[ale] Oct News: StartCom, WoSign distrusted by Mozilla, Google, Apple

Jeremy T. Bouse jeremy.bouse at undergrid.net
Mon Jan 30 16:11:45 EST 2017


On 1/30/2017 4:04 PM, Lightner, Jeffrey wrote:
>
> +1
> We started using Digicert instead of Verisign a few years back and
> other than the need to install new root certificates on some of our
> stuff that didn’t know about Digicert early on we haven’t had any
> issues.  
>
>  
>
> *From:* ale-bounces at ale.org [mailto:ale-bounces at ale.org] *On Behalf Of* James Sumners
> *Sent:* Monday, January 30, 2017 3:41 PM
> *To:* Atlanta Linux Enthusiasts
> *Subject:* Re: [ale] Oct News: StartCom, WoSign distrusted by Mozilla,
> Google, Apple
>
>  
>
> We use DigiCert at work and haven't ever had any issues. I actually
> really like their support and information they have in their help section.
>
>  
>
> Personally, I use letsencrypt.org. The official client is awful, but
> this one is great -- https://github.com/hlandau/acme
>
>  
>
> On Mon, Jan 30, 2017 at 3:08 PM, Brian W. Neu <ale at advancedopen.com> wrote:
>
> Randomly logged into my StartCom account today to see all kinds of red
> text about free verifications and expirations and workarounds.
>
> Through a little reading, it's clear that the Mozilla Foundation and
> Google have both announced that they are distrusting the StartCom and
> WoSign CAs due to deceptive practices unbecoming of a certificate
> authority.  The short story is that WoSign, a Chinese company claiming
> 70% of the certificate market in China, was allowing for the
> backdating of new SHA1 signings to avoid some kind of sunset imposed
> by Microsoft and others.  WoSign also acquired StartCom in 2015, and
> purposely hid this from the public, even denied it to the Mozilla
> Foundation until irrefutable evidence surfaced.
>
> Looks like StartCom is trying to mitigate damage by spinning off as a
> separate entity, but what a disaster!  Any alternative CAs led by
> non-shady businessmen?  Comodo?
>
> https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
>
>
> https://en.wikipedia.org/wiki/StartCom
>
> https://www.thesslstore.com/blog/wosign-startcom-separated/
>
> https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
>
Yeah, I'd probably use DigiCert over Verisign if I had $299 for each
multi-SAN certificate I needed vs. the $120/year I pay to StartCom for
unlimited multi-SAN certificates, and I only need to pay that every 2-3
years, honestly, if I don't need to issue any new certificates between
expirations.