1. 36
  1.  

  2. 20

    Woah, the dinosaur grew some teeth. I stand corrected.

    I never thought they’d pull the plug on a big player like StartCom because it would break websites, so the way they’re doing it – only rejecting new certificates – isn’t a bad plan.

    I hope this will be the approach moving forward, so the next time Comodo does this or Symantec does this, they get the chop too. Suddenly, CAs screwing up might actually have consequences.

    1. 4

      Agreed. I hope browser developers and other packagers of cert bundles follow suit. SSL/TLS are imperfect but until we adopt something better we have to hold the certificate authorities to the highest standards of trust. The only way to do that is to penalize them when they break the trust.

      Ok, so how about Symantec next?

      1. 1

        I’m curious whether other browser vendors will follow suit or if they won’t have to because there won’t be a WoSign left to trust in a year or two.

      2. 5

        Incredibly disappointing. Irrespective of the consequences they suffer, and I think Mozilla’s proposal of a year-long ban on new certificates is both reasonably punitive without being disproportionate, I’ll be moving all the networks I manage off of StartCom. Which is a shame, as I did like their service, but integrity and security come first, and they’ve failed.

        On a related note, across my half-dozen StartCom accounts, I have not received any notification of a change of business ownership at any point. That may not be legally required, but I’d certainly suggest it’s ethically important that customers are apprised of such a change, particularly given the business operates in the security industry.

        1. 4

          I’ll be moving all the networks I manage off of StartCom

          I’m surprised anyone is still, or even was, using their service. I’m talking specifically here about the “free” certificates. If you had some other kind of business relationship with them, that may have been different, of course. They sucked long before WoSign came into the picture, as they charged you for revoking certificates (in case of a breach) and were lagging behind in SHA256 adoption. Taking this into consideration, they were more expensive than the competition. I’d call that pretty irresponsible, both of StartCom and of anyone using their “free” service. So, the signs were already there for a long time…

          1. 3

            You aren’t alone in that transition. As a university student, I was using StartCom because it was fast, easy, and free to use. I, by chance, sparked curiosity in switching over to Let’s Encrypt over a month ago before this whole fiasco involving WoSign/StartCom emerged, so I have been lucky to avoid my website getting any negative certificate reputation.

            I would imagine that if Mozilla does take significant action, there will emerge a unique website to alert webmasters about the need to replace their certificates.

          2. 2

            Who makes the final decision to adopt this plan? Doesn’t WoSign just immediately file a lawsuit and tie this up in court forever?

            1. 5

              Lawsuit on what grounds?

              1. 5

                Tortious interference or promissory estoppel or detrimental reliance or something. I mean, Mozilla did set themselves up as gatekeepers, and they’re obviously aware their actions will have a detrimental effect on business…

                1. 1

                  So WoSign would sue Mozilla for not trusting companies (WoSign, Ernst & Young) which clearly have neglected and breached the terms of the service they were supposed to provide? WoSign literally is the gatekeeper; Firefox/Chrome/me/you are just users of the gatekeeper service, and we all have the freedom not to trust them anymore. I don’t see how any fair legal system could come to the conclusion that Mozilla has done some harm to WoSign: they operate in a trust-based business and they threw it all away by themselves in their short-sighted greed.

                2. 4

                  The better question is, lawsuit where? WoSign is Chinese, StartCom is Israeli, and Mozilla is US-based. There’s no venue where any of them can sue each other.

                  1. 3

                    Foreign companies can sue US companies in the US. Happens all the time. Samsung sued Apple.

              2. 2

                Some corporations work hard at providing free, high-quality services; other corporations work hard at high-quality bans on free services.