Hacker News new | ask | show | jobs
by rhizome 4397 days ago
Not to mention their inscrutable information and documentation. I was caught out trying to renew a StartSSL cert 6mos ago and could not even access the renewal site. Apparently they use personal certs (or the cert I got?) as authentication? I don't know, because there was no explanation, anywhere. I had no idea whether this is security by obscurity or what, but f-them. I wound up paying $5 to Comodo and having a somewhat more comfortable experience, at least to the degree that there's a standard user control panel and payment flow.

Looks like maybe StartSSL filled out their FAQ a little since then, but only a little:

https://www.startssl.com/?app=25#10
1 comments
Spittie 4396 days ago
They use browser certificates (I'm not sure if this is the right name), which is actually pretty cool. When you create an account, a certificate is generated in your browser, and then you can login with it.

The big problem is that since it's almost not used, browsers implement it but haven't done any job in making it user friendly (for example, you can see the certificates currently stored in your browser in Firefox by going in preferences > Advanced > Certificates > View Certificates > "Your certificates" tab, not exactly user friendly). Also (if I remember correctly) StartSSL implementation is not the nicest one as well, as you have to keep your tab open while they validate your account.

link
webhat 4396 days ago
It's non-repudiation, it's so they can be sure that the person who received the email is also the person who requested the email.

  Proof of data integrity is typically the easiest of these requirements to accomplish.
  A data hash, such as SHA2, is usually sufficient to establish that the likelihood
  of data being undetectably changed is extremely low. Even with this safeguard, it is
  still possible to tamper with data in transit, either through a man-in-the-middle
  attack or phishing. Due to this flaw, data integrity is best asserted when the
  recipient already possesses the necessary verification information.
https://en.wikipedia.org/wiki/Non-repudiation
link
rhizome 4396 days ago
Yeah, I got that far, but I had reinstalled, not backed this up, and there was less than zero information about what to import. I tried installing and/or converting every chunk of certificate-type data I could find. No joy, no help, no nothing.
link