Hacker News
by Karunamon 3743 days ago
Now that Let's Encrypt is a thing, there's no reason to do business with these greedy losers.

That's not just an off-the-cuff insult either - I find very few charitable words to describe a company that charges $25 to rekey a certificate for reasons outside the user's control, i.e. Heartbleed.

More to the point, in my arrogant opinion, now that a good, free alternative exists, users in the know should pressure the browser makers to come down a lot harder on companies that let this kind of issue fly. There's no need to work through the CAB bureaucracy when, say, Google and Mozilla are probably a lot more amenable to dealing with bad (be that by ignorance or malice) actors by refusing to recognize their crappily-validated certificates.


Just to play devil's advocate, maintaining a CRL is quite expensive. Cloudflare detailed those costs here: https://blog.cloudflare.com/the-hard-costs-of-heartbleed/

Let's Encrypt avoided this by partnering with Akamai. Though StartCom really should have made an exception for Heartbleed.

> there's no reason to do business with these greedy losers

What makes them greedy? That they are charging for what they do? (Serious question: I am curious why you label them "greedy" and further "losers".)

https://www.startssl.com/Support?v=43

They're the CA that wanted to charge $25 to revoke free certificates that were potentially compromised due to Heartbleed. Yes, it wasn't their fault, so they wouldn't be legally responsible for it, but they're acting in bad form by not offering those revocations for free for such a major issue.

Until LE, StartSSL was the cheapest option all around. Note that with their $59/year option you would get unlimited wildcard certs, amongst other things. I am not happy about this bug, and am glad I moved to LE a few weeks ago, but in the past StartSSL has saved me a ton of money, even though their website was godawful at the time.

Sure, and all that may be true, but I was specifically responding to what makes them greedy. Recommending people revoke their certificate and then hitting them with a $25 fee when they try to do so is practically the definition of such. They knew it was a serious problem, they knew all certificates could be affected (and even called it out), but then they didn't care to waive their policy in this one case even with all that taken into account. A CA who actually cared about the integrity of the system as a whole would have made a one-time exception for this serious bug.