Feels a bit silly to complain about a free certificate from the CA which probably helped a lot of people to even think about using SSL on their site and if I'm not mistaken it's just 25$ to get a new one. That's even cheaper than getting one from Comodo/etc. They always said that revoking a certificate is not free, that's what you signed up for.
It's a silly complaint. It's also the inevitable result of offering something useful at a "free" price point: it attracts pathological customers --- for instance, the ones who will attempt to organize informal boycotts against you when something about that free offering turns out not to be to their liking.
The problem with this analysis, as with most libertarian analyses, is that it ignores externalities. The security of x.509 is a cooperative endeavor. The continued existence of compromised certificates from any CA undermines the security of the entire internet because you can no longer trust the browser padlock icon. So while it is certainly arguable that Start could justifiably refuse to provide a service for customers who have never paid, it is a much harder case to make that Start is justified in undermining the security of the internet because it chose (wisely or unwisely) to provide certificates for free.
> The continued existence of compromised certificates from any CA undermines the security of the entire internet because you can no longer trust the browser padlock icon.
True, but my guess is that StartCom doing free revocations / reissues would only make a tiny dent in that situation.
That may be, but it's beside the point. Given that we have a situation where the continued viability of the internet depends on everyone rowing in the same direction, the argument that Start has no responsibility in this case because "you get what you pay for" should not carry the day.
The viability of the Internet in no way depends on Start's actions here. Certificate revocation is not in fact a giant "everyone row the same direction" coordinated effort to save the Internet. It's closer to theater than it is to triage.
It's not an externality of Start's business. They were up-front with their clients: revocation carries a handling fee. The externality you're referring to was caused by the users of StartSSL, who deliberately opted to pay nothing for SSL certificates that didn't have free revocation.
(Certificate revocation simply doesn't work regardless, but let's stipulate here that it does).
That assumes that all their clients were paying attention. That is almost certainly not the case. It is arguable where the responsibility lies in a case like this, but there is a case to be made that Start carries at least some of the responsibility for having created an environment where such a critical item was so easy to miss.
I am not saying that Start is in fact the villain it is being made out to be, only that the "you get what you pay for" argument should not be the last word.
You can't see them, but my eyebrows are raised. Start is famous for providing free SSL certificates; in fact, that may be all they're famous for. Virtually all other certificates cost money. What you're suggesting is that it wouldn't be the first question any reasonable person would have had, "what are the limitations of this free SSL certificate"?
I also find the notion that people would have gone elsewhere for their certificates had they only known Start's were irrevocable a bit dubious. More than a bit; "laughable" is perhaps a better word. From out here on the limb I'm standing on, I'll suggest that you probably (and quietly) agree.
This disagreement has spread into multiple branches of this thread. I'm going to try to consolidate all of my responses here to keep things from spinning too wildly out of control.
> I'll suggest that you probably (and quietly) agree.
I agree with most of the literal text of what you have written, but you still continue to ignore the salient fact that this is an unprecedented situation. The continued existence of large numbers of potentially compromised certificates undermines the entirety of X.509 because you can no longer trust the green padlock. The more un-revoked certificates exist in the wild, the less you can trust the entirety of X.509.
Under normal circumstances this wouldn't matter because the number of certificates that get compromised in the normal course of events is small, so the risk of encountering a compromised but un-revoked certificate is small. But in the current situation that is not the case. Vast numbers of private keys are potentially compromised with no way to know, and until something is done about that, the entirety of x.509 is undermined. Cert revocation is far from an ideal solution, but it's better than nothing. At least it offers the possibility of rejecting potentially compromised certs.
In the face of this unprecedented situation, Start's refusal to make any kind of contribution towards mitigation cannot be defended simply by saying that their users should have read the TOS more carefully because those users are not the ones who are being hurt. Everyone who relies on x.509 is being hurt (hence, externality). Start is in a position to make a major contribution towards the mitigation of this problem and the restoration of trust in x.509, and they are refusing to do so. They are entirely within their rights. But it is also not unreasonable to criticize them for choosing not to contribute to the common good.
