StartCom customers received word that the company would close down as a certification authority, a consequence of the protective action browser makers took against it over a year ago. The notice had been published on StartCom's website on November 16th but went unnoticed until now.
StartCom has played a critical role as a Certification Authority in data security and electronic commerce by providing an independent "trusted third party" guarantee all these years.
Around a year ago, the majority of the browser makers decided to distrust StartCom, remove the StartCom root certificates from their root stores and not accept newly issued end entity certificates from StartCom.
Despite the efforts made during this time by StartCom, up to now, there has not been any clear indication from the browsers that StartCom would be able to regain the trust. Therefore, the owners of StartCom have decided to terminate StartCom as a Certification Authority (CA).
From January 1st, 2018, StartCom will not issue any new end entity certificate and will only provide validation services through its OCSP and CRL services for two years from January 1st, 2018. Starting 2020, all remaining valid certificates will be revoked.
StartCom wants to thank all of our customers and partners during these years for their support.
Disclaimer: Early on, SoylentNews used StartCom certs.
What about those CAs that have fucked up in the past, and still enjoy being built in, like Comodo? Makes me wonder how much cash does flow to the browser oligarchs to make amends.
What about all those other CA authorities (and thereby the other certificates they have signed) that my browser comes with and obliges me to trust (I can't disable them, they're built in; when I delete them, they reappear)?
What browser do you use? I'd certainly expect that CAs I disabled remain disabled, but I admittedly never checked.
Yes, but you didn't read the small print. It said "Delete or distrust, for built-in tokens all trust is removed which is basically the same thing as removal."
You can verify this with the Edit trust... button.
Check out that buzzkill from 3 years ago.
In a nutshell, what did they do to get un-trusted?
WoSign is distrusted because it backdated certificates [mozilla.org] to evade the SHA-1 sunset.
StartCom is distrusted because WoSign bought the company [mozilla.org] and nobody told the browser publishers in a timely manner.
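The backdating point deserves a concrete illustration. The check below is an added example, not code from the thread, from StartCom or from WoSign: it walks a DER X.509 certificate far enough to read the signature algorithm OID and the notBefore date, then applies two policies. The first is date-gated (reject SHA-1 only when notBefore is on or after the sunset), which is exactly the kind of rule a backdated notBefore slips past; the second keys on the algorithm alone, which is what browsers ultimately enforced. It assumes the CA/Browser Forum Baseline Requirements sunset date of 2016-01-01 for SHA-1 issuance; the signature-algorithm OIDs are the real ones. The sample certificates are constructed in the code with dummy names and keys and carry no valid signature, so the parser has realistic structure to walk offline; a real certificate can be passed in as DER bytes read from a file.

```python
"""Added example (not from the thread or from StartCom/WoSign): read a DER
certificate's signature algorithm and notBefore and apply two SHA-1 policies."""
import datetime as dt

# Real signature-algorithm OIDs that are built on SHA-1.
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsaWithSHA1",
}
SHA256_RSA_OID = "1.2.840.113549.1.1.11"
# Assumed policy date: CA/Browser Forum BRs forbade SHA-1 issuance from here on.
SHA1_SUNSET = dt.datetime(2016, 1, 1, tzinfo=dt.timezone.utc)

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                     # base-128 arcs, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _decode_time(tag, value):
    text = value.decode("ascii")
    if tag == 0x17:                         # UTCTime: YYMMDDHHMMSSZ (RFC 5280 pivot at 50)
        yy = int(text[:2])
        text = str(yy + (1900 if yy >= 50 else 2000)) + text[2:]
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def inspect_certificate(der):
    """Extract the signature algorithm OID and notBefore from a DER certificate."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate SEQUENCE
    tag, _, nxt = _read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0         # skip optional [0] EXPLICIT version
    _, _, pos = _read_tlv(tbs, pos)         # serialNumber INTEGER
    _, sigalg, pos = _read_tlv(tbs, pos)    # signature AlgorithmIdentifier
    _, oid, _ = _read_tlv(sigalg, 0)
    _, _, pos = _read_tlv(tbs, pos)         # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)    # validity SEQUENCE
    tag, not_before, _ = _read_tlv(validity, 0)
    return {"sig_oid": _decode_oid(oid), "not_before": _decode_time(tag, not_before)}

def passes_date_gated_rule(der):
    """The rule backdating evades: SHA-1 fails only if notBefore is past the sunset."""
    info = inspect_certificate(der)
    return not (info["sig_oid"] in SHA1_SIG_OIDS and info["not_before"] >= SHA1_SUNSET)

def passes_algorithm_rule(der):
    """Date-independent rule: any SHA-1 signature fails, whatever notBefore claims."""
    return inspect_certificate(der)["sig_oid"] not in SHA1_SIG_OIDS

# --- Constructed sample certificates (dummy names/keys, no valid signature) ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(chunk)
    return out

def build_sample_cert(sig_oid, not_before):
    """Minimal DER Certificate skeleton so the parser has realistic input to walk."""
    algid = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, not_before.strftime("%y%m%d%H%M%SZ").encode())
                    + _tlv(0x17, b"301231235959Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + algid
               + _tlv(0x30, b"") + validity + _tlv(0x30, b"") + _tlv(0x30, b""))
    return _tlv(0x30, tbs + algid + _tlv(0x03, b"\x00"))

BACKDATED_SHA1 = build_sample_cert("1.2.840.113549.1.1.5", dt.datetime(2015, 12, 15))
HONEST_SHA1 = build_sample_cert("1.2.840.113549.1.1.5", dt.datetime(2016, 3, 1))
SHA256_CERT = build_sample_cert(SHA256_RSA_OID, dt.datetime(2016, 3, 1))
```

The constructed `BACKDATED_SHA1` passes the date-gated rule and fails the algorithm-only rule, which is the whole lesson: notBefore is written by the issuer, so any policy that trusts it can be evaded by the party it is meant to constrain. A relying party that wants SHA-1 gone has to reject the algorithm outright, and the issuance date has to be checked against evidence the CA does not control, such as log timestamps.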
Fair enough... I know backdating goes on in industry, I just don't know why (yes, you _might_ evade some scrutiny - or in this case continue some functionality without having to do the updating work - in the short term, but if the backdating is _ever_ discovered the resulting increased scrutiny would seem to be a severe deterrent.) I suppose it continues to happen because people are still getting away with it.
I know backdating goes on in industry, I just don't know why
It means you have assholes making decisions instead of security people, big no-no IMO.
StartCom was fine (if you didn't mind getting your certs from Israeli intelligence) until WoSign bought them. Don't let the door hit you in the ass, and thanks for the free certs before Let's Encrypt came along.
I'd already moved most of my certs to Let's Encrypt, but one site which is currently inactive (and has been for three years) was still configured with a StartCom cert.
Given the nature of the site, it was never a big deal, as no financial or other PII was ever stored or transmitted. Encryption was the only real benefit. Since the cert was pretty old, I'd have needed to create a new one in a couple of years with SHA-512 anyway. So no great loss.
However, it's sad that those who were supposed to be helping to improve security were actively involved in degrading it.