posted by martyb on Thursday December 07 2017, @03:01PM
from the clear-warning-to-other-CAs dept.

StartCom customers have received word that the company is shutting down as a certification authority, a consequence of the browser makers' decision to distrust it over a year ago. The closure notice was published on StartCom's website on November 16th but went unnoticed until now.

StartCom has played a critical role as a Certification Authority in data security and electronic commerce by providing an independent "trusted third party" guarantee all these years.
Around a year ago the majority of the browser makers decided to distrust StartCom, remove the StartCom root certificates from their root stores and not accept new end-entity certificates issued by StartCom.
Despite the efforts made during this time by StartCom, up to now, there has not been any clear indication from the browsers that StartCom would be able to regain the trust. Therefore, the owners of StartCom have decided to terminate StartCom as a Certification Authority (CA).
From January 1st, 2018, StartCom will not issue any new end entity certificate and will only provide validation services through its OCSP and CRL services for two years from January 1st, 2018. Starting 2020, all remaining valid certificates will be revoked.
StartCom wants to thank all of our customers and partners during these years for their support.

Disclaimer: Early on, SoylentNews used StartCom certs.



Related Stories

Google Drops the Boom on WoSign, StartCom Certs for Good

Last August, after being alerted by GitHub's security team that the certificate authority WoSign had errantly issued a certificate for a GitHub domain to someone other than GitHub, Google began an investigation in collaboration with the Mozilla Foundation and a group of security professionals into the company's certificate issuance practices. The investigation uncovered a pattern of bad practices at WoSign and its subsidiary StartCom dating back to the spring of 2015. As a result, Google moved last October to begin distrusting new certificates issued by the two companies, stating "Google has determined that two CAs, WoSign and StartCom, have not maintained the high standards expected of CAs and will no longer be trusted by Google Chrome."

WoSign (based in Shenzhen, China) and StartCom (based in Eilat, Israel) were among the few low-cost certificate providers that offered wildcard certificates. StartCom's StartSSL offered free Class 1 certificates and $60-per-year wildcard certificates, allowing a single certificate to cover multiple subdomains after a single domain confirmation. This made the service wildly popular. But bugs in WoSign's issuance software allowed a number of mis-issued certificates. One bug allowed someone who controlled only a subdomain to claim control of the whole parent domain and obtain certificates for it. The investigation also found that WoSign was backdating certificates to get around the January 1, 2016 deadline after which certificate authorities were no longer allowed to issue SHA-1 certificates. WoSign continued to issue the weaker SHA-1 certificates well into 2016.

Source: Google drops the boom on WoSign, StartCom certs for good
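The two dates in this story give a practitioner a concrete check to run over any certificate inventory: is the issuer StartCom or WoSign (already distrusted, and everything still valid is to be revoked in 2020), and is the signature SHA-1 (banned for new issuance from 2016-01-01, which is what the backdating tried to evade). The script below is an added example, not StartCom's or the page's own code, and uses only the Python standard library. It parses just enough DER to read the TBSCertificate fields it needs and does no signature or chain validation. The certificate it inspects is constructed inline with a tiny DER writer: dummy key and signature bytes, a hypothetical "Demo Intermediate CA" subject and an issuer organization that merely imitates StartCom's. It is not a real StartCom certificate, and the "Example Trust Services" name is likewise made up.

```python
from datetime import datetime, timezone

# Added example, not the page's or StartCom's own code (standard library only): triage a DER certificate by
# issuer, validity window and signing hash. The demo cert is constructed below with dummy key and signature
# bytes and an issuer name that only imitates StartCom's; it is not a real StartCom certificate.
def utc_day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

O, CN = "2.5.4.10", "2.5.4.3"                                   # X.520 organizationName, commonName
SIG_ALGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
STARTCOM_REVOCATION = utc_day(2020, 1, 1)   # "Starting 2020, all remaining valid certificates will be revoked"
SHA1_SUNSET = utc_day(2016, 1, 1)           # SHA-1 issuance cut-off cited in the article
DEMO_NOW = utc_day(2017, 12, 7)             # the article's date, so the demo is reproducible

def _read_tlv(buf, pos):
    """(tag, value, next_pos) for the DER TLV at buf[pos]; long-form lengths handled."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                           # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(body):                                            # (tag, value) pairs inside a SEQUENCE/SET
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out
def _oid(body):                                                 # OBJECT IDENTIFIER body -> dotted string
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))
def _time(tag, body):                                           # UTCTime (0x17) or GeneralizedTime (0x18), 'Z' form
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(body.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
def _name(body):                                                # SEQUENCE OF SET OF SEQUENCE {OID, value} -> {oid: text}
    out = {}
    for _, rdn in _children(body):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            out[_oid(oid)] = val.decode("utf-8", "replace")
    return out

def parse_cert(der):
    """Signature algorithm, issuer and validity of a DER certificate (structure only, no signature check)."""
    tbs = _children(_children(_read_tlv(der, 0)[1])[0][1])      # Certificate -> TBSCertificate children
    i = 1 if tbs[0][0] == 0xA0 else 0                           # optional [0] version, then serial, sigAlg, issuer, validity
    sig_oid = _oid(_children(tbs[i + 1][1])[0][1])
    (nb_tag, nb), (na_tag, na) = _children(tbs[i + 3][1])
    return {"sig_alg": SIG_ALGS.get(sig_oid, sig_oid), "issuer": _name(tbs[i + 2][1]),
            "not_before": _time(nb_tag, nb), "not_after": _time(na_tag, na)}

def triage(der, now=None):
    """Return (parsed fields, list of reasons this certificate should be replaced)."""
    now = now or datetime.now(timezone.utc)
    info, findings = parse_cert(der), []
    org = info["issuer"].get(O, "")
    if "startcom" in org.lower() or "wosign" in org.lower():
        findings.append("issuer %r is distrusted by the major browsers" % org)
        if info["not_after"] > STARTCOM_REVOCATION:
            findings.append("outlives StartCom's announced 2020 mass revocation")
    if info["sig_alg"] == "sha1WithRSAEncryption":
        findings.append("SHA-1 signature dated on or after the 2016-01-01 cut-off" if info["not_before"] >= SHA1_SUNSET
                        else "SHA-1 signature; a notBefore just before 2016-01-01 may be backdated, compare with CT logs")
    if info["not_after"] < now:
        findings.append("already expired")
    return info, findings

def _tlv(tag, body):                                            # DER writer, used only to build the demo certificate
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body
def _enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:                                          # base-128, continuation bit on all but the last byte
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        body += bytes(chunk)
    return _tlv(0x06, body)
def _enc_name(pairs):
    return _tlv(0x30, b"".join(_tlv(0x31, _tlv(0x30, _enc_oid(o) + _tlv(0x0C, t.encode()))) for o, t in pairs))

def build_demo_cert(issuer_org, sig_oid, not_before, not_after):
    """Constructed v3 certificate: real TBSCertificate layout, dummy public key and signature bytes."""
    enc_time = lambda dt: _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    alg = _tlv(0x30, _enc_oid(sig_oid) + b"\x05\x00")           # AlgorithmIdentifier with NULL parameters
    tbs = _tlv(0x30, _tlv(0xA0, b"\x02\x01\x02") + _tlv(0x02, b"\x01") + alg
               + _enc_name([(O, issuer_org), (CN, "Demo Intermediate CA")])
               + _tlv(0x30, enc_time(not_before) + enc_time(not_after))
               + _enc_name([(CN, "www.example.com")]) + _tlv(0x30, b""))   # empty SEQUENCE stands in for the SPKI
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00\xde\xad\xbe\xef"))     # fake signature BIT STRING

def demo():
    """Triage two constructed certificates as of the article's date; returns both finding lists."""
    startcom_like = build_demo_cert("StartCom Ltd.", "1.2.840.113549.1.1.5", utc_day(2015, 12, 30), utc_day(2020, 12, 30))
    other = build_demo_cert("Example Trust Services", "1.2.840.113549.1.1.11", utc_day(2017, 10, 1), utc_day(2018, 1, 1))
    return triage(startcom_like, DEMO_NOW)[1], triage(other, DEMO_NOW)[1]
```

`demo()` reports three findings for the StartCom-like certificate (distrusted issuer, outlives the 2020 revocation, SHA-1 with a notBefore two days before the cut-off) and none for the other. On real input, feed `triage()` the bytes of `openssl x509 -outform DER`; the issuer check on a leaf catches StartCom-issued certificates because StartCom's intermediates carried its organization name, and walking the rest of the chain the same way is a reasonable assumption for other CAs. The script reads structure only: it does not verify signatures, follow the chain to a root, or consult OCSP/CRL, and a UTCTime year is interpreted by `strptime`'s two-digit rule rather than RFC 5280's, which only matters for dates past 2049.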

Previously:
Heads Roll as Qihoo 360 Moves to End Wosign, Startcom Certificate Row
Game Over for WoSign and StartCom Certificate Authorities?



  • (Score: 4, Informative) by FatPhil (863) on Thursday December 07 2017, @03:52PM (#606836)
    What about all those other CA authorities (and therefore thereby signed other certificates) that my browser comes with that oblige me (I can't disable them, they're built in, when I delete them, they reappear) to trust? The tree of transitive (and if you think about it, in some ways it's symmetric too) absolute trust is so utterly fragile I'm aghast that it's still a thing.

    Did we learn nothing from Honest Achmed? (https://bugzilla.mozilla.org/show_bug.cgi?id=647959 still bloody funny all these years later.)
    --
    If vaccination works, then why doesn't eucharist protect kids against Christianity?
    • (Score: 0) by Anonymous Coward on Thursday December 07 2017, @03:59PM (#606839)

      What about those CAs that have fucked up in the past, and still enjoy being built in, like Comodo?
      Makes me wonder how much cash flows to the browser oligarchs to make amends.

    • (Score: 0) by Anonymous Coward on Thursday December 07 2017, @05:18PM (#606875)

      What about all those other CA authorities (and therefore thereby signed other certificates) that my browser comes with that oblige me (I can't disable them, they're built in, when I delete them, they reappear) to trust?

      What browser do you use? I'd certainly expect that CAs I disabled remain disabled, but I admittedly never checked.

      • (Score: 2) by FatPhil (863) on Thursday December 07 2017, @09:41PM (#607008)
        Firefox. Turktrust. Delete. Restart. Fuck.
        --
        If vaccination works, then why doesn't eucharist protect kids against Christianity?
          • (Score: 0) by Anonymous Coward on Thursday December 07 2017, @10:29PM (#607017)

          Yes, but you didn't read the small print. It said "Delete or distrust, for built-in tokens all trust is removed which is basically the same thing as removal."

          You can verify this with the Edit trust... button.

    • (Score: 2) by takyon (881) on Thursday December 07 2017, @07:46PM (#606964)

      Check out that buzzkill from 3 years ago.

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
  • (Score: 2) by JoeMerchant (3937) on Thursday December 07 2017, @04:06PM (#606841)

    In a nutshell, what did they do to get un-trusted?

    • (Score: 5, Informative) by Pino P (4721) on Thursday December 07 2017, @04:19PM (#606848)

      WoSign is distrusted because it backdated certificates [mozilla.org] to evade the SHA-1 sunset.

      StartCom is distrusted because WoSign bought the company [mozilla.org] and nobody told the browser publishers in a timely manner.

      • (Score: 2) by JoeMerchant (3937) on Thursday December 07 2017, @04:56PM (#606862)

        Fair enough... I know backdating goes on in industry, I just don't know why (yes, you _might_ evade some scrutiny - or in this case continue some functionality without having to do the updating work - in the short term, but if the backdating is _ever_ discovered the resulting increased scrutiny would seem to be a severe deterrent.) I suppose it continues to happen because people are still getting away with it.

        • (Score: 1, Informative) by Anonymous Coward on Thursday December 07 2017, @06:07PM (#606904)

          I know backdating goes on in industry, I just don't know why

          It means you have assholes making decisions instead of security people, big no-no IMO.

  • (Score: 2, Informative) by Anonymous Coward on Thursday December 07 2017, @06:14PM (#606912)

    StartCom was fine (if you didn't mind getting your certs from Israeli intelligence) until WoSign bought them. Don't let the door hit you in the ass, and thanks for the free certs before Let's Encrypt came along.

  • (Score: 4, Interesting) by NotSanguine (285) on Thursday December 07 2017, @07:33PM (#606957)

    I'd already moved most of my certs to Let's Encrypt, but one site which is currently inactive (and has been for three years) was still configured with a Startcom cert.

    Given the nature of the site, it was never a big deal, as no financial or other PII was ever stored or transmitted. Encryption was the only real benefit. Since the cert was pretty old, I'd have needed to create a new one in a couple of years with SHA-512 anyway. So no great loss.

    However, it's sad that those who were supposed to be helping to improve security were actively involved in degrading it.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr