by G3E9 3747 days ago
When prompting for "postmaster", "hostmaster" or "webmaster", the values in that form should be just those, and StartSSL should then put the two together ($MASTER_EMAIL + "@" + $DOMAIN). They shouldn't assume that the "sendToEmail" value wasn't tampered with or overridden. If the original poster hadn't included his screenshots or his steps, I wouldn't believe such a stupid mistake, especially one made by a certificate authority.

Back before I found Gandi.net I came across StartSSL (I was looking for basic SSL certificates). At the time StartSSL's website was horrible, and I mean ugly; it turned me away because it felt so unprofessional. I see now, even with a new flashy website, that they still remain unprofessional (maybe not in their looks, but obviously in their practices).


Your solution is still vulnerable in cases where someone's able to control postmasterfoobar@example.com. Admittedly, that's a bit far-fetched, but the correct solution would be to have an enumeration of allowed emails and only accept those (or, more generally: whitelist things).

It's amazing that their web component is even allowed to dictate what verification addresses are permissible. That should be the concern of a completely separate component of their infrastructure. Says a lot about their security architecture, I guess.

Sorry, I made a bad implication: the backend would check to see if $MASTER_EMAIL was one of the three, as you called them, white-listed values ("postmaster", "hostmaster" or "webmaster") and, if not, stop processing the form.

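
The two points made in this exchange (the server builds the address itself from a whitelisted local part, and the whitelist is an exact-match enumeration rather than a prefix check, so "postmasterfoobar" is rejected) as an added example in Python. It is not code from the original thread or from StartSSL; the form field names `masterEmail` and `sendToEmail`, the function names, and the hostname check are all assumptions made for illustration.

```python
"""Constructed example: choosing the domain-validation mailbox server-side.

Assumed form fields: 'masterEmail' (the user's choice of local part) and
'sendToEmail' (a hidden field an attacker can edit). Neither name is from
the original thread or from StartSSL.
"""
import re

# The complete enumeration of local parts a validation mail may go to.
ALLOWED_LOCAL_PARTS = frozenset({"postmaster", "hostmaster", "webmaster"})

# Conservative hostname shape: dot-separated labels of [a-z0-9-], plus a
# purely alphabetic TLD. fullmatch() is used so '@', whitespace and newlines
# can never slip through.
_DOMAIN_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


class ValidationError(ValueError):
    """Raised when the request must not proceed to sending a validation mail."""


def vulnerable_pick_address(form: dict) -> str:
    """The mistake described in the thread: trust a client-supplied address.

    Whoever edits the hidden 'sendToEmail' field decides which mailbox
    receives the validation code, regardless of the domain being validated.
    """
    return form["sendToEmail"]


def pick_validation_address(form: dict, domain_under_validation: str) -> str:
    """Hardened version: the client only picks WHICH allowed mailbox to use.

    domain_under_validation is the domain recorded server-side for this
    certificate request, not something re-read from the form. The server
    assembles the final address; any client-supplied full address is ignored.
    """
    local_part = form.get("masterEmail", "")
    # Exact membership test against the enumeration. A startswith() or
    # substring check would accept 'postmasterfoobar', as noted above.
    if local_part not in ALLOWED_LOCAL_PARTS:
        raise ValidationError(f"local part not permitted: {local_part!r}")

    domain = domain_under_validation.strip().lower().rstrip(".")
    if len(domain) > 253 or not _DOMAIN_RE.fullmatch(domain):
        raise ValidationError(f"malformed domain: {domain_under_validation!r}")

    return f"{local_part}@{domain}"


def candidate_addresses(domain_under_validation: str) -> list:
    """Every address the hardened path could ever mail for a given domain.

    Useful for the 'separate component' point: this list can be computed by
    the backend without any input from the web form at all.
    """
    return sorted(
        pick_validation_address({"masterEmail": lp}, domain_under_validation)
        for lp in ALLOWED_LOCAL_PARTS
    )


if __name__ == "__main__":
    # Constructed tampered submission: the hidden field now points elsewhere.
    tampered = {"masterEmail": "postmaster",
                "sendToEmail": "attacker@attacker.example"}
    print("vulnerable:", vulnerable_pick_address(tampered))
    print("hardened:  ", pick_validation_address(tampered, "Example.com."))
    for bad in ({"masterEmail": "postmasterfoobar"},
                {"masterEmail": "admin"},
                {"masterEmail": "postmaster@attacker.example"}):
        try:
            pick_validation_address(bad, "example.com")
        except ValidationError as e:
            print("rejected:  ", e)
```

Note that the hardened path never reads `sendToEmail` at all; removing the hidden field from the form is the real fix, and validating the local part server-side is what stops the tampering even if the field is kept.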
For a while, I ran a small non-profit gaming site. This was well before Let's Encrypt, so we looked to StartSSL for a free certificate. They denied us.

Why?

Because we had links to a Paypal account set up to take donations. Even though PayPal had its own security, and we were only providing a link to it, that was enough for them to deny us the cert. They refused to understand that WE would be conducting no financial transactions using their service; or that PayPal was a separate entity.

It was maddening, and we ended up abandoning the whole idea of having SSL. Would that LE had existed.

Conversely, when I went for an SSL cert for my company, they called me (from Israel) on a phone number for our company taken from public sources, in order to verify we were who we said we were. Compare this to some other SSL providers, whose certification process is "can you give us $600?"

Was that an EV certificate? EV and DV certificates certify different things.

No, it wasn't an EV cert. It was whatever their level above the first level is (can't recall, it's been a while, but it wasn't EV).

From their policy:

> Class 1 certificates are limited to client and server certificates, whereas the latter is restricted in its usage for non-commercial purpose only.

AFAIK simply taking donations counts as "commercial purpose". You are free to dislike their policy though.

Sure, okay, but the certificate would never have been used to transact those donations. If you own a car, and you don't want dogs in your car, what does it matter if I put my dog in someone else's?

I think they just care whether or not you're making money with the site, period. As in, money that could potentially go towards a paid certificate.