StartCom
Type | Private company
Industry | Internet security, public key infrastructure
Founded | 1999
Founder | Eddy Nigg
Headquarters | Beijing, China
Area served | Worldwide
Key people | Iñigo Barreira (CEO), Tan Xiaosheng (Chairman), Yang Qing
Owner | Qihoo 360 Group
Parent | StartCom CA Ltd. (UK), StartCom CA Ltd. (HK)
Website | www.startssl.com
StartCom is a certificate authority based in Eilat, Israel, with three main activities: StartCom Linux Enterprise (a Linux distribution), StartSSL (the certificate authority) and MediaHost (web hosting). StartCom has since opened branch offices in China, Hong Kong, the United Kingdom and Spain.[1]
StartCom was acquired by WoSign Limited (Shenzhen, China) through a chain of holding companies[lower-alpha 1] without the transaction being disclosed; the purchase came to light during the Mozilla investigation[2] that led to the removal of the WoSign and StartCom root certificates in 2016. Following the sanctions imposed by Mozilla and Apple,[3][4] WoSign's owner, Qihoo 360 Group (Beijing), announced that the companies would be restructured during 2016 so that StartCom is separated from the scandal-affected WoSign and held as a wholly owned subsidiary of Qihoo 360.[lower-alpha 2][5]
StartSSL
StartCom offers a free Class 1 X.509 certificate, "StartSSL Free", usable both for web servers (SSL/TLS) and for e-mail encryption and signing (S/MIME). It also sells Class 2 and Class 3 certificates as well as Extended Validation certificates, which require more thorough, paid identity validation.
In June 2011 the company suffered a network breach and suspended issuance of certificates and related services for several weeks.[6] The attacker did not manage to issue any certificates; of the six certificate authorities breached by the same attacker, StartCom was the only one where issuance was blocked.[7]
Trustworthiness
The StartCom root certificate is included by default in Mozilla Firefox 2.x and later, in Apple Mac OS X since version 10.5 (Leopard), in all Microsoft operating systems since 24 September 2009[8][9] and in Opera since 27 July 2010.[10] Because Google Chrome, Apple Safari and Internet Explorer rely on the operating system's certificate store rather than shipping their own, this meant that all major browsers accepted StartSSL certificates.
On 30 September 2016, during the WoSign investigation, Apple announced that its software would no longer accept certificates issued by the WoSign intermediate "WoSign CA Free SSL Certificate G2" after 19 September 2016, and that further action on the WoSign and StartCom trust anchors would follow as the investigation progressed.[4]
On 24 October 2016 Mozilla announced on its security blog that, having discovered during its investigation of numerous issues at WoSign that WoSign had bought StartCom and that neither CA had disclosed the transaction,[11] Firefox 51 would stop trusting certificates from either CA whose notBefore date is later than 21 October 2016.[12] On 1 November 2016 Google announced that Chrome 56 would apply the same cutoff.[13] Because the distrust was keyed to the issuance date rather than applied to the roots wholesale, certificates issued before the cutoff continued to validate in those browsers.
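The distrust described above was scoped by issue date rather than by removing the roots outright: a verifier first builds and validates the chain as usual, then rejects any chain that ends in one of the affected roots if the leaf's notBefore is later than the cutoff. The Go program below is an illustration added to this article, not code from Mozilla, Google or StartCom; it generates a throwaway root and server certificate with chosen Organization and notBefore values and applies that rule. The organization strings, the hostname "example.test" and the decision to match roots by Organization (the browsers pinned the specific root certificates) are assumptions made to keep the example self-contained.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Cutoff taken from the Mozilla and Google announcements: certificates with
// a notBefore later than this date are not trusted if they chain to a listed root.
var distrustCutoff = time.Date(2016, 10, 21, 0, 0, 0, 0, time.UTC)

// Roots the rule applies to. Matching on Organization is an assumption of
// this example; real browsers matched the specific root certificates.
var distrustedRootOrgs = map[string]bool{
	"StartCom Ltd.":     true,
	"WoSign CA Limited": true,
}

// testChain is a constructed root plus leaf for one scenario.
type testChain struct {
	Leaf *x509.Certificate
	Root *x509.Certificate
}

// newTestChain builds a throwaway root CA with the given Organization and a
// server certificate for "example.test" with the requested notBefore. These
// are generated on the fly and are not real StartCom or WoSign certificates.
func newTestChain(rootOrg string, leafNotBefore time.Time) (*testChain, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{rootOrg}, CommonName: rootOrg + " Test Root"},
		NotBefore:             time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    leafNotBefore,
		NotAfter:     leafNotBefore.AddDate(3, 0, 0), // three-year validity, as StartSSL Free offered
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &testChain{Leaf: leaf, Root: root}, nil
}

// verifyWithDistrust runs ordinary path validation, then applies the date-scoped
// rule: a validated chain ending in a listed root is rejected when the leaf's
// notBefore is later than the cutoff. Older certificates keep validating.
func verifyWithDistrust(c *testChain, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	chains, err := c.Leaf.Verify(x509.VerifyOptions{DNSName: "example.test", Roots: roots, CurrentTime: now})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		root := chain[len(chain)-1]
		for _, org := range root.Subject.Organization {
			if distrustedRootOrgs[org] && c.Leaf.NotBefore.After(distrustCutoff) {
				return fmt.Errorf("issued %s, chains to %q: distrusted for issuance after %s",
					c.Leaf.NotBefore.Format("2006-01-02"), org, distrustCutoff.Format("2006-01-02"))
			}
		}
	}
	return nil
}

func main() {
	now := time.Date(2016, 11, 15, 0, 0, 0, 0, time.UTC)
	for _, tc := range []struct {
		org       string
		notBefore time.Time
	}{
		{"StartCom Ltd.", time.Date(2016, 10, 1, 0, 0, 0, 0, time.UTC)}, // before cutoff: accepted
		{"StartCom Ltd.", time.Date(2016, 11, 1, 0, 0, 0, 0, time.UTC)}, // after cutoff: rejected
		{"Other CA", time.Date(2016, 11, 1, 0, 0, 0, 0, time.UTC)},      // unlisted root: accepted
	} {
		c, err := newTestChain(tc.org, tc.notBefore)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-14s issued %s -> %v\n", tc.org, tc.notBefore.Format("2006-01-02"), verifyWithDistrust(c, now))
	}
}
```

The check is deliberately applied after normal validation so that an attacker cannot bypass it by presenting an alternative path: every chain the verifier accepts is examined, and the decision depends only on the leaf's notBefore, which the issuing CA controls and cannot change on an already signed certificate.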
Limitations of StartSSL Unlimited Free Certificates
While certificates are free and unlimited for certain uses, the free tier carries limitations that are lifted only with a paid upgrade:
- Three-year certificate validity
- Certificate revocation requires a fee
Response to Heartbleed
On 13 April 2014, StartCom announced[14] a FAQ page[15] on Heartbleed, a critical bug in OpenSSL estimated to have left 17% of the Internet's secure web servers vulnerable to data theft, including theft of server private keys.
StartCom's policy is to charge US$25 for each revocation, and it refused to waive the fee for certificates whose private keys may have been exposed by Heartbleed, although some paying customers were granted a single free revocation.[16][17][18][19] This led many to question whether StartCom should remain a trusted certificate authority.[20] Even when presented with proof that a certificate's private key had been compromised, StartCom refused to revoke it without payment, leaving the certificate trusted after the CA itself knew the key was compromised.[21]
Criticism
In August 2016 it was reported that StartCom had been sold to WoSign, a Chinese CA.[11][22][23] The original disclosure was taken down for legal reasons,[24] but repostings of the original articles remain available.[22] The exact relationship is unclear, but StartCom's technical infrastructure appears to have been in use by WoSign when WoSign was caught issuing about a hundred[25] improperly validated SSL certificates, including one for github.com.[11][26]
Footnotes
- 1. Structure as of October 2016: WoSign CA Limited (Hong Kong) → StartCom CA Limited (HK) → StartCom CA Limited (UK)
- 2. Planned restructure as of October 2016, to be implemented by the end of 2016: through the company chain Qihoo 360 → Qifei Int'l Development Ltd. (HK) → StartCom CA Ltd. (HK), which owns 100% of StartCom (CH) and StartCom CA Ltd. (UK), which in turn owns StartCom Ltd. (Israel) and StartCom CA Ltd. (Spain)
References
1. "About StartCom". The Register. 26 April 2016. Retrieved 7 June 2016.
2. Mozilla (10 October 2016). "WoSign and StartCom". Retrieved 25 October 2016.
3. Apple Inc. (30 September 2016). "Blocking Trust for WoSign CA Free SSL Certificate G2 (iOS)".
4. Apple Inc. (30 September 2016). "Blocking Trust for WoSign CA Free SSL Certificate G2 (macOS)".
5. Qihoo 360 Group (14 October 2016). "StartCom Remediation Plan" (PDF). Retrieved 25 October 2016.
6. "Web authentication authority suffers security breach". The Register. 26 June 2011. Retrieved 14 January 2012.
7. "How StartCom Foiled Comodohacker: 4 Lessons". InformationWeek. 8 September 2011. Retrieved 20 December 2012.
8. "Microsoft Adds Support for StartCom Certificates" (press release). StartCom.org. 24 September 2009. Retrieved 14 January 2011.
9. "Microsoft updates trusted root certs to include StartCom". Sophos Naked Security blog. 27 September 2009.
10. "New Roots, new EV, and a new Public Suffix file". Opera.com Rootstore blog.
11. "CA:WoSign Issues - MozillaWiki". Retrieved 25 October 2016.
12. "Distrusting New WoSign and StartCom Certificates". Mozilla Security Blog. 24 October 2016. Retrieved 25 October 2016.
13. "Distrusting WoSign and StartCom Certificates". Google Online Security Blog. Retrieved 2 November 2016.
14. "Twitter / startssl: We released a small FAQ page ...". StartCom. 13 April 2014.
15. "Heartbleed F.A.Q.". StartCom. 13 April 2014.
16. Geoff (9 April 2014). "I use StartCom, and I revoked and re-keyed yesterday. In the revocation reason, ...". Hacker News.
17. J. Breitsprecher (11 April 2014). "Twitter / codeawe: @tonylampada @startssl ...".
18. Jan (9 April 2014). "Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")".
19. arnowelzel (10 April 2014). "Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")".
20. "Most StartSSL certs will stay compromised". 9 April 2014.
21. "StartSSL, please revoke me!". 12 April 2014. Archived from the original on 12 April 2014.
22. "Thoughts and Observations: WoSign's secret purchase of StartCom; WoSign threatened legal actions over the disclosure". www.percya.com. Retrieved 8 September 2016.
23. "Thoughts and Observations: StartCom operated solely by WoSign in China - an analysis of the new StartCom website". www.percya.com. Retrieved 8 September 2016.
24. https://letsphish.org
25. https://groups.google.com/d/topic/mozilla.dev.security.policy/k9PBmyLCi8I/discussion
26. "The story of how WoSign gave me an SSL certificate for GitHub.com".