StartSSL: finally, a trustworthy certifier*

Published by Jon on June 13th, 2011 in Debian, Tech

Matt Brown writes about StartCom, the Israeli issuer providing basic SSL certificates for nothing.

In fact I’ve been using StartSSL certificates for about three years now, but I have them issued under Class 2 (identity) verification, which incurs a fee. (It’s more expensive now than when I was first validated, but still good value.)

StartCom are the only issuer I’ve ever dealt with who work like this. They validate the individual, using:

This makes me trust them far more than other issuers, who don’t bother with any meaningful validation at all. Their approach is to establish identity, then allow you to:

Although this does not by itself establish trust (a valid SSL certificate tells you whose server you are talking to; it says nothing about what happens to your data once it arrives), it does make me much happier to see a CA taking proper verification measures instead of just handing out certificates at random. It is also much cheaper for me: I am verified once and can then issue as many certificates as I need. Highly recommended.

*that is, more trustworthy

7 Responses to “StartSSL: finally, a trustworthy certifier*”

  1. Asheesh Laroia Says:

    “Being verified once and then issuing as many certificates as I need” seems really useful to me. Can you explain more about the process for doing that?

    I tried to find it on the StartCom website, but actually had some trouble.

  2. Jon Says:

    Asheesh, sure. The process is:
    – undergo Class 2 identity verification and pay the fee
    – for each domain, verify it by getting a code by email
    – within thirty days issue one or more certificates for that domain (you can mix domains on the same certificate)

    Repeat steps 2 and 3 for a year.
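
The subscriber’s side of steps 2 and 3 above, as an added example that is not part of the original post or of StartCom’s own tooling: generate a server key and a certificate signing request that lists several verified domains as subjectAltName entries (the “mix domains on the same certificate” case), then parse the request back to confirm exactly which names it asks for before uploading it. It assumes the CA accepts a CSR you generate yourself and that a 2048-bit RSA key is acceptable; the domain names are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
)

// BuildCSR generates a fresh 2048-bit RSA key (assumed acceptable to the CA)
// and a PKCS#10 request whose Common Name is the first domain and whose
// subjectAltName extension lists every domain, so that a single certificate
// covers several names you have verified. Both are returned PEM-encoded.
func BuildCSR(domains []string) (keyPEM, csrPEM []byte, err error) {
	if len(domains) == 0 {
		return nil, nil, errors.New("at least one domain is required")
	}
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: domains[0]},
		DNSNames: domains, // every name, including the CN, goes into the SAN extension
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{
		Type:  "RSA PRIVATE KEY",
		Bytes: x509.MarshalPKCS1PrivateKey(key),
	})
	csrPEM = pem.EncodeToMemory(&pem.Block{
		Type:  "CERTIFICATE REQUEST",
		Bytes: der,
	})
	return keyPEM, csrPEM, nil
}

// InspectCSR parses a PEM request, verifies its self-signature (proof that the
// submitter holds the private key, the check a CA performs on upload) and
// returns the CN and the SAN DNS names. Read these before submitting: every
// name listed must be one the CA has already verified for you.
func InspectCSR(csrPEM []byte) (cn string, sans []string, err error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", nil, errors.New("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", nil, fmt.Errorf("request signature does not verify: %w", err)
	}
	return csr.Subject.CommonName, csr.DNSNames, nil
}

func main() {
	// Constructed example names; replace with the domains you verified with the CA.
	keyPEM, csrPEM, err := BuildCSR([]string{"example.com", "www.example.com", "example.net"})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	cn, sans, err := InspectCSR(csrPEM)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("CN=%s SAN=%v\n", cn, sans)
	// The key stays local (mode 0600); only server.csr is sent to the CA.
	if err := os.WriteFile("server.key", keyPEM, 0o600); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if err := os.WriteFile("server.csr", csrPEM, 0o644); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Run it, then paste the contents of server.csr into the CA’s request form; the private key never leaves your machine. Listing the SANs before submission is how you catch a typo or a name you have not yet verified, rather than finding out when the request is rejected.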

  3. Philipp Kern Says:

    But I’d really need to pay 60 USD every year? Mhhh… ):

    (Yes, I know that’s much less than other CAs want, given enough certificates issued. Except for CAcert…)

  4. Ben Says:

    To clarify a bit what Jon said, you only need to verify a domain in order to get a certificate for that domain, and you may wait up to 30 days after verifying a domain before requesting a certificate. After 30 days you will need to re-verify your domain if you haven’t gotten a certificate for it yet, but you don’t need to if you already got one.

    From what I could tell, you can only get one certificate per (verified) domain, e-mail address…but I may have missed something.

  5. Kint Says:

    http://www.h-online.com/security/news/item/Attack-on-Israeli-Certificate-Authority-1264008.html

  6. Corsac Says:

    Hmhm, advertising StartSSL might not have been a good idea, they’ve just been compromised:

    Due to a security breach that occurred at the 15th of June, issuance of digital certificates and related services has been suspended. Our services will remain offline until further notice.

    Subscribers and holders of valid certificates are not affected in any form.

    Visitors to web sites and other parties relying on valid certificates are not affected.

    We apologize for the temporary inconvenience and thank you for your understanding.

  7. Brad Says:

    They’re back up, no false certs issued or private keys stolen. More info here.

    http://www.theregister.co.uk/2011/06/21/startssl_security_breach/

    Amazing to me how little the company bothered to communicate their situation. I have a class2 cert with them and would certainly want their assurance that docs I provided them were not compromised / stolen etc.