The business model animating Start's terms is clear to both of us (we've both sold software long enough to see it). Start doesn't make money selling ads and they don't make money reselling personal information. And yet they give something valuable away for free. There's pretty much one model left for them to avail themselves of: upselling.
The Start deal is obvious: you can have an SSL certificate for free now, but that certificate is inappropriate for (for lack of a better term) "serious business" (actually, any business, as stated in their terms, but I digress). The idea behind the offering is that once you realize you actually get value out of the thing they gave you, you'll convert to a paying customer.
Revocation is, as is clearly stated, one of the points in their customer acquisition process at which window-shopping free SSL cert users convert to paying users.
This isn't a complicated analysis. It is the idea behind the offering. People revoking their certificates are demonstrating that they value them. Like most people who value their certs already did, they should simply pay for the new certificate. Failing that, they can (a) accept the minimal risk that their keys were compromised, or (b) change hostnames, kill the old hostname, and start up with a new certificate.
What's at stake here isn't the fate of the Internet. It's the convenience of "customers" who have a revealed $0 preference for security.
I'm guessing that neither of us like the CA cartel, but we deal with the world as it presents itself to us, not as we wish it to be. Support TACK! It's a step in the direction of less dependences on for-profit central authorities.
I am curious why/how you concluded this was a libertarian analysis? Do you and tptacek have a history that gave you additional context to what he wrote? When I read it I did not see anything that screamed libertarian.
I didn't know whether he was a libertarian or not, but ignoring externalities is a hallmark of libertarian thought. I apologize if I made an unwarranted assumption. But the substance of my comment applies regardless.
The substance of your argument is that, having provided a free "no commercial use" SSL certificate that explicitly requires a $40 handling fee for revocation, Start has somehow assumed some obligation on the part of the users that opted into this scheme, and that their users' reticence in forking out money for revocation is an externality created by Start. I don't find that argument credible.
The $24.90 fee also applies to paying Class 2 customers. Only EV certificates get free revocation from StartCom.
My own personal blog (not very critical) has a Class 2 certificate, and I decided to switch to a Comodo PositiveSSL ($5/year for 5 years) and not revoke the StartSSL one.
I mean, damn people who use a free thing that then get screwed, through no fault of their own, not wanting to be charged $25 for a part of the service that they would never need to use otherwise.
You're either free, or you're not -- StartSSL is a mish-mash of "free" and opportunistic costs.
I think some people are exaggerating how aware Class 1 customers were of the revocation policy. It’s in the FAQ, but the site also advertises “100% Free”. I think the expectation is that free services have automated infrastructure, and that they’re a way to advertise your paid services—and I did, in fact, start out as a Class 1 and later paid for Class 2.
I don't see where it said $5/year. Right now it costs $50 per year.
EDIT:
Are resellers like them more trustworthy? I understand that big CA often sells out to smaller CA and smaller CA sell out to even smaller CA. But how trustworthy are ssls.com and namecheap?
EDIT
Okay. I see. namecheap has been running since 2001 which means it has been doing business pretty well :) So why are they cheaper? Because namecheap are the one managing all the accounts and Comondo is only doing validation?
I'm really confused. If you think your original certificate may have been compromised, the only reason to get a new certificate would be to protect your users from a MITM attack. Since you have not revoked your old certificate, you have done nothing to reduce this risk.
This is all kind of pointless for my silly personal blog, so you could view it as a symbolic way of registering my displeasure with StartCom ;-)
To answer your question, suppose I think my key has been compromised. Then I don’t want to continue using that key because non-MITM’ed communication between my server and the client is compromised. So I generate a new key, and I’d like a a new certificate for that new key—the old one won’t work (Apple Secure Transport bug notwithstanding). My users are still vulnerable to a MITM attack, yes.
--edit: assuming that the user’s connection uses a non-PFS cipher suite.
To put it more succinctly: my private key has potentially been compromised, not my certificate. By generating a new private key (which implies a new certificate), I can protect against non-MITM eavesdropping for non-PFS ciphers.
