by bmelton 4450 days ago
Either this request is naive, or I am.

As I understand it, not all StartCom certificates are necessarily vulnerable. I have a number of StartSSL certificates issued before 4/7 that, according to the Heartbleed checker here [1], are not vulnerable.

Is it wrong for me to assume that the tool is correct, or is it wrong to assume that all StartCom certificates are necessarily vulnerable?

[1] - http://filippo.io/Heartbleed/

3 comments

What that tool says is irrelevant to the question of whether those certs have been compromised.

The risk is that before the vulnerability was patched, somebody used it to grab the private keys associated with the certs.

But what if the key was never used with OpenSSL or heartbeat?

Obviously that would be great, but a tool cannot check that.

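
The distinction this sub-thread draws, written out as an added example (not code from any commenter or from the linked checker): a certificate is never "vulnerable" by itself, the question is whether its private key was ever served by a build of OpenSSL that carried the heartbeat bug, and a live scanner only reports whether a host is vulnerable at the moment it is tested. The inventory of hosts, the hostnames and the dates below are constructed for illustration; the version logic encodes the published facts that OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 were affected, 1.0.1g fixed it, and 0.9.8 and 1.0.0 never implemented the extension.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Affected releases: 1.0.1 through 1.0.1f and 1.0.2-beta1. 1.0.1g fixed the
# bug; 0.9.8 and 1.0.0 never had the heartbeat extension at all.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?$")


def openssl_is_heartbleed_vulnerable(version: str, heartbeats_enabled: bool = True) -> bool:
    """True if this OpenSSL build would leak process memory via malformed heartbeats."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if not heartbeats_enabled:  # built with -DOPENSSL_NO_HEARTBEATS: extension absent
        return False
    if base == (1, 0, 1):
        return letter <= "f"  # '' (plain 1.0.1) sorts before 'a', so it is included
    if base == (1, 0, 2) and beta == "1":
        return True
    return False


@dataclass
class Deployment:
    """One place the certificate's private key was installed and served (constructed record)."""
    host: str
    openssl_version: str
    first_served: date
    patched_on: Optional[date] = None  # None: still running this build today
    heartbeats_enabled: bool = True


def exposure_windows(deployments: List[Deployment], today: date) -> List[Tuple[str, date, date]]:
    """Periods during which the key could have been read out of server memory."""
    windows = []
    for d in deployments:
        if openssl_is_heartbleed_vulnerable(d.openssl_version, d.heartbeats_enabled):
            windows.append((d.host, d.first_served, d.patched_on or today))
    return windows


def currently_vulnerable(deployments: List[Deployment]) -> List[str]:
    """What a live checker can see: hosts vulnerable right now. It says nothing about the past."""
    return [
        d.host
        for d in deployments
        if d.patched_on is None
        and openssl_is_heartbleed_vulnerable(d.openssl_version, d.heartbeats_enabled)
    ]


def key_must_be_rotated(deployments: List[Deployment], today: date) -> bool:
    """Treat the key as compromised if it was ever exposed, whether or not the host is patched now."""
    return bool(exposure_windows(deployments, today))


# Constructed sample inventory (hypothetical hosts): one key pair whose
# certificate was issued 2014-02-01, well before the 2014-04-07 disclosure.
TODAY = date(2014, 4, 10)
PATCHED_BUT_EXPOSED = [
    Deployment("www.example.test", "1.0.1e", date(2014, 2, 1), patched_on=date(2014, 4, 8)),
]
NEVER_EXPOSED = [
    Deployment("mail.example.test", "1.0.0l", date(2014, 2, 1)),
    Deployment("api.example.test", "1.0.1e", date(2014, 2, 1), heartbeats_enabled=False),
]

if __name__ == "__main__":
    for name, inventory in (("patched", PATCHED_BUT_EXPOSED), ("never exposed", NEVER_EXPOSED)):
        print(
            f"{name}: checker sees {currently_vulnerable(inventory)!r}, "
            f"rotate key: {key_must_be_rotated(inventory, TODAY)}"
        )
```

For the "patched" inventory the checker reports nothing (the host is fixed), yet the key was served by 1.0.1e for two months and has to be replaced; for the "never exposed" inventory the certificate's issue date is irrelevant because no deployment ever ran an affected build with heartbeats compiled in.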
> is it wrong to assume that all StartCom certificates are necessarily vulnerable?

They aren't claiming all StartCom certificates are vulnerable, they are saying some StartCom certificates may be vulnerable because they impose a fee on revocation.

I don't think the certificates are vulnerable at all. Their private keys may have been stolen if people were using them with a vulnerable version of OpenSSL, but that has nothing to do with StartSSL certificates themselves.

That is exactly right and exactly why the bug report was insane.