by chollida1 4450 days ago
TL/DR from the Mozilla bugzilla (https://bugzilla.mozilla.org/show_bug.cgi?id=994033): There doesn't appear to be a definitive argument as to whether they should or should not waive their revocation fee.

On the side of StartCom, an extremely reasonable point as to why they should not waive their fee:

> Every other certificate provider requires payment for certificates. StartCom is the one provider offering free certificates, which goes a long way to spreading TLS and https more broadly, and the complaint here is that they're daring to charge a fee to maintain their revocation list? Removing them over that would do more harm than good to security.

And the also very reasonable counter point:

> The problem is that thanks to Heartbleed we now have potentially leaked private keys (leaked due to circumstances outside of the control of anyone) and thus insecure sites. Now with StartSSL charging for every single revoked certificate they are encouraging people to "eh, the chance my key got leaked is so low, I'll just stay with my old certificate" thinking and behaviour. This is actively compromising the security of SSL and consumers (no one I know checks the SSL vendor on certificates of sites they visit if there's the lock icon and it says it is trustworthy). Therefore customers and site users expose themselves to potential security risks while the browser ensures them they are communicating securely with the website.

At the very least it's refreshing to see that people aren't just jumping on the rage bandwagon of, "OMG you mean I have to pay for something that you said I'd have to pay for. You are evil".

It's nice to see some even-handed analysis of the situation!

1 comments

I'm a StartCom user that's affected by Heartbleed. Right now, I am using the free certificates, so this FAQ entry applies (https://www.startssl.com/?app=25#72):

"Revocations carry a handling fee of currently US$ 24.90. Class 1 subscribers may use a different sub domain in order to create additional certificates without the need to revoke a previously created certificate. Alternatively it's possible to upgrade to Class 2 level which allows to create the same set of certificates once again (besides all the other benefits), because different levels are issued by different issuers, making revocation unnecessary."

I understand where Mozilla's coming from here, but I also see it from StartCom's side. StartCom requires manual verification for certain sensitive CA operations, so they've set up their (quite reasonable) fee schedule accordingly. Likewise, I'm sure that the terms and conditions of other CAs state that in the case of a key compromise, sure, they'll revoke the certificate for free, but the user must buy a new certificate to replace the compromised one - which is basically the same thing as StartCom charging for revocation.