Any customers of StartCom SSL certs pre October 21, 2016?
I have just seen that the last Chrome, v. 57, doesn't trust StartCom certificates at all, even the ones issued before October 21, 2016. With Mozilla/Firefox no problem, only certs issued after October 21, 2016 are untrusted.
Google was unclear about the status of these older certificates:
https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
I contacted StartCom about that:
From Chrome 57, all our SSL certs are not trusted in it. Even the certs issued before 21st Oct 2016. We raised issue with Google about it and did get any response why they distrusting certificates issued even before StartCom was bought. So now there is no solution to solve this problem. We wish we could do more for you, but unfortunately, we can do nothing because of the sanction of Chrome until we will be back in trusts. We will take several months to regain trust.
I find the behavior of Google a bit silly. For WoSign itself ok, but StartCom was in the SSL certs business for a long time, without problems until the new owner WoSign (now out) did fuck them up.
I think customers with pre-21.10.16 EV and OV certs should complain to Google.
For the time being, in order to get working certs on Chrome also, I went to buy at gogetssl.com
Comments
I'd say Google was fairly clear about the status of all StartCom certificates:
The above looks like a warning that StartCom customers needed to get certs from elsewhere to replace their StartCom certs. While I'd agree that not waiting for the certs to expire is annoying, StartCom is an untrusted root at this point; the fact that Google didn't pull their trust in them completely and instead chose to wait almost 5 months is impressive by itself.
That is absolutely not true.
30 seconds - Install LetsEncrypt, run certbot, done.
Thank you for compiling this list. I had started to do similar, but then gave up and decided that I trusted nobody.
In 2008, former StartCom owner (Eddy Nigg) didn't misbehave, but exposed a flaw:
https://blog.startcom.org/?p=145
The Mozilla guy, who was not even able to name StartCom correctly (wrote SmartCom), interpreted this as a fraud
https://bugzilla.mozilla.org/show_bug.cgi?id=471702
When criticized, he then qualified it as "unprofessional bashing of his competitors". Well...
The wrongdoing has been since the WoSign ownership, somewhere in 2014/2015, and in the first place by not announcing it. It seems the (former...) new boss taking over after Nigg did approve the backdating of SHA-1 certificates:
http://news.softpedia.com/news/chinese-https-provider-wosign-fires-ceo-after-back-dating-certificate-fiasco-509140.shtml
What a coincidence! See the troubles of Symantec now...
I don't understand what this thread is about: did you have a question you wanted answered? I clicked it because I used a StartCom certificate some years back, but don't see any issue here.
I was wondering if there would be reactions from StartCom customers here, about Google policy. That's all. Never mind.
Oh I see. My StartCom certificate expired before the WoSign acquisition so I wasn't affected by the trust revocation. It was a free certificate anyway and as I remember, there was some lead time to get other certificates between when the distrust was announced and when it actually went into effect. So I'd have just shrugged my shoulders and gotten another one somewhere.
StartCom was crap in various ways long before getting with WoSign. I don't miss them. Symantec getting clobbered may convince sketchy CAs to take this stuff more seriously.
All WoSign certificates, even issued before Oct 2016, are not being trusted by them. Let's Encrypt all the way.
The WoSign acquisition of StartCom happened on November 1, 2015 (source). The ca-incidents list I provided lists multiple incidents before that date.
StartCom was absolutely misbehaving before the WoSign acquisition, and I'm not just referring to the 2008 incident.