StartSSL Suspends Services After Security Breach
An anonymous reader writes "StartSSL has suspended issuance of digital certificates and related services following a security breach on 15 June. A trademark of Eddy Nigg's StartCom, the StartSSL certificate authority is well known for offering free domain validated SSL certificates, but also sells organisation and extended validation certificates."
Mainstream SSL certificate issuers are hard enough to trust; ones too tight to even check the requester's identity properly doubly so.
Not sure whether to blame the issuers for not really caring as long as they get their overpayment, browser manufacturers for their root acceptance policy, or customers for not caring as long as the little lock icon is there.
The Register story from a couple of days ago is the only site so far with any real info. StartSSL is still down and no info has been provided on when they will start back up. Their OpenID service is not functioning either.
http://www.theregister.co.uk/2011/06/21/startssl_security_breach/
Before the FUD starts flying, here's the message on the StartSSL page.
Due to an attack on our systems and a security breach that occurred on the 15th of June, issuance of digital certificates and related services has been temporarily suspended as a defensive measure. Our services will be gradually reinstated as the situation allows.
Subscribers and holders of valid certificates are not affected in any form.
Visitors to web sites and other parties relying on valid certificates are not affected.
We apologize for the temporary inconvenience and thank you for your understanding.
I've used their services for years now. Never had a problem, though their web application is truly awful - I've always wondered how fragile it might be. Hope they can pick themselves up and get back to business.
Say a hobbyist wants to run a blog, forum, or wiki, but doesn't want users' passwords and sessions to get snooped with tools such as Firesheep. Can anyone recommend a good CA for hobbyist web site administrators?
darn, just used up all my mod points.
I noticed this a few days ago when I was trying to generate some new certs. I also noticed there was almost no news coverage on it. At least nothing bad happened.
It's not what it is, it's something else.
I personally was impressed with StartSSL. They weren't necessarily the most user-friendly Certificate Authority, but Eddy Nigg was always prompt with helping out. It always felt more personal than going with the overpriced mainstream Certificate Authorities for an SSL who outsourced all their customer service overseas (if they even had customer service other than a FAQ).
However, I guess the big question of the day would be whether or not previously issued StartSSLs will be revoked and have to be reissued in light of this security breach.
I created a certificate through them a while back, for testing something; I forget what. I had forgotten about them until I got an email on the 16th:
This mail is intended for the person who owns a digital certificate issued by the StartSSL™ Certification Authority (http://www.startssl.com/).
The client certificate for _______@gmail.com and serial number XXXXX (YYYYY) is about to expire within the next two weeks. Please log into the StartSSL Control Panel at https://www.startssl.com/?app=12 and get a new certificate for this purpose. Failing to update your client certificate might result in the loss of your account.
Should you have lost the client certificate which was previously issued to you, please register once again - login without the client certificate installed into your browser will not work in that case.
-- Best Regards StartCom Ltd. StartSSL™ Certification Authority
Not sure offhand whether my certificate is legitimately expiring (don't recall the details on it; it was for a one-shot test of something), or whether this is some sort of phishing attempt. The email was sent on 16 Jun at 5:34pm - after startssl went down.
Their new name is now, StopSSL. *puts on shades*
Unencumbered by the thought process.
I submitted a story about this about a week ago: http://slashdot.org/submission/1653760/Free-Certificate-Authority-StartCom-Taken-Offline and speculated on whether or not this was due to a security breach.
I am a bit disappointed in StartCom, considering they probably knew about this for a while and failed to tell anyone the moment it became apparent.
I am fearful about what, if any, customer data was compromised. When you submit info for validation, you have to submit scans of your ID -- a driver's license, passport etc -- as well as other personal information. If the crackers got a hold of that info, there could be a bastion of fraud being perpetrated without anyone realizing it until it is too late.
Many bank accounts these days can be opened over the Internet simply with a scan of a photo ID and filling out a form. One can apply for loans using the same information without ever setting foot inside a bank. This is a bigger threat, IMO, than fraudulent certs being issued; this can be revoked and patched in a matter of days. Identity theft is never so easy to fix.
A new company called SmartSSL has suddenly started selling certificates and claims to be the world's most secure vendor. ;-)
Click on the fucking .pem file.
I have IE 8, Firefox 5, and Opera 10.something on this Windows XP machine. None of them appears to have any file whose name ends in ".pem". All the .pem files on this PC's hard drive are in copies of Python (the one in Blender, the one in OpenOffice.org, and a stand-alone installation of Python).
AffirmTrust apparently does this now
Your verb tense confuses me. The web site claims that it's not yet available: "We are launching soon and will notify you when AffirmSecure SSL is available. Just fill out our form below and we will send you an email on the day we launch. We look forward to providing you with free ssl certificates very soon!" Nor does it even give an ETA.
So how would a hobbyist who has chosen CAcert convince his web site's users to convince their PC administrators or Internet appliance manufacturers to install this root certificate?
Okay, this is tacky.
I woke up with a sick headache this morning, took some Ibuprofen, and have been way, way out of sorts. Not in a good mood all day.
This is the first thing that I laughed at.
Thanks, Mr. Immature "Troll"
SSL provides two services: verifiability, and confidentiality. Not having the CA's certificate installed only prevents the verifiability part of this.
There are SSL MITMs in the wild. The one publicized by Bugzilla involved a wireless access point that routed all HTTPS requests through a proxy. Web browsers are right to show scary warnings when the verifiability service fails because people could be giving their passwords to such a MITM.
You only need to verify once.
Once on each device (computer or Internet appliance) that you use. (I've never seen anyone carry around a repository of sites' self-signed certificates on a USB flash drive or microSD card.) And if one of those devices is behind a MITM proxy the first time you add the site's certificate on a given device, you're fastened with a screw.
If you are repeatedly asked on every visit, this is something you should report as a bug in said browser.
If by "report as a bug" you mean file a feature request to let people store their repositories of self-signed certificates in the "cloud", such a feature request would probably linger unfixed for years. And even if it were fixed in one browser, there's probably no chance that IE, Firefox, Chrome, Android Browser, Safari for Mac and PC, Mobile Safari, and Opera would all adopt the same scheme. One might use ASCII files (pem/der), one might use binary files (pfx), one might not publicly specify the protocol by which it communicates with the online keystore server, etc.
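As an added illustration of the "verify once per device" model argued over in this sub-thread (this is not code from the original page, from StartSSL or from any browser), here is a minimal trust-on-first-use fingerprint store; the hostname and the certificate bytes are constructed placeholders, and the last function plays out the case where the first visit from a device already goes through a MITM proxy.

```python
import hashlib
from typing import Dict, Tuple

# Per-device trust-on-first-use store: "host:port" -> SHA-256 fingerprint of
# the DER-encoded certificate. A browser keeps this per profile, which is why a
# self-signed certificate has to be accepted once on every device you use.
TofuStore = Dict[str, str]

# Constructed placeholders standing in for DER certificate bytes (not real certs).
SITE_CERT = b"constructed-der-placeholder: blog.example self-signed cert"
PROXY_CERT = b"constructed-der-placeholder: cert minted by a MITM proxy"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated hex pairs."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_cert(store: TofuStore, host: str, port: int, der_cert: bytes) -> Tuple[str, str]:
    """Return (verdict, fingerprint).

    'first-use': nothing pinned yet, so the fingerprint is recorded (this is
                 the one moment an attacker in the path can poison the store);
    'match':     same certificate as last time, connection may proceed;
    'mismatch':  certificate changed, which is what a MITM looks like after
                 a good pin; the caller should refuse and warn, not re-pin.
    """
    key = f"{host}:{port}"
    fp = fingerprint(der_cert)
    pinned = store.get(key)
    if pinned is None:
        store[key] = fp
        return "first-use", fp
    if pinned == fp:
        return "match", fp
    return "mismatch", fp


def poisoned_first_use_demo() -> Tuple[str, str]:
    """A device whose first visit is proxied pins the proxy's cert; the real
    site is then the one that triggers the warning."""
    device_store: TofuStore = {}
    first, _ = check_cert(device_store, "blog.example", 443, PROXY_CERT)
    later, _ = check_cert(device_store, "blog.example", 443, SITE_CERT)
    return first, later  # ("first-use", "mismatch")


if __name__ == "__main__":
    store: TofuStore = {}
    for cert in (SITE_CERT, SITE_CERT, PROXY_CERT):
        print(check_cert(store, "blog.example", 443, cert))
    print("poisoned device:", poisoned_first_use_demo())
```

A fingerprint mismatch only tells you that something changed; whether that is a legitimate key rollover or an interposed proxy is exactly the question a CA signature is meant to settle without the user having to judge.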
Whatever may or may not have happened, StartSSL seems to be back in operation. I'm relieved, since I need to renew my Class 2 validation as well as some certs.