From a POV of fairness to StartCom, I agree with you, and initially saw it as a ridiculous sense of entitlement on the part of their (non-paying) customers. However as a third party user of the web I am somewhat persuaded by the simple argument that the certs should be distrusted on the basis that they are no longer trustworthy.
Edit: Having thought about it for a minute, a logical consequence of my argument is that all certificates signed by CAs that charge a revocation or reissue fee should be distrusted, which probably makes it not a very reasonable argument. I guess this just leaves us at "Valid SSL certificates are not necessarily trustworthy and we just have to live with that".
I have no problem with them asking for money to issue a new certificate, but revoking the old one when it is compromised is an obligation they took on when selling (or giving it away) in the first place. An obligation to Mozilla and others that have put them in their trust store if I may add.
It is the same reason we have mandatory recycling provisions. Just because your shit is free doesn't mean we have to sit by and watch you pollute the world.
Hm, by that argument I guess they (and all other CAs) should just revoke all of the ones on servers that are/were vulnerable without user intervention. I can't imagine that would make them any more popular, although it probably would be the right thing to do.
StartSSL can make free certificates because the entire system is automated (until you require Level 2 certificates) so the cost of operation is very low.
My guess is that the revocation is not entirely automated. There might also be reasons other than technical why it's not the case. In any case, if they explained the reasons it would put some perspective on their point of view and help people understand.
Due to $0 price of certificate I guess many had considered it would be a good idea to have a certificate per service, i.e. a separate one for HTTPS, email, XMPP and so on. I did. The overall thought was that if one service would be compromised, others would likely remain safe - but Heartbleed had completely changed the story.
In my case if I'd revoke all the certificate it would be about $600. Call me names if you want to, but I'm not going to shell out that much. Guess, many others would think the same.
I've updated OpenSSL but if any certs were compromised, they would stay so until they would naturally expire.
StartSSL's default usage mode is to generate private keys on their website. Yet another horribly insecure system.
I'd much rather that people used self-signed certs (and browsers had certificate pinning) by default, and could then step up to real CA certificates. Self-signed certs provide almost the same amount of trust that StartCom does.
For server certificates, unless you supply the CSR by yourself by skipping a step (IIRC, you're softly encouraged to do so), they generate the key server-side and send it to you back. They even have a FAQ entries (##43,44, although their site is down ATM, so Google for a cached copy) about that.
None of this has anything to do with StartSSL's trustworthiness as a CA. It is ridiculous to see that people are whining that a company that signed their cert for $0.00 is asking for some money for additional work. The $25 rekeying is a steal for a certificate.
What CA in mozilla/chromium comes closest to StartSSL's $0.00 or $25.00 certificate? That question is not rehetorical, I am genuinely curious what is the second cheapest option for a signed certificate (from a CA trusted by default in mozilla/chromium).
They're in both browser's truststores. That's about as "trusted" a CA can be by an inanimate object.
For a CA that issues hundreds of thousands of certs, three instances of mistakes is not damning. Whereas a CA, like STartCom, that boldly proclaim to be the second coming of CA-Jesus and gives away certs for free and relies on predatory charges (pay high fees when you're in trouble) is.
They're a reseller, if you took the 20sec it took you to make asinine replies to actually look you would see that they sell Comodo, Thwate, and Verisign certs. But thank you for your useful commentary.
What was asinine about my comment? I knew cheapsslsecurity was a reseller and I specifically said "from a CA" in my initial comment and then again in my first reply to you. I said from a CA because I was thinking about Comodo and their RAs history of awesomeness.
What is the significance of the fact that they also resell other companies certificates?
I think people should clam down and think thoroughly.
I don't know the actual math on the cost for a CA to revoke and re-issue a new certificate. But what if someone finds another critical vulnerability? Do we go back and ask to revoke our certificate again? Free of charge?
Is it necessary to call StartCom evil? Is that even fair?
If you are serving real user data, please get a paid certificate yourself. Why? Because you have slightly better control of your certificate. If you are just running demo or running personal blog then get one from places like gandi.net (1 year at $16.00)
edit: someone mention ssls.com and namecheap.com (resellers) offer cheap Comondo PositiveSSL at less than $10 per year.
