StartSSL: finally, a trustworthy certifier*


Matt Brown writes about StartCom, the Israeli issuer providing basic SSL certificates for nothing.

In fact I’ve been using StartSSL certificates for about three years now, but I get them issued under Class 2 (identity) verification, which incurs a fee. (It’s more expensive now than when I was first validated, but still good value.)

StartCom are the only issuer I’ve ever dealt with who work like this. They validate the individual, using:

  • two forms of government ID
  • third-party background checks
  • telephone verification at a number of their choosing, based on the checks

This makes me trust them far more than other issuers, who do no meaningful validation of the person applying. Their approach is to establish identity first, then allow you to:

  • validate domains and issue as many certificates as you wish, valid for two years, including SAN and wildcard certificates
  • validate email addresses and issue client (S/MIME) certificates in your name
  • issue code signing and XMPP certificates
  • undertake stringent Organisation Validation, and then issue certificates in a company name as well as an individual
  • validate other individuals with a web-of-trust arrangement, like CAcert
  • undergo Extended Validation and issue EV certificates
  • if you have an unspecified amount of money, become a private CA yourself

Although identity validation is not the same as trust (the presence of an SSL certificate doesn’t guarantee the data you send is safe upon arrival), it does make me much happier to see a CA taking proper verification measures instead of just handing out certificates at random. It’s much cheaper for me too: verified once, then issuing as many certificates as I need. Highly recommended.

*that is, more trustworthy

7 Comments

  1. “Being verified once and then issuing as many certificates as I need” seems really useful to me. Can you explain more about the process for doing that?

    I tried to find it on the StartCom website, but actually had some trouble.

    1. Jon says:

      Asheesh, sure. The process is:
      – undergo Class 2 identity verification and pay the fee
      – for each domain, verify it by getting a code by email
      – within thirty days issue one or more certificates for that domain (you can mix domains on the same certificate)

      Repeat steps 2 and 3 for a year.

  2. Philipp Kern says:

    But I’d really need to pay 60 USD every year? Mhhh… ):

    (Yes, I know that’s much less than other CAs want, given enough certificates issued. Except for CAcert…)

  3. Ben says:

    To clarify a bit what Jon said, you only need to verify a domain in order to get a certificate for that domain, and you may wait up to 30 days after verifying a domain before requesting a certificate. After 30 days you will need to re-verify your domain if you haven’t gotten a certificate for it yet, but you don’t need to if you already got one.

    From what I could tell, you can only get one certificate per (verified) domain, e-mail address…but I may have missed something.

  4. Corsac says:

    Hmhm, advertising StartSSL might not have been a good idea, they’ve just been compromised:

    Due to a security breach that occurred at the 15th of June, issuance of digital certificates and related services has been suspended. Our services will remain offline until further notice.

    Subscribers and holders of valid certificates are not affected in any form.

    Visitors to web sites and other parties relying on valid certificates are not affected.

    We apologize for the temporary inconvenience and thank you for your understanding.

  5. Brad says:

    They’re back up, no false certs issued or private keys stolen. More info here.

    http://www.theregister.co.uk/2011/06/21/startssl_security_breach/

    Amazing to me how little the company bothered to communicate their situation. I have a Class 2 cert with them and would certainly want their assurance that docs I provided them were not compromised / stolen etc.
