by higherpurpose 4445 days ago
There are arguments about this being "their right" to not give free cert revocation, since that's how their business model works. They give you free certificates, but then you must pay quite a bit to revoke them.

That being said, PR-wise, this was a pretty dumb move by them. It should've been a great PR opportunity for them, by submitting a blog post on HN about how serious this issue is and how they're going to allow everyone to revoke their certificate, say for the next 7 days, or even 48h. Everyone would've had their hands in the air cheering for StartSSL, about what an awesome company it is for doing this, and they would've gained a lot of good will and trust from the community for many years to come.

Instead, they saw this as an opportunity to make as much money as possible in the short term, regardless of how catastrophic this vulnerability was. In a way, it's like stores raising the price of food and water in a time of crisis (natural disaster, war, etc.) because they know they can get away with it then, since so many people need it and they're the only source in the area.

Bottom line is, they could've made a judgement call to "not make" some extra cash in this period, while gaining a lot of long-term trust from their current and potential customers, but instead they decided to take the money and have a PR scandal on their hands. Not a great move at all.

1 comment

I am a paid StartCom customer with a Class 2 certificate, and they’re charging us the fee too.