From Wikipedia, the free encyclopedia
StartCom Ltd.
Type: Private company
Industry: Internet security, Public key infrastructure
Founded: 1999
Headquarters: Eilat, Israel
Key people: Eddy Nigg (CEO)

StartCom is a certificate authority based in Eilat, Israel, that has three main activities: StartCom Linux Enterprise (Linux distribution), StartSSL (certificate authority) and MediaHost (web hosting). StartCom has set up new branch offices in China and the UK.[1]


StartCom offers the free Class 1 X.509 SSL certificate "StartSSL Free", which works for web servers (SSL/TLS) as well as for email encryption (S/MIME). It also offers Class 2 and 3 certificates as well as Extended Validation Certificates, for which a comprehensive validation (with costs) is mandatory.

In June 2011, the company suffered a network breach, which resulted in StartCom suspending issuance of digital certificates and related services for several weeks.[2] The attacker was unable to use the breach to issue certificates (and StartCom was the only breached provider, of six, where the attacker was blocked from doing so).[3]


The StartSSL certificate is included by default in Mozilla Firefox 2.x and higher, in Apple Mac OS X since version 10.5 (Leopard), all Microsoft operating systems since 24 September 2009,[4][5] and Opera since 27 July 2010.[6] Since Google Chrome, Apple Safari and Internet Explorer use the certificate store of the operating system, all major browsers include support for StartSSL certificates.

Limitations of StartSSL Unlimited Free Certificates

While certificates are free and unlimited for certain uses, there are limitations imposed unless an upgrade is purchased:

  • One-year certificate validity.
  • Certificate revocation requires a fee.

Response to Heartbleed

On 13 April 2014, StartCom announced[7] a FAQ page[8] related to Heartbleed, a critical bug in OpenSSL estimated to have left 17% of the Internet's secure web servers vulnerable to data theft.

StartCom's policy is to charge $25 for each revoked certificate, and it refused to waive this fee for certificates compromised due to Heartbleed, though some paying customers were granted a single free revocation.[9][10][11][12] This caused many to doubt StartCom's status as a certificate authority.[13] When provided with proof of a compromised certificate, StartCom refused to revoke the certificate for free, so the certificate continued to be trusted even after StartCom had learned that it had been compromised.[14]


Customers have reported[15] that, with StartSSL's infrastructure, a certificate must be revoked before a new certificate can be generated. Because StartSSL does not state how long it takes to revoke and reissue a certificate, a site can be unreachable over a secure connection for an undetermined amount of time, with one customer reporting about 5 hours of downtime.[12]



  1. "About StartCom". The Register. Apr 26, 2016. Retrieved June 7, 2016.
  2. "Web authentication authority suffers security breach". The Register. June 26, 2011. Retrieved January 14, 2012.
  3. "How StartCom Foiled Comodohacker: 4 Lessons". InformationWeek. September 8, 2011. Retrieved December 20, 2012.
  4. "Microsoft Adds Support for StartCom Certificates" (Press release). September 24, 2009. Retrieved 2011-01-14.
  5. "Microsoft updates trusted root certs to include StartCom". Naked Security blog. September 27, 2009.
  6. "New Roots, new EV, and a new Public Suffix file". Rootstore blog.
  7. "Twitter / startssl: We released a small FAQ page ...". StartCom. 13 April 2014.
  8. "Heartbleed F.A.Q.". StartCom. 13 April 2014.
  9. "I use StartCom, and I revoked and re-keyed yesterday. In the revocation reason, ... Hacker News". Geoff. 9 April 2014.
  10. "Twitter / codeawe: @tonylampada @startssl ...". J. Breitsprecher. 11 April 2014.
  11. "Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")". Jan. 9 April 2014.
  12. "Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")". arnowelzel. 10 April 2014.
  13. "Most StartSSL certs will stay compromised". 9 April 2014.
  14. "StartSSL, please revoke me!". 12 April 2014. Archived from the original on April 12, 2014.
  15. "Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")". arnowelzel. 9 April 2014.