@EDIT: Sorry, that was me. I've misclicked the wrong button - meant to upvote, and there seems to be no way to undo. Nonetheless, I disagree.
> Do we go back and ask to revoke our certificate again? Free of charge?
That's right, ask to revoke. In current system, considering the position CAs' are in, trust is primarily their problem. If CA's not revoking the certificate that's compromised, it's CA who's to blame, not server administrators. Not sure about server admins who don't want to pay, but end users (those who see the false green padlock) have full moral right to call such CA "evil".
Thank you. I think people should try to explain their downvote whenever possible so that I can have a decent discussion as my argument isn't always "correct".
Like I said I don't know the cost to revoke certificate as a CA. One possible defense for StartCom is that they are worried about facing the same bill as the next critical vulnerability emerge. Someone said in some other threads that StartCom has this fee from ancient time. If that's true, this is just another "fine print" issue.
> but end users (those who see the false green padlock) have full moral right to call such CA "evil".
I agree. Though the question remains: should the CA take the blame of the flaw of a library every time given CA is not a charity, but a business?
Heartbleed is a big deal, and there's not a single entity that can bear the burden alone. We've all got to do our parts to revoke the millions of bad certificates, and we've go to be pretty quick about it.
I'm a StartCom customer, and I'm going to suck it up and pay to revoke all of my certificates, including several class 2s and an EV. I'm going to do it because it's better for the PKI than if I don't.
Now, StartCom, It would be nice if you'd help us out, too. This is a mess. Maybe we can get a bit of a break. Maybe you can revoke all of my certs for $25. Or maybe it can be $5 or $10 a piece. We want to put you out of business, but come on, we all know signing certs is tantamount to printing money. If the trust model falls apart, you're out anyway, so how about playing an active role in sorting this out?
Very few people will actually have lost privkeys. Patching your server is a much more important countermeasure than revocation. Certificate revocation in practice works nowhere nearly as well as it does on paper; in fact, it comes dangerously close to not working at all. Read Adam Langley's (jaundiced) take on OCSP for more details.
Long story short: certificate revocation is probably not a big enough deal for Start to somehow be required to rewrite the terms you agreed to when you acquired your certs from them.
Yup. So soft-fail revocation checks are like a seat-belt that snaps when you crash. Even though it works 99% of the time, it's worthless because it only works when you don't need it.
59 comments
[ 3.1 ms ] story [ 148 ms ] threadTrue, but my guess is that StartCom doing free revocations / reissues would only make a tiny dent in that situation.
http://news.netcraft.com/archives/2014/04/11/heartbleed-cert...
(Certificate revocation simply doesn't work regardless, but let's stipulate here that it does).
That assumes that all their clients were paying attention. That is almost certainly not the case. It is arguable where the responsibility lies in a case like this, but there is a case to be made that Start carries at least some of the responsibility for having created an environment where such a critical item was so easy to miss.
I am not saying that Start is in fact the villain it is being made out to be, only that the "you get what you pay for" argument should not be the last word.
I also find the notion that people would have gone elsewhere for their certificates had they only known Start's were irrevocable a bit dubious. More than a bit; "laughable" is perhaps a better word. From out here on the limb I'm standing on, I'll suggest that you probably (and quietly) agree.
> I'll suggest that you probably (and quietly) agree.
I agree with most of the literal text of what you have written, but you still continue to ignore the salient fact that this is an unprecedented situation. The continued existence of large numbers of potentially compromised certificates undermines the entirety of X.509 because you can no longer trust the green padlock. The more un-revoked certificates exist in the wild, the less you can trust the entirety of X.509.
Under normal circumstances this wouldn't matter because the number of certificates that get compromised in the normal course of events is small, so the risk of encountering a compromised but un-revoked certificate is small. But in the current situation that is not the case. Vast numbers of private keys are potentially compromised with no way to know, and until something is done about that, the entirety of x.509 is undermined. Cert revocation is far from an ideal solution, but it's better than nothing. At least it offers the possibility of rejecting potentially compromised certs.
