StartSSL customers, it is time to leave. Now!
=============================================

:date: 2016-09-07T09:17:50
:category: computer
:tags: SSL

While listening to the `Security Now`_ podcast, I heard, first with amusement and then with horror, Steve reading the `email from Mozilla`_ about the security problems with the WoSign CA. Their list of woes is long (read the linked email for details), but one thing turned up in the email that I was not aware of: StartCom (owner of the StartSSL certificate authority) was apparently recently bought by WoSign CA!

Apparently one of the security bugs StartSSL has (had?) was that with a properly modified POST request (yes, I guess you can do it in the Developer Tools of your Firefox) you could get a certificate linked to the root certificate “CA 沃通根证书” (or “WoSign CA Free SSL Certificate G2” with another value of the parameter). Awesome!

What’s even more interesting is that I am a paying customer of the StartSSL CA and I have never been made aware of the change of ownership. The only other mention of the possible change of ownership I found was on the Wikipedia page_, which linked to the blogpost_, which is now unavailable due to “legal review of the site” […]. Even better!

You know, the term “trusted third party” (which is another term for a CA) indicates that they are in the business of selling trust. I was willing to trust a happy Jewish hacker in Eilat, Israel. But I am not willing to trust him anymore after he made this change without letting me know, and even less am I willing to trust a mysterious Chinese corporation with a disastrous security track record.

It is time to move.

.. _`Security Now`: https://twit.tv/shows/security-now/episodes/576
.. _`email from Mozilla`: https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/k9PBmyLCi8I/mKSMaz9eCgAJ
.. _page: https://en.wikipedia.org/wiki/StartCom
.. _blogpost: https://letsphish.org/?part=about