StartCom customers received word that the company would close down as a certification authority due to the protective action browser manufacturers took against it, over a year ago. The news of the company closing down had been published November 16th on their website, but went unnoticed until now.
StartCom has played a critical role as a Certification Authority in data security and electronic commerce by providing an independent "trusted third party" guarantee all these years.
Around a year ago the majority of the browser makers decided to distrust StartCom, remove the StartCom root certificates from their root stores and not accept newly end entity certificates issued by StartCom.
Despite the efforts made during this time by StartCom, up to now, there has not been any clear indication from the browsers that StartCom would be able to regain the trust. Therefore, the owners of StartCom have decided to terminate StartCom as a Certification Authority (CA).
From January 1st, 2018, StartCom will not issue any new end entity certificate and will only provide validation services through its OCSP and CRL services for two years from January 1st, 2018. Starting 2020, all remaining valid certificates will be revoked.
StartCom wants to thank all of our customers and partners during these years for their support.
Disclaimer: Early on, SoylentNews used StartCom certs.
Related Stories
Last August, after being alerted by GitHub's security team that the certificate authority WoSign had errantly issued a certificate for a GitHub domain to someone other than GitHub, Google began an investigation in collaboration with the Mozilla Foundation and a group of security professionals into the company's certificate issuance practices. The investigation uncovered a pattern of bad practices at WoSign and its subsidiary StartCom dating back to the spring of 2015. As a result, Google moved last October to begin distrusting new certificates issued by the two companies, stating "Google has determined that two CAs, WoSign and StartCom, have not maintained the high standards expected of CAs and will no longer be trusted by Google Chrome."
WoSign (based in Shenzen, China) and StartCom (based in Eliat, Israel) are among the few low-cost certificate providers who've offered wildcard certificates. StartCom's StartSSL offers free Class 1 certificates, and $60-per-year wildcard certificates—allowing the use of a single certificate on multiple subdomains with a single confirmation. This made the service wildly popular. But bugs in WoSign's software allowed a number of misregistrations of certificates. One bug allowed someone with control of a subdomain to claim control of the whole root domain for certificates. The investigation also found that WoSign was backdating the SSL certificates it issued to get around the deadline set for certificate authorities to stop issuing SHA-1 SSL certificates by January 1, 2016. WoSign continued to issue the less secure SHA-1 SSL certificates well into 2016.
Source: Google drops the boom on WoSign, StartCom certs for good
Previously:
Heads Roll as Qihoo 360 Moves to End Wosign, Startcom Certificate Row
Game Over for WoSign and StartCom Certificate Authorities?
(Score: 4, Informative) by FatPhil on Thursday December 07 2017, @03:52PM (5 children)
Did we learn nothing from Honest Achmed? (https://bugzilla.mozilla.org/show_bug.cgi?id=647959 still bloody funny all these years later.)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Thursday December 07 2017, @03:59PM
What about those CAs that have fucked up in the past, and still enjoy being built in, like Commodo?
Makes me wonder how much cash does flow to the browser oligarchs to make amends.
(Score: 0) by Anonymous Coward on Thursday December 07 2017, @05:18PM (2 children)
What browser do you use? I'd certainly expect that CAs I disabled remain disabled, but I admittedly never checked.
(Score: 2) by FatPhil on Thursday December 07 2017, @09:41PM (1 child)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Thursday December 07 2017, @10:29PM
Yes, but you didn't read the small print. It said "Delete or distrust, for built-in tokens all trust is removed which is basically the same thing as removal."
You can verify this with the Edit trust... button.
(Score: 2) by takyon on Thursday December 07 2017, @07:46PM
Check out that buzzkill from 3 years ago.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by JoeMerchant on Thursday December 07 2017, @04:06PM (3 children)
In a nutshell, what did they do to get un-trusted?
🌻🌻 [google.com]
(Score: 5, Informative) by Pino P on Thursday December 07 2017, @04:19PM (2 children)
WoSign is distrusted because it backdated certificates [mozilla.org] to evade the SHA-1 sunset.
StartCom is distrusted because WoSign bought the company [mozilla.org] and nobody told the browser publishers in a timely manner.
(Score: 2) by JoeMerchant on Thursday December 07 2017, @04:56PM (1 child)
Fair enough... I know backdating goes on in industry, I just don't know why (yes, you _might_ evade some scrutiny - or in this case continue some functionality without having to do the updating work - in the short term, but if the backdating is _ever_ discovered the resulting increased scrutiny would seem to be a severe deterrent.) I suppose it continues to happen because people are still getting away with it.
🌻🌻 [google.com]
(Score: 1, Informative) by Anonymous Coward on Thursday December 07 2017, @06:07PM
It means you have assholes making decisions instead of security people, big no-no IMO.
(Score: 2, Informative) by Anonymous Coward on Thursday December 07 2017, @06:14PM
startcom was fine (if you didn't mind getting your certs from israeli intelligence) until wosign bought them. don't let the door hit you in the ass and thanks for the free certs before let's encrypt came along.
(Score: 4, Interesting) by NotSanguine on Thursday December 07 2017, @07:33PM
I'd already moved most of my certs to Let's Encrypt, but one site which is currently inactive (and has been for three years) was still configured with a Startcom cert.
Given the nature of the site, it was never a big deal, as no financial or other PII was ever stored or transmitted. Encryption was the only real benefit. Since the cert was pretty old, I'd have needed to create a new one in a couple of years with SHA-512 anyway. So no great loss.
However, it's sad that those who were supposed to be helping to improve security were actively involved in degrading it.
No, no, you're not thinking; you're just being logical. --Niels Bohr