by justinclift 3553 days ago
Ugh. September 19th is a poor date to choose.

When this came up, the first thing I did was generate wildcard certs for our StartCom domains, as Mozilla is going to stop trusting things at some point.

But that was on ~26th September.

Choosing the 19th is giving existing customers of StartCom no chance to manage the problem in a sensible way. :(


> When this came up, the first thing I did was generate wildcard certs for our StartCom domains

A vendor you used comes under scrutiny so your response is to double down on them? Did you have prepaid credits or something? It seems like that would have been an opportune time to migrate away from them since you'd have to redeploy certs anyways.

With StartCom, once you've gone through the personal verification procedure you don't need to pay more money for new certs, nor wildcard ones.

So, no "doubling down" involved. Just a desire to have actually working certs before Mozilla's "to be announced" cut off date happens.

And then Apple comes along and (unless I'm misunderstanding) all of our certs will be useless. :(

You should get a refund from your cert provider.

> So, no "doubling down" involved

Continuing to use a CA that has a recognised history of fucking abysmal security and wilfully deceptive actions, whether you're paying money or not, is still "doubling down" IMO.

If you're getting a wildcard cert, you aren't getting EV, so why not just make the switch to LetsEncrypt?

That seems like an odd move, doubling down on the CA after news of them doing shady stuff? Why not take that opportunity to switch to something else like let's encrypt?

Really not sure why you'd think this is "doubling down"?

We've already gone through the StartCom verification process, but had only generated a few specific certs for subdomains.

However, we're right now in the process of launching a new online project. No idea what subdomains will be needed in the very near future.

It costs us no extra to generate wildcard ones, which obviously is the right move to do as they'll be valid while StartCom's new ones are no longer trusted (when Mozilla stops accepting new certs).

There's literally no way we could afford to pay for new certs from an alternative registrar instead.

> There's literally no way we could afford to pay for new certs from an alternative registrar instead.

If ~$100 is that much for you (as a company of some sort) why don't you use Letsencrypt?

Good point, that might be the better solution for the public HTTPS part of things.

Lets Encrypt doesn't provide MS Authenticode signing certs (e.g. to validate our downloads are legit) though. Hopefully this whole mess doesn't scope creep to include those too.

You bet it will. If MS does not revoke them, it will reflect very badly on the security of their program.

If anything, I'd expect code signing certificates to be at more risk. Usage of these certificates is inherently much more difficult to track, as signed executables are much harder to discover than web servers. As such, even if there were a "certificate transparency" process for code signing certificates (which I don't believe there is), it'd be difficult to prove it was being operated honestly.

This announcement only pertains to the "WoSign CA Free SSL Certificate G2" intermediate CA and does not affect any StartCom-issued certificates.

They might announce similar steps for StartCom in the future, but nothing as of yet.

Thanks. Glad I misunderstood it. :)

Hopefully if it expands to include StartCom certs, they use a later date.
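The comment above notes that the announcement covers only the "WoSign CA Free SSL Certificate G2" intermediate, so the practical question for anyone holding certs from that family is: does my chain actually pass through that intermediate? The following is an added example, not code from the thread or from any of the vendors discussed. It runs ordinary X.509 path validation with Go's standard library and then walks the validated chain looking for a distrusted intermediate subject. The distrust list, the "Example Root CA" / "Example Clean Intermediate CA" names, the hostname, and the throwaway certificates it generates are all constructed for illustration; in real use you would load the leaf and intermediates your server actually sends and the roots your platform trusts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// distrustedIntermediates is the policy this example enforces: intermediate CA
// subjects a relying party no longer accepts. The WoSign entry is the one named
// in the thread; the list itself is an assumption made for this example.
var distrustedIntermediates = map[string]bool{
	"WoSign CA Free SSL Certificate G2": true,
}

// chainThroughDistrusted returns the subject CN of the first CA certificate in
// a validated chain that is on the distrust list, or "" if the chain is clean.
func chainThroughDistrusted(chain []*x509.Certificate) string {
	for _, c := range chain {
		if c.IsCA && distrustedIntermediates[c.Subject.CommonName] {
			return c.Subject.CommonName
		}
	}
	return ""
}

// CheckLeaf performs normal path validation (hostname, validity period,
// signatures, key usage) and then applies the distrust policy to the chain
// that validation built. A chain can be cryptographically valid and still be
// rejected by policy, which is exactly the situation the thread is about.
func CheckLeaf(leaf, inter, root *x509.Certificate, host string) (string, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	if err != nil {
		return "", err
	}
	return chainThroughDistrusted(chains[0]), nil
}

// Helpers below build a throwaway root -> intermediate -> leaf chain
// (constructed test data, not real certificates) so the check runs offline.
func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// BuildChain returns leaf, intermediate and root for host, with the
// intermediate's subject CN set to intermediateCN.
func BuildChain(intermediateCN, host string) (leaf, inter, root *x509.Certificate) {
	rootKey := mustKey()
	rootTmpl := caTemplate("Example Root CA", 1)
	root = sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	interKey := mustKey()
	inter = sign(caTemplate(intermediateCN, 2), root, &interKey.PublicKey, rootKey)
	leafKey := mustKey()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf = sign(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return leaf, inter, root
}

func main() {
	for _, cn := range []string{"WoSign CA Free SSL Certificate G2", "Example Clean Intermediate CA"} {
		leaf, inter, root := BuildChain(cn, "www.example.com")
		bad, err := CheckLeaf(leaf, inter, root, "www.example.com")
		switch {
		case err != nil:
			fmt.Println(cn, "-> path validation failed:", err)
		case bad != "":
			fmt.Println(cn, "-> chain validates but is issued under distrusted intermediate:", bad)
		default:
			fmt.Println(cn, "-> clean")
		}
	}
}
```

The point of splitting validation from policy is that `Verify` alone says nothing about the distrust: both chains above validate, and only the second step tells you that the first one is about to stop working. Matching on the subject CN is enough for this example; a production check would match on the intermediate's SubjectKeyId or its SHA-256 fingerprint so that a CA re-using a name in a new intermediate is not confused with the distrusted one.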