by creshal 4084 days ago
StartSSL is very much "you get what you pay for", though. Their web interface is sporadically unreachable, and their validation is rather sloppy – as long as you pay up, you can happily break their terms of service and still be re-validated.

I never understood how that matters, though. My visitors will see a green bar, job done. Breaking the ToS or not, I don't care as long as my address bar is green. How is Verisign any different from StartSSL, in that regard?
> I never understood how that matters, though.

It will matter if StartCom is abused to print certificates for foreign domains. Even if your domain isn't targeted, browsers and OS vendors will probably react by invalidating all StartCom CA certs. That means no green bar.

Has this ever happened before? I'm genuinely curious, as I've heard this warning often but it seems more like FUD than anything else.
Google just removed CNNIC as a trusted CA from Chrome because of their sloppy security and trust.
CNNIC had provided "unauthorized digital certificates for several Google domains" and in an update on April 1st Google said that "To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist" - http://googleonlinesecurity.blogspot.ro/2015/03/maintaining-...

So, I doubt they would treat StartSSL any worse than they treated China.