| author | Matěj Cepl <mcepl@cepl.eu> | 2016-09-07 10:19:19 +0200 |
|---|---|---|
| committer | Matěj Cepl <mcepl@cepl.eu> | 2016-09-07 10:19:19 +0200 |
| commit | 4191ffe4dd1c2d175b854b3f99e069b166ff4712 (patch) | |
| tree | 0c9c8c812c14f9032408aad98566c1bdc94d2451 /stop-startssl.rst | |
| parent | e785d0e1c09d2eca8bbf449efbb240653b24d8d3 (diff) | |
| download | blog-source-4191ffe4dd1c2d175b854b3f99e069b166ff4712.tar.gz | |
More posts
Diffstat (limited to 'stop-startssl.rst')
-rw-r--r-- | stop-startssl.rst | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/stop-startssl.rst b/stop-startssl.rst new file mode 100644 index 0000000..755843b --- /dev/null +++ b/stop-startssl.rst 
@@ -0,0 +1,46 @@ +StartSSL customers, it is time to leave. Now! +============================================= + +:date: 2016-09-07T09:17:50 +:category: computer +:tags: SSL + +While listening to the `Security Now`_ podcast, I have listened +first with amusement then with horror to Steve reading `email +from Mozilla`_ about the security problems with WoSign CA. + +Their list of woes is long, read the linked email for details, +but one thing turned up during the email which I was not aware +of: StartCom (owner of the StartSSL certificate authority) was +apparently recently bought by WoSign CA! Apparently one of the +security bugs StartSSL has (had?) was that with properly modified +POST request (yes, I guess you can do it in the Developer Tools +of your Firefox) you can get certificate linked to the root +ceritificate “CA 沃通根证书” (or “WoSign CA Free SSL +Certificate G2” with another value of the parameter). Awesome! + +What’s even more interesting is that I am a paying customer of +StartSSL CA and I have never been made aware of the change of +ownership. The only other mention of the possible change of +ownership I found was on the Wikipedia page_, which linked to the +blogpost_, which is now unavailable due to “legal review of the +site” […]. Even better! + +You know, the term “trusted third party” (which is another +term for CA) indicates that they are in business of selling +trust. I was willing to trust a happy Jewish hacker in Eliat, +Israel. But I am not willing to trust him anymore after doing +this change without letting me know, and even less I am willing +to trust mysterious Chinese corporation with disasterous security +track record. + +It is time to move. + +.. _`Security Now`: + https://twit.tv/shows/security-now/episodes/576 +.. _`email from Mozilla`: + https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/k9PBmyLCi8I/mKSMaz9eCgAJ +.. _page: + https://en.wikipedia.org/wiki/StartCom +.. _blogpost: + https://letsphish.org/?part=about |
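Review bot: three spellings in the post body need fixing before this goes live: "ceritificate" should be "certificate", "disasterous" should be "disastrous", and the Israeli city is spelled "Eilat", not "Eliat". On the substance, the paragraph describing the StartSSL bug says a "properly modified POST request" yields a certificate chained to a different root; since the post only attributes this to the linked Mozilla email, consider saying so explicitly in that sentence ("according to the Mozilla report") rather than stating it as the author's own finding, so readers can tell which claims are first-hand. Finally, the reST targets `.. _page:` and `.. _blogpost:` are very generic names; in a multi-post source tree they are easy to collide with, so more specific target names (for example `startcom-wikipedia` and `letsphish-blogpost`) would be safer for future edits.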