[Discuss] Who sells the least expensive SSL certs right now?

John Abreau abreauj at gmail.com
Mon Dec 22 11:25:16 EST 2014


I think you're missing the point. More quotes from the bugzilla discussion:


> The problem is not them charging for revocations. If someone has lost
> their key or got hacked, okay fine. Their own fault.
>
> The problem is that thanks to Heartbleed we now have potentially leaked
> private keys (leaked due to circumstances outside of the control of anyone)
> and thus insecure sites.
>
> Now with StartSSL charging for every single revoked certificate they are
> encouraging people to "eh, the chance my key got leaked is so low, I'll
> just stay with my old certificate" thinking and behaviour.
>
> This is actively compromising the security of SSL and consumers (no one I
> know checks the SSL vendor on certificates of sites they visit if there's
> the lock icon and it says it is trustworthy). Therefore customers and site
> users expose themselves to potential security risks while the browser
> ensures them they are communicating securely with the website.


and another:

> Spreading **** certificates all over the place for free and then forcing
> people to pay for the revocation of those certificates is certainly not
> doing any good for security. I can't see any reason why startssl.com should
> be in the truststore while cacert.org (which do not charge for revocation
> nor for anything else) are denied the same status.


Now granted, these arguments are about whether StartSSL should be in the
Firefox keystore, not about whether Bill should consider using StartSSL's
free tier. But I disagree that the arguments are weak.


On Mon, Dec 22, 2014 at 10:55 AM, Edward Ned Harvey (blu) <blu at nedharvey.com>
wrote:
>
> > From: John Abreau [mailto:abreauj at gmail.com]
> >
> > As for StartSSL, a quick Google search turns up some disturbing issues
> > with it.
>
> Bah.  That's a weak argument.  There is nothing secret about charging for
> revocation, and I don't expect any other CAs to reissue certs for free
> either.

--
John Abreau / Executive Director, Boston Linux & Unix
Email: abreauj at gmail.com / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6