by lstamour 4446 days ago
I've used these guys in the past and quite like them, but yeah, this is poor PR and I hope they get pulled for not paying attention to, you know, the overall security of the trust product they're selling. I don't want lock-in on my SSL cert but it's effectively a contract if I have to pay a fee to break it and the SSL padlock on my domain is held hostage if I don't. Maybe someone should open a bug report on Bugzilla...

There are arguments about this being "their right" to not give free cert revocation, since that's how their business model works. They give you free certificates, but then you must pay quite a bit to revoke them.

That being said, PR wise, this was a pretty dumb move by them. It should've been a great PR opportunity for them, by submitting a blog post on HN about how serious this issue is and how they're going to allow everyone to revoke their certificate, say for the next 7 days, or even 48h. Everyone would've had their hands in the air cheering for StartSSL, about what an awesome company it is for doing this, and they would've gained a lot of good will and trust from the community for many years to come.

Instead, they saw this as an opportunity to make as much money as possible in the short term, regardless of how catastrophic this vulnerability was. In a way, it's like stores raising the price of food and water in a time of crisis (natural disaster, war, etc.) because they know they can get away with it then, since so many people need it, and they're the only source in the area.

Bottom line is, they could've made a judgement call to "not make" some extra cash in this period, while gaining a lot of long-term trust from their current and potential customers, but instead they decided to take the money, and have a PR scandal on their hands. Not a great move at all.

I am a paid StartCom customer with a Class 2 certificate, and they’re charging us the fee too.
So, to verify, would you rather pay a (smaller) fee upfront for every registration (effectively, insurance against revocation), rather than pay a (larger) fee if and only if you ever need to revoke? (Or, are you saying that StartSSL is somehow evil, because they refuse to do everything you ever wished they could do for you with no compensation of any kind?) (Is the issue simply that they won't revoke without a fee, even if you don't have your key reissued? I thought that it was just a charge for reissue, but if they won't let you even revoke the key without reissue, then I agree that sucks; but that doesn't seem to be what you are complaining about.)
I think Startcom are morally in the right about the payment issue and to have whatever business model they want. But at the same time that's a separate issue from their responsibilities as a CA and whether that's compatible with their business model. I got burned by Heartbleed and I was proactive about getting my certs revoked because it never occurred to me that I should beg for a free revoke because it wasn't my fault or something. But now I see that Startcom is in a tough position because they should be revoking the guy's cert and just billing him, but his backlash is not atypical and free cert offers probably select for the type of person who will avoid paying for things at all costs.
Hmm. Would I rather pay a fee every year for my domain name or only if I happen to need to change my name servers, contact info or account password? Perhaps more realistically, pay the host before a transfer or early termination. Yes, getting started might be free, but that just makes accidental lock-in easier. Life happens, changes happen. Free should be free, is all I'm saying. Makes for a better internet. Maybe browser vendors should offer free SSL certs, or promote pinning self-signed ones somehow? ;-)
What I would rather have is a %$#@! CA cert signed by my registrar valid for *.my-domain.com for free. In what world should I have to pay annually for some asshole to run "openssl ca" on my behalf? Our whole CA system is bullshit.
No, they are evil because they are lying to me.

When Mozilla put them in my browser, they promised “we will make sure that only people who own the domains get certs for them”. Now there are a bunch of people with leaked private keys and StartSSL is apparently doing nothing about them.

Note that I don’t care what StartSSL wants their “customers” to do, nor do I care what these “customers” want StartSSL to do, but I do care about private keys with associated valid StartSSL certificates floating around the internet, and it is not the responsibility of the owners of these keys to revoke the certs ASAP but StartSSL’s. Given that they don’t seem willing to do so, I’ll have to remove their CA from my browser.

One easy way out for “free certs” would be a clause like “If we have reasonable evidence that your certificate is compromised, we will revoke it immediately and you agree to pay a handling fee of 25 € for that.” in their Terms and Conditions. If such a clause would be illegal, I guess free certificates are just not feasible.