StartSSL, Lost Authentication Certificate; What to do ?

Mahfuz_SS_EHL

Hi,

I heard the name of StartSSL in Q1 of 2014. I didn't try it then. But, 2 Days ago, with My utter curiousness, I opened an Account with them. They verified it. Then, it tried to import a Certificate.

The thing is that I was using My LG Optimus G Pro to do these. It couldn't import the certificate. But, for the cookies, it worked well. However, later on, the cookies got expired & Now I get SSL Protocol or Cipher Mismatch and their authentication link doesn't open up.

I issued a Certificate yesterday. But, I have to login to get that. Is there any way to login now ??

Wouldn't the Password work which I used to sign up? Then, why this complex method has been implemented ??

Thanks,
Mahfuz.

cassa

Register a new account and ask the staff to add the SSL certificate to your account

TACServers

The password will no longer work at this point, you are going to need to have that personal cert. It is what identifies you as the verified account owner. Usernames and passwords are easier to figure out than an entire certificate, which is why it is required.

Sadly, all you can do is create a new account from a computer, and issue a new SSL cert on a different sub-domain. You'll have to wait for the certs that were created on your phone to expire, as you cannot log into the original account to revoke them.

socials

Contact them.

They'll tell you to register a new account and after that they can merge the two.

TACServers

@cassa said:
Register a new account and ask the staff to add the SSL certificate to your account

I would not trust StartSSL if they do this for the OP. Cert's are validated against the user, real personal identification, then business documentation, depending on the level. If they change the SSL owner after validation, it would seem SSL is a joke. How would StartSSL be able to verify you were the owner of the last cert, and that you should have it transferred?

4n0nx

cncking2000 said:

I would not trust StartSSL if they do this for the OP. Cert's are validated against the user, real personal identification, then business documentation, depending on the level. If they change the SSL owner after validation, it would seem SSL is a joke. How would StartSSL be able to verify you were the owner of the last cert, and that you should have it transferred?

Eh? It's only domain/email validation soo...

TACServers

@4n0nx said:
Eh? It's only domain/email validation soo...

Strictly speaking, the domain has already been validated against his original email account. They should revoke and reissue the cert, which as far as I know, is not free. His original account email will be in the subject on the first cert, and will not be accurate if his account is being used with a different email address. Editing anything should require reissuing the SSL cert.

cassa

@cncking2000 said:
I would not trust StartSSL if they do this for the OP. Cert's are validated against the user, real personal identification, then business documentation, depending on the level. If they change the SSL owner after validation, it would seem SSL is a joke. How would StartSSL be able to verify you were the owner of the last cert, and that you should have it transferred?

Same email domain is needed and you remember, an SSL certificate needs a private key?

TACServers

@cassa said:
Same email domain is needed and you remember, an SSL certificate needs a private key?

Sure. But an SSL provider should require revocation and reissuing, not just moving to a new account. Subject of the SSL cert would not be correct in that case. I am not worried about the lack of security, just doesn't feel right. I can't be the only one that feels that validated secure data should not be shared outside of the validated account?

4n0nx

cncking2000 said: Sure. But an SSL provider should require revocation and reissuing, not just moving to a new account.

Oh pls. Anyone can just get Cloudflare to get "valid" SSL.

TACServers

@4n0nx said:

Sure... Free CF SSL is a valid SSL. Thanks for stating the obvious. Now, let's think about that. How does the CF SSL cert prove that I am connecting to the company that I intended to, and not some hacked server someone pointed CF to? Sure the SSL works, but it's intention is greatly diminished when all you can use it for is to verify that someone is not wanting to pay for CF Pro, or unable to setup their own valid SSL. CF SSL does not work to validate ownership of the domain your purchasing from, sharing information with, or whatever your needing to have encrypted.

4n0nx

cncking2000 said: Sure... Free CF SSL is a valid SSL. Thanks for stating the obvious. Now, let's think about that. How does the CF SSL cert prove that I am connecting to the company that I intended to, and not some hacked server someone pointed CF to? Sure the SSL works, but it's intention is greatly diminished when all you can use it for is to verify that someone is not wanting to pay for CF Pro, or unable to setup their own valid SSL. CF SSL does not work to validate ownership of the domain your purchasing from, sharing information with, or whatever your needing to have encrypted.

https://www.ssllabs.com/ssltest/analyze.html?d=tacservers.net&s=104.28.0.109&hideResults=on&latest

TACServers

@4n0nx said:
https://www.ssllabs.com/ssltest/analyze.html?d=tacservers.net&s=104.28.0.109&hideResults=on&latest

Sweet! Got an A. Your point being? I use CF for most, but not all of my domains and associated subdomains. As there is nothing really needing security on this domain, as there is no login fields, or any sensitive data, I don't have an issue with it. Important domains are bypassing CF and using their own SSL. With the amount of folks running ApacheBench or some other L7 Stressor against posted offers, I'd rather keep the static site online during the nonsense.