Shameful Security: StartCom Charges People To Revoke SSL Certs Vulnerable To Heartbleed

from the and-fuck-you-all-too dept

It's upon the subscriber to take appropriate action since the certificate authority can't enforce which software to use. The terms of service and related fees will not change due to that.

We do understand the situation very well, thanks.... This is not our fault as well. We do not see any reason to provide this paid service for free. We have enough other free services already if you didn't mention it.


Yesterday, we wrote about just how terrible the Heartbleed bug in OpenSSL is. It's been generating plenty of discussion, with folks like Bruce Schneier calling it "catastrophic" and saying that "on the scale of 1 to 10, this is an 11." It's a pretty big deal. So you'd think that everyone would be scrambling to help plug the vulnerability as painlessly as possible. And most companies have been doing that. But one -- StartCom -- apparently sees this as an opportunity to rake in cash and to screw over those most vulnerable.

StartCom is an SSL cert authority, and on the company's website, it claims it offers this service for free "because we believe in the right to protect and secure information between two entities without discrimination of race, origin and financial capabilities." Except, that's not quite how things are playing out in reality. As is being actively discussed over at HackerNews and via the StartSSL Twitter feed, the company is trying to charge people to revoke the vulnerable certs (a server exposed to Heartbleed may have leaked its private key, which is why the certificate has to be revoked and reissued, not just the software patched):

And, yes, they're even charging those who are on their premium paid service tiers as well -- and often charging exorbitant rates. While the company has generally charged for revoking certs, many people pointed out that with a vulnerability of this magnitude, that's both ridiculous and dangerous. However, the company doesn't seem to care. When it was pointed out to the company how serious this vulnerability is, the company started to get snotty with its own users:

People began challenging the company on Twitter, and it's taken that same snotty "we don't give a fuck" attitude to them as well:

Yes, this is part of StartCom's business model. Free certs, pay to revoke (but that doesn't explain why they're doing this for paying customers too...). But this is clearly a case where that model should be suspended to keep the internet safe. The amount of ill-will this move is generating is pretty clear. Furthermore, it highlights what a bullshit claim it is that its goal is to better protect communications. If that were true, it would allow emergency revocations for an issue like Heartbleed.

Filed Under: heartbleed, openssl, revocation, secure certs, security, startssl, vulnerability

Companies: startcom