StartSSL is blocked by Chrome & Firefox and they didn’t notified their customers

The SSL certificates issued by Israel based Certificate Authority StartSSL (https://www.startssl.com/) are blocked by Google Chrome and Mozilla Firefox since March 2017. Behind what could be just a technical issue, there is some disturbing facts:

First, the reason why Google and Mozilla have decided to progressively block StartSSL (and more importantly WoSign) is the issuance by WoSign, a chinese Certificate Autority,  of multiple SSL certificate for Domains for which they didn’t received any mandate and didn’t validate the ownership of the domain by the requester. The first case to be reported to Google was GitHub, the famous Source Code repository. As WoSign had « secretely » bought StartSSL and integrated its infrastructure in its own, StartSSL has been « sentenced » to the similar distrust by most browser than its owning company.

As DNS CAA records are not used by browsers to check if the Certificate Authority of an SSL certificate for a domain is the correct one, it could have allowed someone to impersonate GitHub or at least to lure some users to a fake GitHub site (anyway, GitHub didn’t set his CAA record). Such behavior is unacceptable for any certificate issuer as trust is the cornerstone of the entire SSL certificate paradigm. Google and Mozilla’s reaction seems then proportionate. However, you can imagine the impact of such sentence. For any CA, being withdraw from the list of trusted certificates of the two main browsers is like a death penalty for the CA.

The second disturbing fact is that StartSSL failed (or decided not) to properly inform its customers. Worse, it continues to sell its Class 1 certificate despite the fact they are basically useless. That’s not the kind of commercial decision that will help restore the trust to the Israeli company, even if WoSign has defined a remediation plan aiming at giving more autonomy to StartSSL (see below).

Customers who had paid for the Enterprise Validation have lost their money and are now using blocking certificates. The only cheap and rapid solution to restore access to their website (and keeping the SSL/TLS active) is likely to use LetsEncrypt free certificates.

I don’t know what the future is but I wouldn’t recommend StartSSL to anyone anymore and I doubt any security aware person would. That’s not a good indicator for a bright future.

References: