To better understand the stupidity in leaving the power with the CI for SSL/TLS:
$ gpg --gen-revoke $(whoami)@$(hostname -f)
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
How would you like to pay us?
(1) Mastercard
(2) VISA
(3) Other
Your selection?
Also, a dark cynical part of me wants to ask exactly what the business model behind "free" SSL certs is? You're not paying them, someone else is?
Only their entry level certificate is free, they have higher priced options for the likes of wildcard and EV certificates. Once your root certificate has a good level of acceptance, the true cost of certificates is the validation process; actual certificate generation is negligible, hence certificates with little-to-no validation can be offered at little-to-no charge.
If you're interested in security or programming anywhere in the area of TLS, it's worth your time to set up your own CA, issue yourself certificates, figure out how to convince your local browser to accept them, etc.
Had I done that myself properly earlier, I'd have some less heartache in my future.
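An added example, not part of the thread: the exercise suggested above, narrowed to the revocation question this thread argues about. It assumes `openssl` is on the PATH; the CA layout and every name (Demo Root CA, www.example.test) are constructed for the demo.

```sh
# Added example: throwaway private CA that issues, then revokes, one certificate.
# All names (Demo Root CA, www.example.test) and file layout are constructed.
demo_ca() {  # `openssl ca` bound to the demo CA's config, certificate and key
    openssl ca -batch -config "$d/ca.cnf" -cert "$d/ca.crt" \
        -keyfile "$d/ca.key" "$@" >/dev/null 2>&1
}

verdict() {  # verify leaf.crt with any extra options; print ok/revoked/error
    case $(openssl verify -CAfile "$d/ca.crt" "$@" "$d/leaf.crt" 2>&1) in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*) echo ok ;;
        *) echo error ;;
    esac
}

run_steps() {
    mkdir "$d/newcerts" && : > "$d/index.txt" && echo 1000 > "$d/serial" || return 1
    cat > "$d/ca.cnf" <<EOF || return 1
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
    # 1. Self-signed root that may sign certificates and CRLs.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/ca.cnf" \
        -extensions v3_ca -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1 || return 1
    # 2. Leaf key and CSR, signed by the CA; publish a CRL with no entries yet.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=www.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1 || return 1
    demo_ca -in "$d/leaf.csr" -out "$d/leaf.crt" -notext || return 1
    demo_ca -gencrl -out "$d/ca.crl" || return 1
    before=$(verdict -crl_check -CRLfile "$d/ca.crl")
    # 3. Key compromise: revoke, then publish a fresh CRL.
    demo_ca -revoke "$d/leaf.crt" -crl_reason keyCompromise || return 1
    demo_ca -gencrl -out "$d/ca.crl" || return 1
    # 4. Only a verifier that consults the CRL notices the revocation.
    echo "before=$before unchecked=$(verdict) checked=$(verdict -crl_check -CRLfile "$d/ca.crl")"
}

ca_revocation_demo() {
    d=$(mktemp -d) || return 1
    run_steps; rc=$?
    rm -rf "$d"
    return $rc
}

ca_revocation_demo
```

The `unchecked=ok` result after revocation is the point: a revoked certificate keeps validating for any client that does not fetch and enforce the CA's revocation data.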
Classic Big Lebowski moment: You're not wrong, you're just an asshole. Their stance is entirely correct. The customer used a file that StartCom provided in software that turns out to have had a security flaw. That's neither StartCom's problem nor liability. They didn't say "use this certificate with anything other than OpenSSL; you'll be sorry if you use OpenSSL," nor could they have foreseen it.
On the other hand, showing a cold unwillingness to help when doing so is by far the above-and-beyond response doesn't engender good customer loyalty. It's also how StartCom operates. This is the same cert authority that insisted that I send them a full, unredacted copy of a mobile telephone bill with every "family plan" member's full call, SMS, and data history in order to call me. Otherwise, they could only "verify" me by sending a snail mail letter from Israel to South America (where I lived at the time). Independently-linked, outside verification databases operated by local government entities weren't sufficient.
At least they're consistent with their "rules are rules" processes.
Well it sounds like their stance is wrong if they've agreed to the Mozilla CA Certificate Maintenance Policy:
CAs must revoke Certificates that they have issued
upon the occurrence of any of the following events:
...
the CA obtains reasonable evidence that the
subscriber’s private key (corresponding to the
public key in the certificate) has been compromised
True, but all that violating that policy does is get them kicked out of Mozilla-operated software (at least directly; indirectly I suspect it causes a lot more hassle for them). Their internal rules say that a certificate revocation requires payment so, by their own rules, they are correct. If Mozilla comes down on them for their rules, StartCom may choose to modify those rules at their option.
It doesn't say it needs to be free. It's perfectly reasonable to charge a nominal handling fee, as other CAs do for their services. What's special is that StartSSL offers their basic certificates for free, but this shouldn't make people feel entitled. Especially when someone exposes their private key on purpose they don't deserve special treatment in my book.
I understand the word "must" to mean that they cannot add additional strings, such as payment, to their obligation to revoke the certificate. Is there another way of interpreting it that I am missing? I guess you could interpret it as "must provide a mechanism", but I can't see that that was the intent of the original document.
Mozilla's use of the word "must" here I think is important, because the barriers to correctly dealing with a security breach should be minimized. For better or worse, root CAs are entrusted with maintaining the security of large chunks of the internet. Charging users who suspect that their certificates _may_ have been compromised (due to the Heartbleed bug, in this case) will cause users to err on the side of inaction, which is going to weaken internet security in the long run.
I wouldn't have put it better myself.
I just added a new update on the website.
Saturday, April 12, 09:50 (GMT-3)
OK, so here's my reply to Nikolai:
"Let me address this question.
> Anything about free revocations there?
It doesn't, but that's not relevant.
It's pretty damn clear: You see the evidence,
that alone should be enough for you to take action.
If you take Mozilla's policy by the letter,
one doesn't even have to own a certificate to be able to request its revocation.
All that should be needed is the evidence of compromise.
If I disclosed the private keys for a certificate I don't own,
would you just ignore that information?
Or would you come after the certificate owner demanding payment first?
You're a CA, A CA!!!
You should be worried about the security of the internet above all things.
You should also be worried that you have a bunch of green padlocks around that don't mean what they once did.
You're not worried about that.
So in my opinion you don't deserve the trust of the internet anymore.
Paying Class 2 customers, like myself, are also charged the fee.
Their basic free Class 1 certificates are advertised on their website as “No Charge, Unlimited + 100 % Free” and “No Kidding 100% FREE”.
It wasn’t hard for me to find the provision that revocations cost $24.90 in question 72 of the FAQ, but it’s not exactly highlighted either. It’s probably not something that most people think about; they probably assume that StartCom provides free certificates (and have the automated infrastructure to do so) for publicity and/or to up-sell paid services. And I did actually go to a paid StartSSL service, which I probably won’t renew.
This isn’t to say that I have a “right” to a free revocation, and I should read the fine print, but I think I’m justified in lowering my opinion of their business practices a few notches.
They should collect enough up front to make the revocation pre-paid. Refusing to revoke certs results in an unsafe internet and ruins the value of the entire service they are supposed to be providing.
Ensuring that valid certificates issued by them are only used by legitimate owners of the corresponding domains is their obligation.
Unfortunately, it seems as if Mozilla doesn’t care about the security of their users, otherwise this sorry excuse for a CA would have been dropped from their trust store already.
Why is the power of revocations in cert issuer's hands? As long as the private key is private, I don't see how a malicious entity could add your private key to the revocation list.
In fact, a place in the revocation list should be reserved every time a cert is issued, possibly with a mechanism to trigger it with the private key. For example, if I send a message encrypted/signed with my private key to the revocation authority, they can decrypt/verify it with my public key, which they received when the CA issued my cert.
I see. Using the private key to revoke the certificate would be a denial of service attack, so requiring the CA for revocation avoids that, but admittedly it's not the first thing to worry about when a private key is compromised.
So? Even if the key is in the hands of an attacker, what can they do to the corresponding entry in a revocation list? Add it, nothing else!
Unless you mean that the owner has lost access to the private key itself. For that case, I can see CAs having the power to revoke certs in addition to my suggested method.
Hmm, I considered this possibility in a comment, incidentally two hours before yours, below. Let the CA have an ability to revoke certs, I'm not suggesting against that. I'm suggesting a method in addition to it.
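An added sketch of the proposal discussed in the comments above (not code from the thread or from any CA): a revocation request is accepted only if it verifies under the public key in the certificate it names. The `REVOKE <serial>` message format, the function names and the file names are assumptions made for the demo; it needs `openssl` on the PATH.

```sh
# Added sketch of the commenter's proposal: the authority accepts a revocation
# request only if it verifies under the certificate's own public key.
# The "REVOKE <serial>" message format and all names are constructed.
sign_request() {    # $1 = private key, $2 = target certificate, $3 = output prefix
    s=$(openssl x509 -in "$2" -noout -serial) || return 1    # prints serial=<hex>
    printf 'REVOKE %s\n' "${s#serial=}" > "$3.msg" &&
        openssl dgst -sha256 -sign "$1" -out "$3.sig" "$3.msg"
}

accept_request() {  # $1 = certificate the authority has on file, $2 = request prefix
    s=$(openssl x509 -in "$1" -noout -serial) || return 1
    # The request must name exactly this certificate ...
    [ "$(cat "$2.msg")" = "REVOKE ${s#serial=}" ] || return 1
    # ... and carry a signature made with the key the CA certified.
    openssl x509 -in "$1" -noout -pubkey > "$2.pub" || return 1
    [ "$(openssl dgst -sha256 -verify "$2.pub" -signature "$2.sig" "$2.msg" 2>&1)" = "Verified OK" ]
}

self_revocation_demo() {
    t=$(mktemp -d) || return 1
    printf '[req]\ndistinguished_name=dn\n[dn]\ncommonName=Common Name\n' > "$t/req.cnf"
    # Certificate holder's key and certificate (self-signed stand-in for a CA-issued one).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$t/req.cnf" \
        -subj "/CN=www.example.test" -keyout "$t/owner.key" -out "$t/owner.crt" \
        >/dev/null 2>&1 || { rm -rf "$t"; return 1; }
    # An unrelated key, standing in for someone who does not hold the certified key.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$t/other.key" >/dev/null 2>&1 || { rm -rf "$t"; return 1; }
    sign_request "$t/owner.key" "$t/owner.crt" "$t/good" &&
        sign_request "$t/other.key" "$t/owner.crt" "$t/forged" || { rm -rf "$t"; return 1; }
    accept_request "$t/owner.crt" "$t/good" && a=accepted || a=rejected
    accept_request "$t/owner.crt" "$t/forged" && b=accepted || b=rejected
    rm -rf "$t"
    echo "certified_key=$a other_key=$b"
}

self_revocation_demo
```

Anyone holding the certified key, owner or thief, gets the same single outcome (the certificate is revoked), which is the trade-off the comments weigh. ACME (RFC 8555, section 7.6) later standardized revocation requests signed with the certificate's own key pair.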
Mozilla should just spin-off their own CA, pricing the service fairly as a non-profit. It's not like they aren't the gatekeepers anyway.
Users don't trust Verisign or StartSSL, they trust whoever Mozilla, Microsoft or Google trust. Stop accepting new CAs in to the browser whitelist, start a CA for the public good with a true open source, full disclosure mentality. Why not?
That seems kind of like putting all your eggs in one basket. I think the separation of powers is good, even if what it has produced right now is a bad situation.
Mozilla, Microsoft and Google are carrying the baskets. What you have now is N ways of getting compromised, because even the CAs you don't trust can issue certificates for your domains. To be honest, I'm being a bit tongue-in-cheek. I don't think Mozilla should really do this. I just think people should question this naive belief that the CA industry is out there to help the little guy paying ~$20 for a certificate for their blog or forum.
I've used these guys in the past and quite like them, but yeah, this is poor PR and I hope they get pulled for not paying attention to, you know, the overall security of the trust product they're selling. I don't want lock-in on my SSL cert but it's effectively a contract if I have to pay a fee to break it and the SSL padlock on my domain is held hostage if I don't. Maybe someone should open a bug report on Bugzilla...
There are arguments about this being "their right" to not give free cert revocation, since that's how their business model works. They give you free certificates, but then you must pay quite a bit to revoke them.
That being said, PR wise, this was a pretty dumb move by them. It should've been a great PR opportunity for them, by submitting a blog post on HN about how serious this issue is and how they're going to allow everyone to revoke their certificate, say for the next 7 days, or even 48h. Everyone would've had their hands in the air cheering for StartSSL, about what an awesome company it is for doing this, and they would've gained a lot of good will and trust from the community for many years to come.
Instead, they saw this as an opportunity to make as much money as possible in the short term, regardless of how catastrophic this vulnerability was. In a way, it's like stores raising the price of food and water in a time of crisis (natural disaster, war, etc) because they know they can get away with it then, since so many people need it, and they're the only source in the area.
Bottom line is, they could've made a judgement call to "not make" some extra cash in this period, while gaining a lot of long-term trust from its current and potential customers, but instead they decided to take the money, and have a PR scandal on their hands. Not a great move at all.
So, to verify, would you rather pay a (smaller) fee upfront for every registration (effectively, insurance against revocation), rather than pay a (larger) fee if and only if you ever need to revoke? (Or, are you saying that StartSSL is somehow evil, because they refuse to do everything you ever wished they could do for you with no compensation of any kind?) (Is the issue simply that they won't revoke without a fee, even if you don't have your key reissued? I thought that it was just a charge for reissue, but if they won't let you even revoke the key without reissue, then I agree that sucks; but that doesn't seem to be what you are complaining about.)
I think StartCom are morally in the right about the payment issue and to have whatever business model they want. But at the same time that's a separate issue from their responsibilities as a CA and if that's compatible with their business model. I got burned by Heartbleed and I was proactive about getting my certs revoked because it never occurred to me that I should beg for a free revoke because it wasn't my fault or something. But now I see that StartCom is in a tough position because they should be revoking the guy's cert and just billing him, but his backlash is not atypical and free cert offers probably select for the type of person who will avoid paying for things at all costs.
Hmm. Would I rather pay a fee every year for my domain name or only if I happen to need to change my name servers, contact info or account password. Perhaps more realistically, pay the host before a transfer or early termination. Yes, getting started might be free, but that just makes accidental lock in easier. Life happens, changes happen. Free should be free, is all I'm saying. Makes for a better internet. Maybe browser vendors should offer free SSL certs, or promote pinning self-signed ones somehow? ;-)
What I would rather have is a %$#@! CA cert signed by my registrar valid for *.my-domain.com for free. In what world should I have to pay annually for some asshole to run "openssl ca" on my behalf? Our whole CA system is bullshit.
When Mozilla put them in my browser, they promised “we will make sure that only people who own the domains get certs for them”. Now there are a bunch of people with leaked private keys and StartSSL is apparently doing nothing about them.
Note that I don’t care what StartSSL wants their “customers” to do, nor do I care what these “customers” want StartSSL to do, but I do care about private keys with associated valid StartSSL certificates floating around the internet, and it is not the responsibility of the owners of these keys to revoke the certs ASAP but StartSSL’s. Given that they don’t seem willing to do so, I’ll have to remove their CA from my browser.
One easy way out for “free certs” would be a clause like “If we have reasonable evidence that your certificate is compromised, we will revoke it immediately and you agree to pay a handling fee of 25 € for that.” in their Terms and Conditions. If such a clause would be illegal, I guess free certificates are just not feasible.
The author is running a business on the domains he's talking about (a crowdfunding site that takes a 3% fee [1]) so he should just regard it as an unplanned business expense and pay up if he feels it's so important for his certs to be revoked.
Not that revocation will have much practical effect on the unlikely event of his keys having been compromised, and an attacker considering his website important enough to MITM - and having the means to do so to a sufficiently large audience to make it worthwhile. Seems like a lot of fuss over nothing much, in this case.
EDIT: Also just to note that the private key he has shown on this website was compromised solely by him putting it there, and not extracted via Heartbleed. Indeed, the certificate was created a few days after the vulnerability was reported and fixed. Makes this strange cry for attention even more absurd.
So now it's official. They got the evidence that the certificate is compromised yet they refuse to take action. If that's not violation of CA policy I don't know what is.
How dare they give you a free service, and then decide to charge for a revocation which they had said they would charge for (and is meaningless because by default all browsers ignore revocations).
Unfortunately for various historical fuckups, we consider self signed certificates to be more dangerous than cleartext unsecured http. Lots of scary warnings pop up. That is absurd. StartCom is helping fix this by issuing free certificates.
The Mozilla CA policy does not include a provision for obvious trolling and posturing. If StartCom were to be forced to revoke your certificate for free, why would anyone else (on any CA) ever pay for revocation?
> (and is meaningless because by default all browsers ignore revocations)
Strange, because when I revoked my cert at StartSSL yesterday (and paid for it), the browser, Firefox on Ubuntu, immediately showed it as revoked. With a big bold warning when visiting the page.
> The Mozilla CA policy does not include a provision for obvious trolling and posturing. If Starcom were to be forced to revoke your certificate for free, why would anyone else (on any CA) ever pay for revocation?
This is not your garden variety, "I screwed up my .htaccess file and accidentally leaked my private key to the world" situation. This is a special case, and some special case rules would be really appreciated by this one, at least.
> The Mozilla CA policy does not include a provision for obvious trolling and posturing.
This isn't really trolling; after Heartbleed we should consider all SSL certs used by OpenSSL-based servers as compromised. This site just tries to make the point more obvious by putting such a compromised cert in public view.
Have you realized that not only OpenSSL, but any exploitable bug in any software that runs on servers (PHP, Apache, nginx, Linux, etc) should theoretically invalidate any certificate that is stored on those servers?
Any exploitable bug that allows access to private keys should invalidate certificates. There are many security vulnerabilities that don't give access to private keys.
Even if there's no publicly known way of using a particular security vulnerability to get access to private keys, how are we to be sure that somebody (perhaps malicious) didn't find a way and are just keeping it a secret?
If you understand a vulnerability, you can often tell for sure if it can lead to exposure of private keys. For example if a PHP app runs in a separate process with separate user credentials than nginx SSL endpoint, and if file access control flags for certificates are configured correctly, you can tell for sure that php bug alone won't allow for certificates access. This of course assumes that other components work correctly (like Linux access control mechanism), but without such assumptions you wouldn't be able to do anything productive.
I thought this post was simply making clear on an example domain what the policy was, and that because of the heartbleed issue, the author had legitimate concerns about the other certs' security. This one was just posted more obviously to prove the point.
It isn't compromised. You yourself handed out your private key to others who may act on your behalf. Not by mistake, not by Heartbleed, not by some hacking event, but out of your clear will and as part of your policy how to handle the key.
In terms of your business transaction with StartSSL, the private key is still only known to "you".
The private key being not private is the very definition of "compromised" when applied to the CA security architecture. Whether StartSSL has a different definition is completely immaterial to the Mozilla policy.
Now you're right that it's not StartSSL's fault that OpenSSL suffered Heartbleed, but nor is it the various end customers' fault (unless they introduced the bug themselves?). So pinning down the response to this as a simple exercise of assigning blame and responsibility completely misses the point and does nothing toward resolving what is admittedly a very difficult question.
So in your opinion the one who actually buys and gets the certificate from the StartSSL web site must not share it with the system administrator? Or some second-in-command?
IMO, as long as the key is only known to people who the rightful owner explicitly wanted it to possess, it is not compromised.
This is just an extreme case of a troll wanting the whole world to have the key.
It has nothing to do with Heartbleed! Posting your private key in a gist on the web is not the same as being victim to some hacking because of an OpenSSL bug.
> So in your opinion the one who actually buys and gets the certificate from the StartSSL web site must not share it with the system administrator? Or some second-in-command?
This key is now public and must be revoked. Bottom line. StartSSL can even conceivably invoice him for the work, but they have to revoke it if they want to be a CA in a secure public-key infrastructure.
I think you're right, if there's evidence the key is compromised, they should revoke first. Then they should bill you, and if you choose not to pay, they should send it to a collections agency.
I never understood why people use StartSSL. Their service is horrible. The interface is far beyond ugly. You could get an SSL certificate in a nice and easy way for 4,99$ at http://www.ssls.com/. (They resell from different CAs. The cheapest one is currently PositiveSSL.)
With StartSSL I've got a multiple-domain wildcard (8 domains) cert for $59/year (or 2-3 years if you don't need to change it).
This is pretty hard to find in general, and the ssls.com interface does not make it any easier.
For example the same 8 domain wildcard
Positive SSL Multi-Domain: £360
I could revoke my cert a dozen times a year and it would still be cheaper than anything else I've found - happy to be informed of viable competitors at a similar price though (not necessarily lower)
As someone with several side projects (like most of us - I assume) this type of certificate is essential if we are to use SSL at all.
Personally, I'd just send a patch to my favorite browser removing their certificate from the trust chain, and then send StartSSL an email with a link to that. Although I doubt anyone will merge your change, it sends a cynical message about how their entire business lives and dies at the whims of people with commit access to the list of trusted CAs.
That is a critical security flaw in Chrome (and your toy OS there with the fancy graphics).
Arguing that someone else made a mistake which renders your mistake unimportant under some circumstances is neither excuse nor justification, in particular not for continuing to make that mistake.
Toy OS? Honestly, grow up. The default in OSX is best effort. It's easy enough to change to require looking at revocations or fail the connection.
Anyone that cares about security is going to be looking at what their software does and ensure it's configured securely. Not posting on Hacker News about a "toy OS there with the fancy graphics" like a ninny.