StartCom

From Wikipedia, the free encyclopedia
StartCom Ltd.
Type: Private company
Industry: Internet security, public key infrastructure
Founded: 1999
Headquarters: Eilat, Israel
Key people: Eddy Nigg (President & CEO)
Website: www.startcom.org

StartCom is a company based in Eilat, Israel that has three main activities: StartCom Linux Enterprise (Linux distribution), StartSSL (Certificate Authority) and MediaHost (Web hosting).

StartSSL

StartCom offers the Class 1 X.509 SSL certificate "StartSSL Free", free of charge for personal use, which works for web servers (SSL/TLS) as well as for e-mail encryption (S/MIME). It also offers Class 2 and Class 3 certificates and Extended Validation certificates, all of which require a more comprehensive, paid validation.

In June 2011, the company suffered a network breach, after which StartCom suspended issuance of digital certificates and related services for several weeks.[1] The attacker was unable to use the breach to issue certificates; of the six providers breached, StartCom was the only one where the attacker was blocked from doing so.[2]

The "StartCom Certificate Policy & Practice Statements" document §3.1.2.1 is explicit that the Class 1 (free) certificates are for non-commercial uses only.[3] The previous version of the CPS did not include this restriction.[4]

StartCom does not issue certificates for certain top-level domains like .tk or .ga.[5][6]

Trustedness

StartCom's root certificate is included by default in Mozilla Firefox 2.x and later, in Apple Mac OS X since version 10.5 (Leopard), in all Microsoft operating systems since 24 September 2009,[7][8] and in Opera since 27 July 2010.[9] Since Google Chrome, Apple Safari and Internet Explorer use the operating system's certificate store, all major browsers accept StartSSL certificates.

Limitations of StartSSL Free

While certificates are free for certain uses, there are limitations imposed unless an upgrade is purchased:

  • One-year certificate validity (a new certificate can be issued for free at any time).
  • One domain plus one subdomain name per certificate (e.g. example.com and www.example.com).
  • No commercial use.[3]
  • Certificate revocation requires a fee.

Response to Heartbleed

On 13 April 2014, StartCom announced[10] a FAQ page[11] on Heartbleed, a critical bug in OpenSSL estimated to have left 17% of the Internet's secure web servers vulnerable to data theft.

While StartCom states in its FAQ[11] that its PKI infrastructure is not vulnerable to Heartbleed, it would continue to charge customers $25 per certificate revocation, citing its unique business model. Nevertheless, a few customers who had paid for wildcard and EV certificates reported that StartCom had waived the charge for reissuance of their certificates, citing "exceptional circumstances".[12][13][14][15]

Customers have also reported[16] that with StartSSL's infrastructure a certificate must be revoked before a new one can be issued, and since StartSSL does not state how long revocation and reissuance take, a site can be left without a working certificate for an undetermined amount of time; one customer reported about 5 hours of downtime.[15]

References

  1. "Web authentication authority suffers security breach". The Register. June 26, 2011. Retrieved January 14, 2012.
  2. "How StartCom Foiled Comodohacker: 4 Lessons". InformationWeek. September 8, 2011. Retrieved December 20, 2012.
  3. "StartCom Certificate Policy & Practice Statements", version 2.3, §3.1.2.1. StartCom. October 31, 2012. Retrieved December 20, 2012.
  4. "Policy & Practice Statements", version 2.2. StartCom. June 13, 2010. Retrieved December 20, 2012.
  5. ".Tk domain is not available?". arnowelzel. February 13, 2014.
  6. ".ga Gabon domain removed". July 1, 2014.
  7. "Microsoft Adds Support for StartCom Certificates" (press release). StartCom.org. September 24, 2009. Retrieved January 14, 2011.
  8. "Microsoft updates trusted root certs to include StartCom". Sophos.com Naked Security blog. September 27, 2009.
  9. "New Roots, new EV, and a new Public Suffix file". Opera.com Rootstore blog.
  10. "Twitter / startssl: We released a small FAQ page ...". StartCom. April 13, 2014.
  11. "Heartbleed F.A.Q.". StartCom. April 13, 2014.
  12. "I use StartCom, and I revoked and re-keyed yesterday. In the revocation reason, ...". Geoff, Hacker News. April 9, 2014.
  13. "Twitter / codeawe: @tonylampada @startssl ...". J. Breitsprecher. April 11, 2014.
  14. "Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")". Jan. April 9, 2014.
  15. "Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")". arnowelzel. April 10, 2014.
  16. "Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")". arnowelzel. April 9, 2014.