Refute the FUD


In my capacity it’s my job to counter a few baseless claims which some use in order to try to spread Fear, Uncertainty and Doubt (FUD) regarding the digital certificates which StartCom issues free of charge. This is a response to Sebastián Bortnik, David Harley and Dan Raywood regarding articles of theirs I found recently on the web.

First of all I must note that I basically agree with the two former reporters that SSL-secured web sites and their digital certificates say nothing about the trustworthiness and intent of the web site operator. I have been saying the same for a long time already; this isn’t news. Even the Extended Validation certificates, which StartCom also issues, can’t provide any guarantees about the intentions of an organization, or even whether it will still be around tomorrow (think Lehman Brothers).

SSL certificates in the low-assurance setting, also called domain-control validation, are intended to provide secure end-to-end encryption; they say nothing about the identity of the web site owner and operator. The free Class 1 certificates of StartCom belong to this category as well. StartCom however also offers other certificates which are identity, organization or extended validated. At the higher validation levels, a relying party can also know who the site operator is, making the site a less likely source for spreading malicious content or other niceties. Obviously there is no warranty attached in either case that such an operator won’t fall victim to a breach of their own servers, or do something nasty themselves.

It’s however very important for me to state a few facts here which have been entirely ignored by all the reporters above. Domain control validated certificates - which StartCom provides without charge - are not the invention of StartCom. Scores of public Certification Authorities have been issuing digital certificates for years according to the same or very similar criteria as StartCom does, and even before the founding of the StartCom Certification Authority. This includes Comodo, GoDaddy and GeoTrust (VeriSign), but also CAcert, just to mention a few. In particular, the myth that CAcert has better verification than others can be put to rest, because this CA - which isn’t trusted so far by any browser and might have far bigger issues - has provided domain validated certificates for years already.

Netcraft today identifies over half a million domain control validated certificates on the web. Yeah right, that’s more than 500,000! All of them were issued under exactly the same or very similar validation procedures as those of StartCom. Needless to say, most authorities will happily charge you a fee for their services, as opposed to StartCom which provides the same for free.

StartCom has implemented various safeguards and layers of defense, and makes a reasonable effort to prevent any misuse by third parties. Obviously that has its limits too; however StartCom has been participating in, guiding and leading the industry for a while, and today competing CAs are following and implementing some of the policies and procedures StartCom implemented. StartCom is one of the leaders trying to strengthen and improve the requirements for public certification authorities, be it through my participation at Mozilla and the CAB Forum, or by defining and recognizing problematic practices and demonstrating responsibility with our own policies and practices.

The claim that StartCom - and its support by Microsoft and other software vendors like Apple and Mozilla - would in any form weaken the ability to use HTTPS is absolutely baseless. Quite the opposite is true, because today more people are able to reduce certain risks and secure their forums, blogs, webmail and portals due to our free offerings. Indeed today there is no reason whatsoever to submit a password unsecured or to use fake certificates - except in case StartCom will not issue one… and that would probably be for a good reason.


Reader Comments

Well put, let’s hope that people read and understand it.

I’m sure the thought process is that, in the event of fraud, there’s at least the method of payment to trace.

The bleating sounds a lot like the tired, old argument, “If crypto is widely available, terrorists and child pornographers (or phishers and malware writers) might use it, so we should burden everyone.”

Interestingly, payment (and the ability to trace stolen credit cards) is not a known criterion of the WebTrust audit. I wonder why? ;-)

Dear,

At no point in our post do we oppose the use of free certificates. Also, it is not our intention to criticize the quality of StartCom as a company.

However, it is our duty to alert the community if a certain technology can be used maliciously. The problem in question is not free certificates, but users’ false belief that a site with HTTPS is enough to be safe.

When we report, for example, that attackers use social networks to spread malware, we are not opposed to social networks, but simply inform users of potential risks that may occur, so that they can make use of the technology while being aware of the threats.

We are not opposed to the use of free certificates, but the news was the moment to explain to our readers what HTTPS is and what it is not. Users’ false belief that HTTPS guarantees total security is not our responsibility, nor StartCom’s, but we must warn and inform them so they are not exposed to unnecessary risks.

Hoping to have clarified the doubts, and thanking you for the communication and response, I leave you with warm greetings.

Regards.

Sebastián Bortnik
Security Analyst for ESET

Thanks Sebastián! Digital certificates and SSL/TLS are indeed sometimes not understood correctly. Unfortunately you brought this problem up in the context of the certificates offered without charge by StartCom, so I had to counter this a little bit ;-)

StartCom makes a 100% effort to prevent any misuse of all certificates (paid and free), and I believe the success rate is pretty good as well. Obviously any CA may fail to completely prevent misuse in some form or other at some point. But I don’t think this depends on the amount a subscriber paid for the certificate. StartCom is very committed to providing the best services and security at the appropriate level to the Internet community, I hope for the benefit of all. Cheers!