Good god. I knew StartSSL was bad, but not this bad.
I usually buy certs either through Gandi.net (which has a good "free certificate" program with its own domains), or COMODO through Namecheap as a reseller.
What would you expect if you are not paying for the cert? For me, revocation was not an issue. I just got a new cert under a different subdomain, as I don't use subdomains on my personal site and the main domain is added as an alt name.
What I would expect is for every CA to comply with the CA/B Forum Baseline Requirements, § 10.2.4:
>If the CA or any of its designated RAs become aware that a Subscriber’s Private Key has been communicated to an unauthorized person or an organization not affiliated with the Subscriber, then the CA SHALL revoke all certificates that include the Public Key corresponding to the communicated Private Key.
There is no "if you pay them" condition to that. CAs are not supposed to make, or allow to stand, any signature on a compromised key—period.
Startcom's refusal to revoke all compromised public keys communicated to them after Heartbleed, and in fact their practice of charging for any revocation in general, is not in compliance with the baseline requirements for a CA.
As a result, Startcom should be removed from all browsers as a trusted CA. Let's Encrypt would be a very good replacement, especially if they also offer keys using ECC P-256 (and perhaps a subsequent replacement ECC algorithm).
That's not a correct response to Heartbleed... It could have been easily exploited to get your private key and certificate, and not revoking it leaves it valid.
It's quite reasonable pricing. It's less than most CAs do for a one-year certificate, and revoking it is more work than issuing it in the first place.
They are not without fault, but they've done much good for open source projects and the like, and don't deserve the bad rap thrown at them in every thread that mentions SSL.
There was no bad rap in the thread until btreecat decided to be an ass. The only other subthread mentioning startssl is https://news.ycombinator.com/item?id=8904105 which only notes that, as far as he can see, letsencrypt is similar to startssl's delivery/validation process and seems to be vulnerable to mitm.
And also, you'll need an IP address for each subdomain hosted, which can rack up costs. Though most "modern" browsers and OSes support SNI, so this is less of a problem now.
False. I was able to get two certs issued for different subdomains for free. This was how I got around them charging $25 for revocation during Heartbleed. I use the alt name in the certs as is.
I meant for hosting providers, if you are on any type of hosting provider that doesn't have a dedicated IP assigned to you, such as in the case of "shared" hosting. If the service supports SNI (Server Name Indication) then a dedicated IP is not necessary; the only complication is that if your site needs to support older browsers and/or OSes, SNI may not work.
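The following is an added example, not code from anyone in this thread or from StartCom, that puts the two technical points raised above into working Go. It shows a single loopback address:port serving a different certificate per hostname by selecting on the ClientHello server_name (the SNI mechanism from the last few comments, including what a client that sends no SNI gets), and, for the Baseline Requirements clause quoted earlier, a check that finds every certificate carrying the public key of a leaked private key, which is the set that clause says must be revoked. The hostnames (www/blog/mail.example.test), the self-signed certificates and the scenario of one key being reused for a second certificate on another subdomain are all constructed for the example; certificate verification is disabled on the client only because the certificates are self-signed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"time"
)

// newKey generates a fresh ECDSA P-256 key.
func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// selfSigned issues a throwaway self-signed certificate for host with the given
// key. Constructed test material only, standing in for a CA-issued certificate.
func selfSigned(host string, key *ecdsa.PrivateKey) tls.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serveSNI listens on one loopback address:port holding a certificate per hostname
// and picks one from the ClientHello server_name. A client that sends no SNI (a
// pre-SNI browser, or anything dialing a bare IP) gets the fallback cert, which is
// why shared hosting needed one IP per certificate before SNI.
func serveSNI(certs map[string]tls.Certificate, fallback string) (net.Listener, error) {
	cfg := &tls.Config{GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		c, ok := certs[h.ServerName]
		if !ok { // "" (no SNI) or an unknown name
			c = certs[fallback]
		}
		return &c, nil
	}}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	srv := &http.Server{TLSConfig: cfg}
	go srv.ServeTLS(ln, "", "") // accept, complete the handshake, then speak HTTP
	return ln, nil
}

// presentedNames connects with the given SNI value ("" sends none) and returns the
// DNS names on the leaf the server chose. Verification is skipped only because the
// certs are self-signed test material.
func presentedNames(addr, sni string) ([]string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].DNSNames, nil
}

// mustRevoke names every certificate carrying the public key that corresponds to a
// leaked private key: the set the quoted BR clause obliges the CA to revoke, whatever
// subject or SANs each was issued with. Certificates with other keys are untouched.
func mustRevoke(leaked *ecdsa.PrivateKey, certs ...tls.Certificate) []string {
	var names []string
	for _, c := range certs {
		if leaked.PublicKey.Equal(c.Leaf.PublicKey) {
			names = append(names, c.Leaf.DNSNames...)
		}
	}
	return names
}

func main() {
	// Constructed scenario: a Heartbleed-exposed key reused for a second cert on another
	// subdomain instead of being revoked, plus an unrelated cert with a fresh key.
	leaked, fresh := newKey(), newKey()
	www, blog, mail := selfSigned("www.example.test", leaked), selfSigned("blog.example.test", leaked), selfSigned("mail.example.test", fresh)
	ln, err := serveSNI(map[string]tls.Certificate{"www.example.test": www, "blog.example.test": blog, "mail.example.test": mail}, "www.example.test")
	if err != nil {
		panic(err)
	}
	for _, sni := range []string{"blog.example.test", "mail.example.test", ""} {
		names, _ := presentedNames(ln.Addr().String(), sni)
		fmt.Printf("SNI %q -> certificate for %v\n", sni, names)
	}
	fmt.Println("must revoke:", mustRevoke(leaked, www, blog, mail))
}
```

Run it with `go run`. The dial with an empty ServerName goes to a bare IP, so no SNI extension is sent and the server falls back to the www certificate, which is exactly what a pre-SNI browser would be shown on a shared IP. mustRevoke lists both names issued on the leaked key and leaves the fresh-key certificate alone: getting a second certificate on another subdomain does nothing for a compromised key if the key is the same.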
StartCom (or any CA) doesn't care about IP addresses.
So what you are saying is that because you can get an SSL cert free from startcom, that your hosting provider is paying you?
https://www.startssl.com/?app=1