
Which they are 100% in the right to do by the way. StartSSL is a business.


And then people are 100% in the right to no longer trust StartSSL certificates.


This is utterly ridiculous. These people signed up for a free SSL certificate knowing that revocations would cost them money. Enforcing a contract that both parties willingly agreed to does not make them untrustworthy, it demonstrates that their customers carry immense senses of entitlement.

There are tons of SSL certificate providers out there. Their business model was not a secret when folks signed up.


I am not their customer. At most, I am their customers' customer. Why do I have any obligation toward StartSSL? If StartSSL is free to choose a business model, then others are free to make judgment based on that business model.

Should the customers of StartSSL pay the revocation fee? Yes. Should StartSSL be required to give free revocations? No. Are either of those at all relevant to whether or not I should trust StartSSL certificates, given that they are less likely to be revoked when they need to be revoked?


The business model and practices of the company are completely irrelevant to the people concerned in this case though - the users of the web browser. They never signed up for shit, and they have no incentive to trust a business which refuses to invoke compromised certs because people are unwilling to pay.

Yes, this doesn't make them untrustworthy as a business, since their business model was known - it does make them untrustworthy as a party which is meant to be securing the web though - because they'll be failing at it spectacularly.

Again: I never signed up to shit, and their business model means shit to me too - I just want some degree of security when browsing.


The other responders have no idea what you're talking about.

You're right, of course, but I suspect most other CAs' certificates should also not be trusted even though they don't have this revocation hurdle because a lot of these certificates were given to unsophisticated users who aren't going to revoke compromised certificates anyway.


Who am I going to trust less? StartSSL certs? Or OpenSSL?

I'm not saying I don't appreciate the hard work the two OpenSSL developers put into the code. But it's incredulous that we're upset a business would give away a service due to an event completely out of its control.


As it was out of the customers' control as well. Or should we have audited OpenSSL?


I would argue that something that is the underlying component of e-commerce, privacy, and security for the majority of Internet activity should probably be audited.


By that logic, we should remove every CA.

At least StartSSL will have good certificates for everybody in their free tier in 12 months.

Can any of the other CAs make that claim?

So, are you going to lead the charge at the rest of the CAs?

And, I suspect that StartSSL couldn't possibly handle every single person calling them up to revoke a certificate right now. And that is NOT their fault--they didn't cause this bug.


People would better be advised not to trust admins who can't shed 20 bucks for their users' security. Most likely these are the same admins to whom you certainly wouldn't want to give an email, password or any sort of confidential information.


Who is supposed to pay for staff time required to manually maintain the revoke list?

BTW, revoking a cert doesn't stop it from being used in the wild as plenty of clients will still see it as a valid cert. We are basically screwed until all current certs expire.


Why would the revoke list need manual maintenance? Are they running a root CA on pen and paper?


Or at the very least, StartSSL certs issued before yesterday.


No, any StartSSL cert. There are still unpatched systems and there likely will be for quite some time. Just because there's a CVE doesn't mean everyone updated.


Sure, and there are also StartSSL certs used on systems that don't use OpenSSL.

Do we just nuke every certificate, destroy their business, and force people with secure computers to buy new ones elsewhere even though their servers weren't affected by Heartbleed? Because that option sucks too.


As a user, I much prefer that my browser and my OS never ever again show a StartSSL-signed cert as valid over even just one compromised cert being displayed with a fancy lock. How StartSSL is going to achieve that, I don’t care, but neither do I care whether or not they go out of business over this.



