What was once the web’s best source for free SSL/TLS certificates and affordable-by-normal-humans wildcard certs is dead, killed by shitty unethical behavior by a shitty company called WoSign. So thanks, WoSign—thanks for wrecking StartCom and their StartSSL service. You destroyed something wonderful and useful to millions of people. Hope it was worth it, dicks.
If there’s an upside to this mess, it’s that Let’s Encrypt has mostly made StartSSL redundant. Where StartSSL was once the only place to go if you wanted free certificates, LE now fills that gap—very successfully, too. And LE will begin offering free wildcard certificates in 2018, so that’s another need fulfilled.
But man, I am going to miss the hell out of StartCom and StartSSL.
The one who was
I’ve been a happy paying StartCom customer since 2010, when I set up the first version of my dumb homepage. An article on Ars Technica by Glenn Fleishman on how to get free certificates piqued my interest, and StartCom proved to be everything the article promised—fast, friendly, and extremely affordable if you wanted to move off the free option and into class 2 validation-dependent certificates (like wildcards). They also offered a code signing certificate for a ludicrously cheap rate.
Things were great for years. I unequivocally recommended StartCom to anyone and everyone because there were basically no downsides. A single $60 identity validation got you unlimited wildcard certs for as many domains as you wanted.
There’s a line in Fight Club, when Jack is talking to Tyler, that captures this situation very well:
For folks unable or unwilling to watch the scene, here’s the quote:
When you buy furniture, you tell yourself, “That’s it—that’s the last sofa I’m ever gonna need. Whatever else happens, I’ve got that sofa problem handled.”
StartSSL was that good—it felt like I had my SSL/TLS problem definitively handled with an endgame solution, and I’d never need to deal with shopping for certs or paying gross and usurious rates for the things.
Enter WoSign.
Fucking it up for the people in the streets
Through a complicated set of hidden backroom dealings, StartCom was purchased (apparently in secret) by shady Chinese certificate authority WoSign. According to a detailed investigation by Mozilla, WoSign had been backdating the issue dates of some SSL/TLS certificates in order to skirt the then-looming deadline for SHA-1 certificate deprecation.
In response to these shenanigans, Mozilla reached for the almost-nuclear option: Mozilla browsers would cease trusting WoSign (and StartSSL) SSL/TLS certificates issued after a certain date (the full nuclear option would have been to simply stop trusting all WoSign and StartCom certificates). Google, Microsoft, and Apple quickly followed.
Mozilla further outlined a proposed remediation plan they would accept from WoSign/StartCom; failure to follow the plan and demonstrate improvement would lead to a removal of WoSign and StartCom from the trusted root certificate authority store of every major browser on every major operating system. Perhaps unsurprisingly, WoSign was unable to demonstrate sufficient remediation and reform, and the deadlines were set. The full nuclear option had been deployed.
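The backdating Mozilla found works because the issuance date (notBefore) is simply a field the CA writes into the certificate, so a relying party can only judge issuance date by what the CA asserts. As an added example, not code from this post or from Mozilla, the stdlib-only Python below parses a DER certificate for its signature algorithm and notBefore and applies two date-keyed rules: the Baseline Requirements' ban on SHA-1 issuance from 2016-01-01, and a distrust-after-date rule for a named issuer. The issuer name, the distrust cutoff date and the test certificates are constructed placeholders, not real CAs or real certificates.

```python
import datetime as dt
SHA1_RSA = bytes.fromhex("06092a864886f70d010105")    # sha1WithRSAEncryption, DER-encoded OID
SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption, DER-encoded OID
SHA1_BAN = dt.datetime(2016, 1, 1)          # CA/B Forum Baseline Requirements: no SHA-1 issuance from here
DISTRUST_AFTER = dt.datetime(2016, 10, 21)  # assumed distrust cutoff for the issuers below (illustrative)
DISTRUSTED_CN = {"Example Distrusted CA"}   # constructed issuer name, not a real CA

def der(tag, body):
    """Minimal DER TLV encoder (definite-length form, short and long length)."""
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (lb if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def tlv(buf, i=0):
    """Decode one TLV at offset i -> (tag, body, offset just past it)."""
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + ln], i + ln

def make_cert(issuer_cn, sig_oid, not_before_iso):
    """Build a constructed, unsigned test certificate (for parsing only; not a real cert)."""
    nb = dt.datetime.fromisoformat(not_before_iso)
    utc = lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())  # UTCTime
    name = der(0x30, der(0x31, der(0x30, bytes.fromhex("0603550403") + der(0x0C, issuer_cn.encode()))))
    alg = der(0x30, sig_oid + b"\x05\x00")  # AlgorithmIdentifier with NULL parameters
    validity = der(0x30, utc(nb) + utc(nb + dt.timedelta(days=365)))
    spki = der(0x30, der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00") + der(0x03, b"\x00"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00"))  # empty signature: never verifiable

def parse_cert(cert):
    """Return (issuer CN, signature OID bytes, notBefore) from a DER certificate."""
    tbs = tlv(tlv(cert)[1])[1]                 # Certificate -> tbsCertificate
    tag, _, i = tlv(tbs)                       # [0] EXPLICIT version, if present
    if tag == 0xA0:
        _, _, i = tlv(tbs, i)                  # serialNumber
    _, alg, i = tlv(tbs, i)                    # signature AlgorithmIdentifier
    _, issuer, i = tlv(tbs, i); validity = tlv(tbs, i)[1]
    atv = tlv(tlv(issuer)[1])[1]               # first RDN's AttributeTypeAndValue
    cn = tlv(atv, tlv(atv)[2])[1]              # skip the type OID, take the value
    nb = dt.datetime.strptime(tlv(validity)[1].decode(), "%y%m%d%H%M%SZ")
    return cn.decode(), alg[:tlv(alg)[2]], nb

def evaluate(cert):
    """Apply the two date-keyed rules; an empty list means both are satisfied."""
    cn, oid, nb = parse_cert(cert)
    findings = []
    if oid == SHA1_RSA and nb >= SHA1_BAN:
        findings.append("sha1-issued-after-ban")
    if cn in DISTRUSTED_CN and nb > DISTRUST_AFTER:
        findings.append("issued-after-distrust-cutoff")
    return findings  # a backdated notBefore satisfies both: the check trusts the date the CA wrote
```

A SHA-1 certificate whose notBefore is backdated to before the ban passes both rules, which is exactly the gap the investigation describes; the checks can only trust what the CA asserted.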
You can’t always get what you want
The effect has been total. StartCom struggled to come up with some alternatives, but the company’s death was inevitable—what good is a root certificate authority that no one can trust?
The following email showed up in my inbox this morning, marking the end of an era.
The last service I had still using my old StartSSL wildcard certificate was BigDinosaur.org’s email, and immediately prior to penning this blog post I cut that over to Let’s Encrypt, too.
It’s depressing, watching so wonderful a service being brought down by a few greedy assholes. Thanks, assholes.
But don’t judge StartCom by the actions of the rambling zombie corpse the company became after it was bought by WoSign. Recent bad behavior doesn’t erase the good of so many years of excellence, even if it does mean that the company has to take a bullet to the head.
Farewell, StartCom and StartSSL. You were well-loved, and you will be well-missed. The Internet is less without you.