StartSSL
StartSSL was a service from StartCom that provided entry-level SSL certificates at no cost. As of 2016-11-30, Mozilla, Google, and Apple have stopped trusting new certificates from WoSign and StartCom, and StartCom will cease operations at the end of 2017.[1] See #Criticism for more information.
Benefits
- Single-domain SSL certificates are free.
- You can create multiple certificates for individual subdomains, for example www.example.com and test.example.com.
- You can pay $59 to go through the "personal identity validation" process, at which point you get to do the following for the next 360 days:
  - Create as many wildcard certificates as you want for free (*.example.com), each valid for 2 years
  - Create multi-domain certificates (example.org, example.com)
Issues
- The user interface is very awkward.
- Authentication is done only via a browser client certificate, so make sure you back it up or you will lose access to your account.
- While single-domain SSL certificates are free, it costs $24.99 to revoke a certificate if you need to.
- You can only have one SSL certificate active per subdomain. There is a 2-week period before a certificate expires during which you can renew it. This means that if you lose the private key for a certificate, you cannot re-create a certificate for the same subdomain unless you pay to revoke the old one first.
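Because the renewal window is short and a lost private key cannot be recovered without a paid revocation, it is worth scripting the checks that catch these problems early. The following is an added example (not from the IndieWeb wiki or from StartCom) that uses only the OpenSSL command line: it reports whether a certificate is inside the 14-day renewal window, verifies that a private key still matches its certificate, and confirms that a PKCS#12 backup (the .p12/.pfx file a browser exports for a client certificate) actually contains both the key and the certificate. The file names and the self-signed demo certificate are constructed placeholders standing in for a StartSSL-issued certificate.

```shell
#!/bin/sh
# Added example, not part of the wiki page. Requires the openssl CLI.

# Exit 0 if CERT expires within DAYS days (default 14, the renewal window
# StartSSL gives you) or has already expired; exit 1 if it still has more time.
# `openssl x509 -checkend N` itself exits 0 when the cert will NOT expire
# within N seconds, so the result is negated.
in_renewal_window() {
    ! openssl x509 -in "$1" -noout -checkend $(( ${2:-14} * 86400 )) >/dev/null
}

# Exit 0 if the private key in KEYFILE is the one the certificate in CERT was
# issued for, by comparing the public key embedded in each.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 if the PKCS#12 file P12 opens with PASSWORD and holds both a private
# key and a certificate; a backup missing either one will not restore access.
backup_is_usable() {
    dump=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null) || return 1
    printf '%s\n' "$dump" | grep -q 'BEGIN.*PRIVATE KEY' || return 1
    printf '%s\n' "$dump" | grep -q 'BEGIN CERTIFICATE' || return 1
    return 0
}

# Constructed demo data: a self-signed cert for www.example.com valid DAYS days,
# written as OUTDIR/key.pem and OUTDIR/cert.pem.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=www.example.com' \
        -days "$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Walk-through: a certificate with 7 days left is inside the renewal window.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir" 7
if in_renewal_window "$demo_dir/cert.pem"; then
    echo "cert.pem is within the 14-day renewal window: renew it now"
fi
key_matches_cert "$demo_dir/cert.pem" "$demo_dir/key.pem" && echo "key matches cert"
openssl pkcs12 -export -in "$demo_dir/cert.pem" -inkey "$demo_dir/key.pem" \
    -out "$demo_dir/backup.p12" -passout pass:demo
backup_is_usable "$demo_dir/backup.p12" demo && echo "backup holds key and cert"
rm -rf "$demo_dir"
```

Run `in_renewal_window` from cron against each live certificate and alert on exit 0; run `backup_is_usable` against the exported client-certificate backup right after exporting it, while the original is still in the browser, so a bad export is caught while it can still be redone.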
Criticism
- https://pierrekim.github.io/blog/2016-02-16-why-i-stopped-using-startssl-because-of-qihoo-360.html "The PKI platform of StartSSL, an Israeli leader of free SSL certificates, is now hosted by Qihoo 360, a Chinese Antivirus Company." Qihoo 360 has a very bad reputation, so StartSSL may no longer be treated as trusted and secure.
- https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/preview Mozilla investigation into backdating of certificates; Mozilla may no longer trust newly-issued certificates in the near future:
  - Allegations of "... WoSign has been intentionally back-dating certificates to avoid blocks on SHA-1 issuance in browsers, having qualified audits and/or being caught violating the CAB Forum Baseline Requirements."
  - "Taking into account all the issues listed above, Mozilla's CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA. Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by either of these two CA brands."
- https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/E13eT13wMBQ
  - "It seems that WoSign has registered the domains letsencrypt.cn and letsencrypt.com.cn in 2014 after the public announcement of Let's Encrypt"
FAQ
I lost my client certificate, or my client certificate expired
If you lost your client certificate, or if you forgot to create a new one before it expired, you can still recover your account. Create a new account with the same email address, then email certmaster at startssl.com with the subject line "merge accounts", provide your email address, and ask that your accounts be merged.