StartSSL customers, it is time to leave. Now!
=============================================

:date: 2016-09-07T09:17:50
:category: computer
:tags: SSL

While listening to the `Security Now`_ podcast, I listened
first with amusement, then with horror, to Steve reading the `email
from Mozilla`_ about the security problems with WoSign CA.

Their list of woes is long, read the linked email for details,
but one thing turned up during the email which I was not aware
of: StartCom (owner of the StartSSL certificate authority) was
apparently recently bought by WoSign CA! Apparently one of the
security bugs StartSSL has (had?) was that with a properly modified
POST request (yes, I guess you can do it in the Developer Tools
of your Firefox) you can get a certificate linked to the root
certificate “CA 沃通根证书” (or “WoSign CA Free SSL
Certificate G2” with another value of the parameter). Awesome!

What’s even more interesting is that I am a paying customer of
StartSSL CA and I have never been made aware of the change of
ownership. The only other mention of the possible change of
ownership I found was on the Wikipedia page_, which linked to the
blogpost_, which is now unavailable due to “legal review of the
site” […]. Even better! (update later: fortunately the page has been
cached_).

You know, the term “trusted third party” (which is another
term for CA) indicates that they are in the business of selling
trust. I was willing to trust a happy Jewish hacker in Eilat,
Israel. But I am not willing to trust him anymore after doing
this change without letting me know, and even less am I willing
to trust a mysterious Chinese corporation with a disastrous security
track record.

It is time to move.

Update on 2016-11-10
--------------------

So, I have finally found time to replace all my certificates with
the ones from `Let’s Encrypt`_ [#]_ and it was time to sever
all my ties with StartSSL. Unfortunately, I have discovered that
it is `the Hotel California`_ (“We are programmed to receive
/ You can check out any time you like / But you can never
leave!”). OK, so my account won’t ever be deleted and my personal
data will be stored with 沃通 for seven years, but at least I can
revoke all my certificates, so that nobody would mistakenly think
I support their operations, right? Wrong. This is what I see
when I try to revoke one of my certificates; I found that
StartSSL requires payment when you try to abandon them!

.. image:: {filename}/images/startssl-joke.png
    :scale: 66%
    :align: center
    :alt: StartSSL requires payment when you try to leave



.. [#] Using their certs on a webserver-less XMPP-only server was
    a bit of a challenge, but it is possible_; it is just necessary to
    open ports 80 and 443 even without a web server running behind
    them, certbot will just fire up and then kill its own small
    server.

.. _`Security Now`:
    https://twit.tv/shows/security-now/episodes/576
.. _`email from Mozilla`:
    https://groups.google.com/d/topic/mozilla.dev.security.policy/k9PBmyLCi8I/discussion
.. _page:
    https://en.wikipedia.org/wiki/StartCom
.. _blogpost:
    https://letsphish.org/?part=about
.. _cached:
    http://archive.is/2016.08.26-085336/https://www.letsphish.org/?part=2
.. _`Let’s Encrypt`:
    https://letsencrypt.org/
.. _possible:
    https://certbot.eff.org/#centosrhel7-other
.. _`the Hotel California`:
    https://danconnor.com/posts/50f65364a0fd5fd1f7000001/avoid_startcom_startssl_like_the_plague_