Hacker News
by dan1234 3746 days ago
This seems to be an incredibly basic error for a company trusted to issue SSL certificates.

How long has this vulnerability existed? Can we trust any StartSSL certificates? Will they charge for revocation, as they did with Heartbleed?

2 comments

If someone has fraudulently issued a certificate for a domain you own using this (or any other) vulnerability, you're not actually a client of theirs and I don't see how they could force you to pay for revocation. Issuing such a certificate would obviously be a violation of CA/B Baseline Requirements.

Then again, I'm not exactly sure how one would go about reporting such a thing. Browser vendors have done most of the blacklisting for cases like this in the past (either by blacklisting individual certificates, or removing the root certificate completely for massive breaches). I guess I'd try my luck on one of their mailing lists or bug trackers.

If you have a regular certificate from StartSSL, there are no security implications for you because of this. (As in: for you specifically. For the CA system as a whole, this is a "Set-Your-Hair-On-Fire-And-Run-Around-Screaming-Loudly"-scenario.)

Well, it was originally found 5 years ago. However, StartSSL redesigned their site less than a year ago, which is where I would guess the vulnerability came back (not that I have any knowledge to back that up).