In the face of this unprecedented situation, Start's refusal to make any kind of contribution towards mitigation cannot be defended simply by saying that their users should have read the TOS more carefully because those users are not the ones who are being hurt. Everyone who relies on x.509 is being hurt (hence, externality). Start is in a position to make a major contribution towards the mitigation of this problem and the restoration of trust in x.509, and they are refusing to do so. They are entirely within their rights. But it is also not unreasonable to criticize them for choosing not to contribute to the common good.
The Start deal is obvious: you can have an SSL certificate for free now, but that certificate is inappropriate for (for lack of a better term) "serious business" (actually, any business, as stated in their terms, but I digress). The idea behind the offering is that once you realize you actually get value out of the thing they gave you, you'll convert to a paying customer.
Revocation is, as is clearly stated, one of the points in their customer acquisition process at which window-shopping free SSL cert users convert to paying users.
This isn't a complicated analysis. It is the idea behind the offering. People revoking their certificates are demonstrating that they value them. Like most people who value their certs already did, they should simply pay for the new certificate. Failing that, they can (a) accept the minimal risk that their keys were compromised, or (b) change hostnames, kill the old hostname, and start up with a new certificate.
What's at stake here isn't the fate of the Internet. It's the convenience of "customers" who have a revealed $0 preference for security.
I'm guessing that neither of us like the CA cartel, but we deal with the world as it presents itself to us, not as we wish it to be. Support TACK! It's a step in the direction of less dependences on for-profit central authorities.
Yep.
My own personal blog (not very critical) has a Class 2 certificate, and I decided to switch to a Comodo PositiveSSL ($5/year for 5 years) and not revoke the StartSSL one.
I mean, damn people who use a free thing that then get screwed, through no fault of their own, not wanting to be charged $25 for a part of the service that they would never need to use otherwise.
You're either free, or you're not -- StartSSL is a mish-mash of "free" and opportunistic costs.
EDIT:
Are resellers like them more trustworthy? I understand that big CA often sells out to smaller CA and smaller CA sell out to even smaller CA. But how trustworthy are ssls.com and namecheap?
EDIT
Okay. I see. namecheap has been running since 2001 which means it has been doing business pretty well :) So why are they cheaper? Because namecheap are the one managing all the accounts and Comondo is only doing validation?
To answer your question, suppose I think my key has been compromised. Then I don’t want to continue using that key because non-MITM’ed communication between my server and the client is compromised. So I generate a new key, and I’d like a a new certificate for that new key—the old one won’t work (Apple Secure Transport bug notwithstanding). My users are still vulnerable to a MITM attack, yes.
--edit: assuming that the user’s connection uses a non-PFS cipher suite.
From a POV of fairness to StartCom, I agree with you, and initially saw it as a ridiculous sense of entitlement on the part of their (non-paying) customers. However as a third party user of the web I am somewhat persuaded by the simple argument that the certs should be distrusted on the basis that they are no longer trustworthy.
Edit: Having thought about it for a minute, a logical consequence of my argument is that all certificates signed by CAs that charge a revocation or reissue fee should be distrusted, which probably makes it not a very reasonable argument. I guess this just leaves us at "Valid SSL certificates are not necessarily trustworthy and we just have to live with that".
Edit2: http://news.netcraft.com/archives/2014/04/11/heartbleed-cert...
It is the same reason we have mandatory recycling provisions. Just because your shit is free doesn't mean we have to sit by and watch you pollute the world.
StartSSL can make free certificates because the entire system is automated (until you require Level 2 certificates) so the cost of operation is very low.
My guess is that the revocation is not entirely automated. There might also be reasons other than technical why it's not the case. In any case, if they explained the reasons it would put some perspective on their point of view and help people understand.
Due to $0 price of certificate I guess many had considered it would be a good idea to have a certificate per service, i.e. a separate one for HTTPS, email, XMPP and so on. I did. The overall thought was that if one service would be compromised, others would likely remain safe - but Heartbleed had completely changed the story.
