you could verify your identity, get a code signing cert, one for the website, and one for s/mime or digital document signing all for $60. I like Let's Encrypt and have used it since, but it's nowhere near as full featured of an offering.

> I like Let's Encrypt and have used it since, but it's nowhere near as full featured of an offering.

Yet.

I think they'll begin offering a non-free service inthe next two years or so. The free DV certs will remain but eventually they'll need actual income (as opposed to donations and/or corporate sponsorhips). EV certs may be one way that heppens, I don't know.

For the longest time, we heard they wouldn't be offering wildcart certificates. Then, I just happened to be looking at their (recently updated) CPS one day (I was working on building out an intenral PKI at the time) and saw mention of issuance of wildcard certificates. They announced those shortly after.

Anyways, like I said, st some point they'll need actual income. I'm not sure what they'll offer in order to do that, though. Maybe EV certs, maybe longer issuance periods after more in-depth organizational verification, maybe some subscription-based "manage all your certs easily" tool, who knows. But I expect them to follow the same "automated == free", "manual intervention/work == not free" business model.

> Anyways, like I said, st some point they'll need actual income.

I'm pretty sure they get sponsored by lots of big vendors. i.e. google has letsencrypt support in gcoud. I'm pretty sure that big vendors need to pay to query their API more often.

I used them for a few years without issue. They were always quick to respond to my e-mails.

Let's Encrypt and AWS cover my cert needs now.