Mozilla.org removing StartCom cert root

neilgunton
Posts: 7
Joined: Wed Mar 15, 2017 4:48 am
Location: Albany, OR

Re: Mozilla.org removing StartCom cert root

Postby neilgunton » Mon Mar 20, 2017 8:03 pm

stimpy wrote:I use e.g. Sophos UTMs with Let's Encrypt, so I do not see why there is any problem?
If it's the 90 day lifetime limit, then there are several reasons for that. If you have a problem with re-issuing a cert every 90 days, there are plenty of solutions to automate this.
And if you need a longer lifetime, pay for a cert. Simple as that.
(Funny enough that you use a Let's Encrypt cert for your business website. Or is it a "toy site"? :mrgreen: )


Let's Encrypt doesn't support wildcard certificates.

https://letsencrypt.org/docs/faq/

Let’s Encrypt offers Domain Validation (DV) certificates. We do not offer Organization Validation (OV), Extended Validation (EV), or wildcard certificates, primarily because we cannot automate issuance for those types of certificates.


So if you need those (as I do) then that is a showstopper. I'm not aware of any other CA that provides multi-domain, OV, wildcard certs for as low a price as StartSSL. I really hope they get their problems sorted out soon, but in the meantime they have the workaround which I posted about above, i.e. do the Class 3 OV verification, pay $120 and then request a Camerfirma cert. This works with all the browsers, allows for 100 domains/subdomains/wildcards, and is valid for two years, by which time hopefully the current trust issues with StartSSL will be resolved.

Neil

samspin
Posts: 3
Joined: Mon Mar 20, 2017 10:18 pm

Re: Mozilla.org removing StartCom cert root

Postby samspin » Mon Mar 20, 2017 10:35 pm

I have gone through the above steps; in my case I already had a dormant non-trading company that I'd registered some time ago to protect my online moniker from being used as a company name. So I used that one to obtain Class 3 Validation. I've made the request and paid the validation fee to hopefully get a Camerfirma based certificate; I will post again if the request is successful. I have the same reasons: I need wildcard support. I was hoping to continue using my Startcom cert that I had signed just before the cut-off date, but then Google Chrome "upped the game" and cut off any certificates for sites not in the top 1 million Alexa rank. Only *one* of the websites I run is on that list, namely PlanetVampire.com, and that's only because it has quite a cult following. All others are now blocked, thus necessitating a replacement cert.

I am currently relying on Let's Encrypt in the interim, but this isn't practical long term in my case because I also tend to use dynamically changing hostnames for machines that need a verified certificate for remote desktop usage. It's so much easier to configure a long term wildcard certificate onto each machine than to replace so many all the time (not to mention the 90 day limits), especially when they are behind a closed LAN and Let's Encrypt tends to want to connect from the outside for verification. If Let's Encrypt allowed wildcards and longer lifetimes, things wouldn't be so bad, but their philosophy is to encourage automated issuance by mandating short lived certificates. Not really something I am keen on doing when all certificates are logged to CT servers and wildcards at least give you the option of *some* privacy, not just the convenience. I do appreciate the concept behind CT as a *very* useful tool for tracking mis-issued certificates, but perhaps more needs to be done in the balance of privacy.
I tend to think of it as similar to the early DNSSEC implementations that required all hostnames in a DNS zone to be fully public. Most people would like zone data to be private, much the same as you'd rather have an operator answer the phone and say "yes, something dot that exists" one at a time, than give the public your entire corporate phonebook.

neilgunton
Posts: 7
Joined: Wed Mar 15, 2017 4:48 am
Location: Albany, OR

Re: Mozilla.org removing StartCom cert root

Postby neilgunton » Tue Mar 21, 2017 12:42 am

samspin wrote:I was hoping to continue using my Startcom cert that I had signed just before the cut-off date, but then Google Chrome "upped the game" and cut off any certificates for sites not in the top 1 million Alexa rank.


This leapt out at me, because it might explain why one of my sites wasn't having a problem, but another was. Do you happen to have a source? I was mystified, because the users on my main site (crazyguyonabike.com) were not having any issues, but another newer website (topicwise.com) was getting the "untrusted" error on Chrome 57. The weird thing is, they both use the exact same StartSSL cert. I put all my domains into one cert for ease of configuration, and it also makes SNI (Server Name Indication) work even on older browsers. The Alexa rank would explain the difference, because crazyguyonabike.com appears to be around the 200,000 mark globally, whereas topicwise is more like 4,500,000. So if you have any links to this, I'd be interested...

Thanks!

Neil

samspin
Posts: 3
Joined: Mon Mar 20, 2017 10:18 pm

Re: Mozilla.org removing StartCom cert root

Postby samspin » Tue Mar 21, 2017 1:17 am

neilgunton wrote:
samspin wrote:I was hoping to continue using my Startcom cert that I had signed just before the cut-off date, but then Google Chrome "upped the game" and cut off any certificates for sites not in the top 1 million Alexa rank.


This leapt out at me, because it might explain why one of my sites wasn't having a problem, but another was. Do you happen to have a source? I was mystified, because the users on my main site (crazyguyonabike.com) were not having any issues, but another newer website (topicwise.com) was getting the "untrusted" error on Chrome 57. The weird thing is, they both use the exact same StartSSL cert. I put all my domains into one cert for ease of configuration, and it also makes SNI (Server Name Indication) work even on older browsers. The Alexa rank would explain the difference, because crazyguyonabike.com appears to be around the 200,000 mark globally, whereas topicwise is more like 4,500,000. So if you have any links to this, I'd be interested...

Thanks!

Neil

Yes, there is a filing about this for Chromium's source code (as I'm sure you're aware, Chrome is based off of Chromium) here:
https://codereview.chromium.org/2613833002
As well as a bug filing where the decision appears to have been documented: https://bugs.chromium.org/p/chromium/is ... ?id=685826
These appear to show that Google intend on phasing out trust for all certs for Startcom/Wosign completely, and cutting to the top 1 million mark was the next ratchet up.
I had the same issue: planetvampire.com would work but no other sites would, even though they all used the same end entity certificate via SANs. Planetvampire.com was a SAN name and worked fine, but the default CN name was *.samspin.net, yet anything under samspin.net was blocked as untrusted. Ah yes, that's another motive I had for wanting to keep one cert for as many as possible: supporting non-SNI browsers for as long as possible. I have to say, I do kinda see it from both sides here: browser vendors have to give out the message that breaking the rules is intolerable, and attempting to cover up only makes things worse. But for us customers who rely on small firms like Startcom, which had grown in its own right long before Wosign came to town, it really does make life difficult. Having said that, I did notice that Google is taking a much harsher line than Mozilla even in their initial announcement: https://security.googleblog.com/2016/10 ... rtcom.html "In subsequent Chrome releases, these exceptions will be reduced and ultimately removed, culminating in the full distrust of these CAs. This staged approach is solely to ensure sites have the opportunity to transition to other Certificate Authorities that are still trusted in Google Chrome, thus minimizing disruption to users of these sites." I did try to keep an eye on things after that announcement, but the outside-top 1 million blockage hit me in the teeth.
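The two posts above describe a single multi-name certificate (CN *.samspin.net, with planetvampire.com and other hosts as SANs) being accepted for one hostname and rejected for another, purely because of a browser policy layered on top of ordinary name matching. The following is an added illustration, not code from the thread or from Chromium: a small Python model that separates the two decisions a browser makes, "does this certificate cover this hostname?" (RFC 6125-style SAN matching, including the general wildcard rules, which the thread only touches on) and "is the chain trusted for this host?" (a distrusted root with a host allowlist, as the posters describe for Chrome 57). The certificate, root label and allowlist are constructed sample data; the allowlist semantics (registrable domain plus subdomains) are an assumption, not Chromium's actual list or lookup.

```python
from dataclasses import dataclass


@dataclass
class Cert:
    """Minimal stand-in for an X.509 leaf: subject CN, SAN dNSNames and
    the root the chain ends at. Constructed, not parsed from DER."""
    common_name: str
    sans: list
    issuer_root: str


def name_matches(pattern: str, hostname: str) -> bool:
    """Browser-style hostname matching (after RFC 6125 section 6.4.3):
    case-insensitive, '*' allowed only as the whole leftmost label,
    matching exactly one label (never across a dot), and never a
    pattern as broad as '*.com'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Require at least two labels to the right of the wildcard.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if any("*" in lab for lab in p_labels):
        return False  # partial or non-leftmost wildcards are rejected
    return p_labels == h_labels


def cert_covers(cert: Cert, hostname: str) -> bool:
    """Match against subjectAltName dNSNames; fall back to the CN only
    when the certificate carries no SAN names (legacy behaviour)."""
    names = cert.sans or [cert.common_name]
    return any(name_matches(n, hostname) for n in names)


def host_allowlisted(hostname: str, allowlist: set) -> bool:
    """Assumption: the allowlist holds registrable domains and also
    covers their subdomains."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in allowlist)


def evaluate(cert: Cert, hostname: str, distrusted_roots: set, allowlist: set) -> str:
    """Combine name matching with the distrust-plus-allowlist policy."""
    if not cert_covers(cert, hostname):
        return "untrusted: name mismatch"
    if cert.issuer_root in distrusted_roots and not host_allowlisted(hostname, allowlist):
        return "untrusted: issuer distrusted, host not allowlisted"
    return "trusted"


# Constructed sample data mirroring the situation in the thread.
SAMPLE_CERT = Cert(
    common_name="*.samspin.net",
    sans=["*.samspin.net", "samspin.net", "planetvampire.com", "www.planetvampire.com"],
    issuer_root="StartCom Root (constructed label)",
)
DISTRUSTED_ROOTS = {"StartCom Root (constructed label)"}
ALLOWLIST = {"planetvampire.com"}  # placeholder stand-in for a "top sites" list


def demo() -> dict:
    """Evaluate the same certificate against several hostnames."""
    hosts = ["planetvampire.com", "www.samspin.net", "samspin.net",
             "a.b.samspin.net", "example.org"]
    return {h: evaluate(SAMPLE_CERT, h, DISTRUSTED_ROOTS, ALLOWLIST) for h in hosts}


if __name__ == "__main__":
    for host, verdict in demo().items():
        print(f"{host:22} {verdict}")
```

Running it shows planetvampire.com accepted while www.samspin.net and samspin.net are rejected on the same certificate, which is exactly the asymmetry reported above; a.b.samspin.net fails earlier, at name matching, because a wildcard covers only one label. When debugging a "same cert, different verdict" report, checking these two stages separately (name coverage first, then chain and policy) is what tells you whether the fix is a new SAN or a new CA.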

stimpy
Posts: 3
Joined: Sun Mar 12, 2017 10:24 pm

Re: Mozilla.org removing StartCom cert root

Postby stimpy » Tue Mar 21, 2017 11:15 am

ssl@croweb.host wrote:Let's Encrypt is a great project for non-commercial websites, personal projects etc.
For any kind of a serious business - definitely not.


Well, I would have never used StartCom Certs in a professional use either. ¯\_(ツ)_/¯
For business customers and really important projects I tend to use Comodo certs. For other stuff there's Let's Encrypt. Whoever thought StartCom certs were a good idea to use for important projects... well, have you looked at their website before?

If it's reputation, anything cheap and free shouldn't be the way to go anyways, should it?

neilgunton
Posts: 7
Joined: Wed Mar 15, 2017 4:48 am
Location: Albany, OR

Re: Mozilla.org removing StartCom cert root

Postby neilgunton » Tue Mar 21, 2017 9:57 pm

samspin wrote:
neilgunton wrote:
samspin wrote:I was hoping to continue using my Startcom cert that I had signed just before the cut-off date, but then Google Chrome "upped the game" and cut off any certificates for sites not in the top 1 million Alexa rank.


This leapt out at me, because it might explain why one of my sites wasn't having a problem, but another was. Do you happen to have a source? I was mystified, because the users on my main site (crazyguyonabike.com) were not having any issues, but another newer website (topicwise.com) was getting the "untrusted" error on Chrome 57. The weird thing is, they both use the exact same StartSSL cert. I put all my domains into one cert for ease of configuration, and it also makes SNI (Server Name Indication) work even on older browsers. The Alexa rank would explain the difference, because crazyguyonabike.com appears to be around the 200,000 mark globally, whereas topicwise is more like 4,500,000. So if you have any links to this, I'd be interested...

Thanks!

Neil

Yes, there is a filing about this for Chromium's source code (as I'm sure you're aware, Chrome is based off of Chromium) here:
https://codereview.chromium.org/2613833002
As well as a bug filing where the decision appears to have been documented: https://bugs.chromium.org/p/chromium/is ... ?id=685826
These appear to show that Google intend on phasing out trust for all certs for Startcom/Wosign completely, and cutting to the top 1 million mark was the next ratchet up.
I had the same issue: planetvampire.com would work but no other sites would, even though they all used the same end entity certificate via SANs. Planetvampire.com was a SAN name and worked fine, but the default CN name was *.samspin.net, yet anything under samspin.net was blocked as untrusted. Ah yes, that's another motive I had for wanting to keep one cert for as many as possible: supporting non-SNI browsers for as long as possible. I have to say, I do kinda see it from both sides here: browser vendors have to give out the message that breaking the rules is intolerable, and attempting to cover up only makes things worse. But for us customers who rely on small firms like Startcom, which had grown in its own right long before Wosign came to town, it really does make life difficult. Having said that, I did notice that Google is taking a much harsher line than Mozilla even in their initial announcement: https://security.googleblog.com/2016/10 ... rtcom.html "In subsequent Chrome releases, these exceptions will be reduced and ultimately removed, culminating in the full distrust of these CAs. This staged approach is solely to ensure sites have the opportunity to transition to other Certificate Authorities that are still trusted in Google Chrome, thus minimizing disruption to users of these sites." I did try to keep an eye on things after that announcement, but the outside-top 1 million blockage hit me in the teeth.


That's fantastic, thanks! :-)

marc.reitz@kreativstrecke.de
Posts: 5
Joined: Wed Feb 15, 2017 10:12 pm

Re: Mozilla.org removing StartCom cert root

Postby marc.reitz@kreativstrecke.de » Wed Mar 22, 2017 8:37 am

stimpy wrote:Well, I would have never used StartCom Certs in a professional use either. ¯\_(ツ)_/¯
For business customers and really important projects I tend to use Comodo certs. For other stuff there's Let's Encrypt. Whoever thought StartCom certs were a good idea to use for important projects... well, have you looked at their website before?

If it's reputation, anything cheap and free shouldn't be the way to go anyways, should it?


Maybe you can give us an explanation why a Comodo cert is more "worth" than a StartSSL cert. Because of their website design? :-D Wow, hopefully there are no "important projects" in your range.

samspin
Posts: 3
Joined: Mon Mar 20, 2017 10:18 pm

Re: Mozilla.org removing StartCom cert root

Postby samspin » Wed Mar 22, 2017 4:22 pm

neilgunton wrote:
samspin wrote:
neilgunton wrote:
This leapt out at me, because it might explain why one of my sites wasn't having a problem, but another was. Do you happen to have a source? I was mystified, because the users on my main site (crazyguyonabike.com) were not having any issues, but another newer website (topicwise.com) was getting the "untrusted" error on Chrome 57. The weird thing is, they both use the exact same StartSSL cert. I put all my domains into one cert for ease of configuration, and it also makes SNI (Server Name Indication) work even on older browsers. The Alexa rank would explain the difference, because crazyguyonabike.com appears to be around the 200,000 mark globally, whereas topicwise is more like 4,500,000. So if you have any links to this, I'd be interested...

Thanks!

Neil

Yes, there is a filing about this for Chromium's source code (as I'm sure you're aware, Chrome is based off of Chromium) here:
https://codereview.chromium.org/2613833002
As well as a bug filing where the decision appears to have been documented: https://bugs.chromium.org/p/chromium/is ... ?id=685826
These appear to show that Google intend on phasing out trust for all certs for Startcom/Wosign completely, and cutting to the top 1 million mark was the next ratchet up.
I had the same issue: planetvampire.com would work but no other sites would, even though they all used the same end entity certificate via SANs. Planetvampire.com was a SAN name and worked fine, but the default CN name was *.samspin.net, yet anything under samspin.net was blocked as untrusted. Ah yes, that's another motive I had for wanting to keep one cert for as many as possible: supporting non-SNI browsers for as long as possible. I have to say, I do kinda see it from both sides here: browser vendors have to give out the message that breaking the rules is intolerable, and attempting to cover up only makes things worse. But for us customers who rely on small firms like Startcom, which had grown in its own right long before Wosign came to town, it really does make life difficult. Having said that, I did notice that Google is taking a much harsher line than Mozilla even in their initial announcement: https://security.googleblog.com/2016/10 ... rtcom.html "In subsequent Chrome releases, these exceptions will be reduced and ultimately removed, culminating in the full distrust of these CAs. This staged approach is solely to ensure sites have the opportunity to transition to other Certificate Authorities that are still trusted in Google Chrome, thus minimizing disruption to users of these sites." I did try to keep an eye on things after that announcement, but the outside-top 1 million blockage hit me in the teeth.


That's fantastic, thanks! :-)


Just posting here again to confirm that my Camerfirma request has been successful. I am now deploying the certificate and it is working well so far :) Thanks for the information Neil, it has proved invaluable in making my life a lot easier.

trev@acrovoice.ca
Posts: 6
Joined: Mon Dec 19, 2016 9:44 pm

Re: Mozilla.org removing StartCom cert root

Postby trev@acrovoice.ca » Tue Apr 11, 2017 6:02 pm

Something to be cautious about with the Camerfirma certs is if you order an EV certificate, they'll convert your name to ALL CAPS which looks tacky.

I'd recommend sticking with Class 3 certs for that reason.

javi200482@gmail.com
Posts: 6
Joined: Tue Nov 29, 2016 12:38 am

Re: Mozilla.org removing StartCom cert root

Postby javi200482@gmail.com » Tue Apr 11, 2017 11:03 pm

Until the new CA cert is stored in all browsers, StartSSL needs an external certificate and uses the Camerfirma provider. Now that the new CA is created and validated, Chrome, Mozilla and Edge only need to update their stored certificates in the next release, or you can set it up manually from https://www.startcomca.com/index/root

New website: https://www.startcomca.com