In my case if I'd revoke all the certificate it would be about $600. Call me names if you want to, but I'm not going to shell out that much. Guess, many others would think the same.
I've updated OpenSSL but if any certs were compromised, they would stay so until they would naturally expire.
I'd much rather that people used self-signed certs (and browsers had certificate pinning) by default, and could then step up to real CA certificates. Self-signed certs provide almost the same amount of trust that StartCom does.
No. AFAIR they use HTML5 <keygen> tag to generate key pair.
For server certificates, unless you supply the CSR by yourself by skipping a step (IIRC, you're softly encouraged to do so), they generate the key server-side and send it to you back. They even have a FAQ entries (##43,44, although their site is down ATM, so Google for a cached copy) about that.
What CA in mozilla/chromium comes closest to StartSSL's $0.00 or $25.00 certificate? That question is not rehetorical, I am genuinely curious what is the second cheapest option for a signed certificate (from a CA trusted by default in mozilla/chromium).
$16 per year.
edit
Someone said reseller namecheap and ssls are way cheaper and have the same trust as any CA.
https://bugzilla.mozilla.org/show_bug.cgi?id=470897
https://bugzilla.mozilla.org/show_bug.cgi?id=526560
https://bugzilla.mozilla.org/show_bug.cgi?id=599856
For a CA that issues hundreds of thousands of certs, three instances of mistakes is not damning. Whereas a CA, like STartCom, that boldly proclaim to be the second coming of CA-Jesus and gives away certs for free and relies on predatory charges (pay high fees when you're in trouble) is.
Comodo Free 90-day Certificate: https://www.comodo.com/e-commerce/ssl-certificates/free-ssl-...
What is the significance of the fact that they also resell other companies certificates?
I think people should clam down and think thoroughly.
I don't know the actual math on the cost for a CA to revoke and re-issue a new certificate. But what if someone finds another critical vulnerability? Do we go back and ask to revoke our certificate again? Free of charge?
Is it necessary to call StartCom evil? Is that even fair?
If you are serving real user data, please get a paid certificate yourself. Why? Because you have slightly better control of your certificate. If you are just running demo or running personal blog then get one from places like gandi.net (1 year at $16.00)
edit: someone mention ssls.com and namecheap.com (resellers) offer cheap Comondo PositiveSSL at less than $10 per year.
If you are running open source project, consider https://www.globalsign.com/ssl/ssl-open-source/ and http://www.godaddy.com/ssl/ssl-open-source.aspx.
If you still can't afford one, I really don't know what to say to you at the moment.
> Do we go back and ask to revoke our certificate again? Free of charge?
That's right, ask to revoke. In current system, considering the position CAs' are in, trust is primarily their problem. If CA's not revoking the certificate that's compromised, it's CA who's to blame, not server administrators. Not sure about server admins who don't want to pay, but end users (those who see the false green padlock) have full moral right to call such CA "evil".
Like I said I don't know the cost to revoke certificate as a CA. One possible defense for StartCom is that they are worried about facing the same bill as the next critical vulnerability emerge. Someone said in some other threads that StartCom has this fee from ancient time. If that's true, this is just another "fine print" issue.
> but end users (those who see the false green padlock) have full moral right to call such CA "evil".
I agree. Though the question remains: should the CA take the blame of the flaw of a library every time given CA is not a charity, but a business?
I'm a StartCom customer, and I'm going to suck it up and pay to revoke all of my certificates, including several class 2s and an EV. I'm going to do it because it's better for the PKI than if I don't.
Now, StartCom, It would be nice if you'd help us out, too. This is a mess. Maybe we can get a bit of a break. Maybe you can revoke all of my certs for $25. Or maybe it can be $5 or $10 a piece. We want to put you out of business, but come on, we all know signing certs is tantamount to printing money. If the trust model falls apart, you're out anyway, so how about playing an active role in sorting this out?
Long story short: certificate revocation is probably not a big enough deal for Start to somehow be required to rewrite the terms you agreed to when you acquired your certs from them.