From Wikipedia, the free encyclopedia
StartCom Ltd.
Type: Private company
Industry: Internet security, Public key infrastructure
Founded: 1999
Headquarters: Eilat, Israel
Key people: President & CEO: Eddy Nigg

StartCom is a company based in Eilat, Israel that has three main activities: StartCom Linux Enterprise (Linux distribution), StartSSL (Certificate Authority) and MediaHost (Web hosting).


StartCom offers the free (for personal use) Class 1 X.509 SSL certificate "StartSSL Free", which works for web servers (SSL/TLS) as well as for e-mail encryption (S/MIME). It also offers Class 2 and Class 3 certificates as well as Extended Validation certificates, for which a comprehensive, paid validation is mandatory.

In June 2011, the company suffered a network breach which resulted in StartCom suspending issuance of digital certificates and related services for several weeks.[1] The attacker was unable to use the breach to issue certificates; of the six providers breached, StartCom was the only one where the attacker was blocked from doing so.[2]

The "StartCom Certificate Policy & Practice Statements" document is explicit that the Class 1 (free) certificates are for non-commercial uses only.[3] The previous version of the CPS did not include this restriction.[4]

StartCom does not issue certificates for certain top-level domains like .tk or .ga.[5][6]


The StartSSL root certificate is included by default in Mozilla Firefox 2.x and higher, in Apple Mac OS X since version 10.5 (Leopard), in all Microsoft operating systems since 24 September 2009,[7][8] and in Opera since 27 July 2010.[9] Since Google Chrome, Apple Safari and Internet Explorer use the certificate store of the operating system, all major browsers include support for StartSSL certificates.

Limitations of StartSSL Free

While certificates are free for certain uses, there are limitations imposed unless an upgrade is purchased:

  • One-year certificate validity (a new certificate can be issued for free after the old certificate expires).
  • One domain plus one host name per certificate (e.g. and, or and
  • No commercial use[3]
  • Certificate revocation requires a fee

Response to Heartbleed

On 13 April 2014, StartCom announced[10] a FAQ page[11] related to Heartbleed, a critical bug in OpenSSL estimated to have left 17% of the Internet's secure web servers vulnerable to data theft.

StartCom's policy is to charge $25 for each revoked certificate, and it refused to waive this fee for certificates compromised by Heartbleed, though some paying customers were granted a single free revocation.[12][13][14][15] This caused many to doubt StartCom's status as a certificate authority.[16] When provided with proof of a compromised certificate, StartCom refused to revoke the certificate for free, so the certificate remained trusted even after StartCom had learned that it had been compromised.[17]


Customers have reported[18] that with StartSSL's infrastructure a certificate must be revoked before a new certificate can be generated, and as StartSSL does not state how long revocation and reissuance take, a site can be unable to serve HTTPS for an undetermined amount of time, with one customer reporting about 5 hours of downtime.[15]
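The two security-relevant points above, that a free-tier certificate is bounded to a one-year lifetime and one domain plus one host name, and that a certificate whose key may have leaked through Heartbleed stays trusted until it is revoked and reissued, can be turned into a small audit of a server's leaf certificate. The following is an added example and not StartCom's own code or tooling; it takes a dict in the shape returned by Python's ssl.SSLSocket.getpeercert(), the sample certificates are constructed, and the Heartbleed disclosure date (7 April 2014) is a fact not stated on this page. The single-host-name rule (the second name must sit exactly one label under the bare domain) is an assumption about how the limit is enforced.

```python
"""Audit a server certificate against the StartSSL Free limits and flag
certificates issued before a key-compromise cutoff (Heartbleed by default).

Added example, not StartCom's code. Input is a dict in the shape returned by
ssl.SSLSocket.getpeercert(); sample certificates below are constructed.
"""
import ssl
from datetime import datetime, timezone

# Limits taken from the "Limitations of StartSSL Free" list on this page.
MAX_VALIDITY_DAYS = 366   # one-year validity (366 allows for a leap day)
MAX_DNS_NAMES = 2         # one domain plus one host name per certificate

# Public disclosure of Heartbleed, 7 April 2014 (not stated on this page).
# A key that sat on a vulnerable server before this date may have leaked.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def _parse_cert_time(value):
    """Turn a getpeercert() timestamp like 'Apr  1 00:00:00 2014 GMT' into an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def _dns_names(cert):
    """All dNSName entries from the subjectAltName extension."""
    return [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]


def audit_certificate(cert, compromise_cutoff=HEARTBLEED_DISCLOSURE):
    """Return a list of findings; an empty list means the certificate passed every check."""
    findings = []
    not_before = _parse_cert_time(cert["notBefore"])
    not_after = _parse_cert_time(cert["notAfter"])

    # One-year validity limit.
    lifetime = (not_after - not_before).days
    if lifetime > MAX_VALIDITY_DAYS:
        findings.append(f"validity of {lifetime} days exceeds the {MAX_VALIDITY_DAYS}-day free-tier limit")

    # One domain plus one host name. Assumption: the "domain" is the shortest
    # name and every other name must be exactly one label below it.
    names = _dns_names(cert)
    if len(names) > MAX_DNS_NAMES:
        findings.append(f"{len(names)} DNS names exceed the free-tier limit of {MAX_DNS_NAMES}")
    if names:
        base = min(names, key=len)
        for name in names:
            one_label_below = name.endswith("." + base) and name.count(".") == base.count(".") + 1
            if name != base and not one_label_below:
                findings.append(f"{name} is not a single host name under {base}")

    # Revocation only helps clients that can look it up: without OCSP or CRL
    # pointers the certificate stays trusted until it expires.
    if not (cert.get("OCSP") or cert.get("crlDistributionPoints")):
        findings.append("no OCSP or CRL distribution point: clients cannot learn of a revocation")

    # A certificate (and therefore its key) issued before the cutoff may have
    # been exposed if the server ran a vulnerable OpenSSL; it needs revoking and
    # reissuing with a fresh key. Pass compromise_cutoff=None to skip this check.
    if compromise_cutoff is not None and not_before < compromise_cutoff:
        findings.append(
            f"issued {not_before.date()} before cutoff {compromise_cutoff.date()}: revoke and reissue with a new key"
        )
    return findings


# Constructed sample: a free-tier certificate issued a week before Heartbleed.
FREE_CERT_BEFORE_HEARTBLEED = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("organizationName", "StartCom Ltd."),), (("commonName", "Class 1 CA (constructed)"),)),
    "notBefore": "Apr  1 00:00:00 2014 GMT",
    "notAfter": "Apr  1 00:00:00 2015 GMT",
    "subjectAltName": (("DNS", "example.org"), ("DNS", "www.example.org")),
    "OCSP": ("http://ocsp.example-ca.invalid/",),          # placeholder URL
    "crlDistributionPoints": ("http://crl.example-ca.invalid/ca.crl",),
}

# Constructed sample: issued after the cutoff but outside the free-tier limits
# and without any revocation pointers.
OVERSIZED_CERT = {
    "subject": ((("commonName", "example.net"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "notBefore": "Apr 20 00:00:00 2014 GMT",
    "notAfter": "Apr 20 00:00:00 2016 GMT",
    "subjectAltName": (("DNS", "example.net"), ("DNS", "www.example.net"), ("DNS", "mail.example.net")),
}

if __name__ == "__main__":
    for label, cert in (("free cert", FREE_CERT_BEFORE_HEARTBLEED), ("oversized cert", OVERSIZED_CERT)):
        print(label, "->", audit_certificate(cert) or ["ok"])
```

Against a live server the same function can be fed `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()`; the notBefore check is the one that matters after an incident like Heartbleed, because a certificate that predates the fix and was never reissued is still presented as valid by every client that does not consult OCSP or a CRL.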

Concerns have been expressed over StartSSL's arbitrary and inconsistent policies and poor customer service.[19]

References

  1. "Web authentication authority suffers security breach". The Register. June 26, 2011. Retrieved January 14, 2012.
  2. "How StartCom Foiled Comodohacker: 4 Lessons". InformationWeek. September 8, 2011. Retrieved December 20, 2012.
  3. "StartCom Certificate Policy & Practice Statements" (PDF), version 2.3. StartCom. October 31, 2012. Retrieved December 20, 2012.
  4. "Policy & Practice Statements" (PDF), version 2.2. StartCom. June 13, 2010. Retrieved December 20, 2012.
  5. ".Tk domain is not available?". arnowelzel. 13 February 2014.
  6. ".ga Gabon domain removed". 1 July 2014.
  7. "Microsoft Adds Support for StartCom Certificates" (Press release). September 24, 2009. Retrieved January 14, 2011.
  8. "Microsoft updates trusted root certs to include StartCom". Naked Security blog. September 27, 2009.
  9. "New Roots, new EV, and a new Public Suffix file". Rootstore blog.
  10. "Twitter / startssl: We released a small FAQ page ...". StartCom. 13 April 2014.
  11. "Heartbleed F.A.Q.". StartCom. 13 April 2014.
  12. "I use StartCom, and I revoked and re-keyed yesterday. In the revocation reason, ... Hacker News". Geoff. 9 April 2014.
  13. "Twitter / codeawe: @tonylampada @startssl ...". J. Breitsprecher. 11 April 2014.
  14. "Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")". Jan. 9 April 2014.
  15. "Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")". arnowelzel. 10 April 2014.
  16. "Most StartSSL certs will stay compromised". 9 April 2014.
  17. "StartSSL, please revoke me!". 12 April 2014.
  18. "Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")". arnowelzel. 9 April 2014.
  19. "Avoid StartCom / StartSSL. Like. The. Plague.". Retrieved 7 October 2014.
