... does nobody here understand what StartSSL is doing?
Guys, they're giving you a certificate to identify yourself with. You add it in your browser. You go to their website, and you don't need a username or password to log in. This certificate is much more secure than normal credentials.
Is the concept of authentication without a username+password that lost on you? It's like an SSH key except your username is embedded in it, too.
I had used StartSSL years ago and forgot about this. Not reading all the text, I expected the usual login/password prompt and hoped for a "reset password" form. Getting a browser SSL error interrupted that flow.
Now that I know, it makes more sense, but I'm going to take the position that this is a UX fail. Whether the browser's (which didn't even prompt me for a cert) or StartSSL's (who could've made this clearer), I don't know.
Any input action that you do on their site will direct you to SSL. Though they should probably use HSTS and redirect all their users beforehand.
>I get a TLS fail (ssl_error_handshake_failure_alert)
That happens to me when I am on one particular provider myself. It concerns me that those providers are doing something with https connections causing them to break on their site.
* StartSSL.com itself doesn't use SSL, so it could be hijacked
* I get a TLS fail (ssl_error_handshake_failure_alert) on https://auth.startssl.com on Firefox 32
I'd call the first a red flag, the second a critical fail. This is the entry point to SSL on the web?