|This article needs additional citations for verification. (April 2010)|
|Industry||Internet security, Public key infrastructure|
|Key people||President & CEO: Eddy Nigg|
StartCom offers the free (for personal use) Class 1 X.509 SSL certificate "StartSSL Free", which works for webservers (SSL/TLS) as well as for E-mail encryption (S/MIME). It also offers Class 2 and 3 certificates as well as Extended Validation Certificates, where a comprehensive validation (with costs) is mandatory.
In June, 2011, the company suffered a network breach which resulted in StartCom suspending issuance of digital certificates and related services for several weeks. The attacker was unable to use this to issue certificates (and StartCom was the only breached provider, of six, where the attacker was blocked from doing so).
The "StartCom Certificate Policy & Practice Statements" document §18.104.22.168 is explicit that the Class 1 (free) certificates are for non-commercial uses only. The previous version of the CPS did not include this restriction.
The StartSSL certificate is included by default in Mozilla Firefox 2.x and higher, in Apple Mac OS X since version 10.5 (Leopard), all Microsoft operating systems since 24 September 2009, and Opera since 27 July 2010. Since Google Chrome, Apple Safari and Internet Explorer use the certificate store of the operating system, all major browsers include support for StartSSL certificates.
Limitations of StartSSL Free
While certificates are free for certain uses, there are limitations imposed unless an upgrade is purchased:
- One-year certificate validity (new certificate can be issued for free at any time).
- One domain plus one subdomain name per certificate (e.g. example.com, www.example.com).
- No commercial use
- Certificate revocation requires a fee
Response to heartbleed
While StartCom states in its FAQ that their PKI infrastructure are not vulnerable to heartbleed, they will continue to charge their customers at $25 per certificate revocation due to its unique business model. Nevertheless, a few customers who paid for wild card and EV certificates reported that StartCom had waived the charge for reissurance of their certificate, citing "exceptional circumstances".    
Customers have also reported  with StartSSL infrastructure, a certificate must be revoked before a new certificate can be generated, and as StartSSL does not state how long it takes to revoke and reissue a certificate, a site can be inaccessible securely for an undetermined amount of time, with one customer reporting about 5 hours of downtime.
- "Web authentication authority suffers security breach". The Register. June 26, 2011. Retrieved January 14, 2012.
- "How StartCom Foiled Comodohacker: 4 Lessons". InformationWeek. September 8, 2011. Retrieved December 20, 2012.
- "StartCom Certificate Policy & Practice Statements". 2.3. StartCom. October 31, 2012. 22.214.171.124. Retrieved December 20, 2012.
- "Policy & Practice Statements". 2.2. StartCom. June 13, 2010. Retrieved December 20, 2012.
- ".Tk domain is not available?". arnowelzel. 13 February 2014.
- ".ga Gabon domain removed". 1 July 2014.
- "Microsoft Adds Support for StartCom Certificates" (Press release). StartCom.org. September 24, 2009. Retrieved 2011-01-14.
- "Microsoft updates trusted root certs to include StartCom". Sophos.com Naked Security blog. September 27, 2009.
- "New Roots, new EV, and a new Public Suffix file". Opera.com Rootstore blog.
- "Twitter / startssl: We released a small FAQ page ...". StartCom. 13 April 2014.
- "Heartbleed F.A.Q.". StartCom. 13 April 2014.
- "I use StartCom, and I revoked and re-keyed yesterday. In the revocation reason, ... Hacker News". Geoff. 9 April 2014.
- "Twitter / codeawe: @tonylampada @startssl ...". J. Breitsprecher. 11 April 2014.
- "Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")". Jan. 9 April 2014.
- "Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")". arnowelzel. 10 April 2014.
- "Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")". arnowelzel. 9 April 2014.