What the Heartbleed bug revealed to me

Today, I made a really negative experience with the StartSSL certificate authority. This is the first time that this has happened to me. The problem is that it affects StartSSL’s reputation because it reveals that they value money much higher than security. Security however should be a CA’s primary concern. So, what happened?

It all started when I checked which of the certificates that were issued to me by StartSSL were potentially compromised by the OpenSSL Heartbleed bug. Fortunately, there were only a few of them and those that were possibly affected were all private ones (i.e. no FSFE certificates were affected). Since Hanno Böck stated in an article [1] that he was able to revoke a StartSSL Class 2 certificate for free and a friend of mine confirmed this [2], I immediately went ahead and sent revocation requests for the affected certificates. The first thing I realised was that the StartSSL website was under heavy load and this was not surprising given the severity of the Heartbleed bug and the number of certificates that StartSSL has probably issued. Nonetheless, I managed to send the revocation requests and received confirmation e-mails about them. Of course I stated the CVE number of the heartbleed bug as the reason for the revocation. Not much later, I was informed that one of the revocation requests had succeeded and I was able to create a new certificate. So far, so good. The trouble started, when I – after not having heard back from StartSSL about the other revocation requests for more than a day – contacted StartSSL to ask why those requests had not succeeded. I was advised to check the e-mail address behind the account I had formerly used for paying my fees to StartSSL. I followed the advise, and there they were: Three requests for USD 24.90 each with the note “revocation fee”. Quite a surprise for me after what I had read and heard. So I asked back, why I had to pay and others didn’t have to. Eddy Nigg’s answer came promptly:

First revocation is not charged in the Class 2 level – successive
revocations carry the fee as usual.

It’s obviously an unfortunate situation, but the revocation fee is
clearly part of the business model otherwise we couldn’t provide the
certificates as freely as we did and would have to charge for every
certificate a fee as all other issuers do.

This was rather shocking for me. This statement clearly reveals, that StartSSL only cares about money, not security. A responsible CA would try to revoke as many compromised certificates as possible. It definitely doesn’t help a CA’s reputation if they do not support their customers in a situation were the customer did not make a mistake and was affected by something I’d call “higher power”. The problem I see is the following: There are most probably many people like me who also care about security in their private life, but also want everything to be convenient. Unfortunately, CAcert has not managed to become part of the major browsers so far [3] and thus StartSSL is pretty much the only way to get cheap certificates for things like a private blog if you are not particularly rich – which is both true for me and also FSFE, for whose certificates I am responsible too. So my gut feeling is that many people who also saw StartSSL as their logical choice will think like me and rather not pay an mount of money that is higher than the fee you have to pay to become Class 2 validated just to revoke a certificate. They will rather stop using the compromised certificate and simply create a new one with a different CN field (which is doesn’t cost them extra). The logical result is that there will be loads of possibly compromised certificates out there that are not on StartSSL’s certificate revocation list. Would *you* trust a CA that doesn’t care about such an issue? Well, I don’t.

So what should I make out of all this? First of all, it seems that all the people who distrust commercial CAs have a good point. Second, CAcert becomes more important than ever. I have been a CAcert assurer for years, but made the mistake to go the convenient way for my private blog and such. Knowing quite a few things about CAcert, I can assure you that they *do* care about security. They care for it quite a bit. I will definitely have to increase my participation in this organisation – the problem is that my involvement in FSFE, my job and my family do not leave me with a particularly big amount of spare time. Maybe those of you who read this will also jump on the train for a Free (as in Freedom and free beer) and secure CA. But even with CAcert in the major browsers, the whole CA system should actually be questioned. For the whole certificate chain, they will always be a single point of failure, no matter if they are called CAcert, StartSSL, VeriSign or you name it. Maybe it’s time for something new to replace or complement what we have now. For example, I have been pointed to TACK [4] by Hanno, which really sounds interesting.

Ah, and of course the rumors that StartSSL is part of Mozilla’s products solely because they paid for it sound much more reasonable to me than a week ago.

For now, I will stop using StartSSL certificates and will recommend the same to FSFE. I will also remove StartSSL from the trust store in my browser. It seems that others agree with me [5-6]. And of course, I will stop recommending StartSSL immediately.

[1] http://www.golem.de/news/openssl-wichtige-fragen-und-antworten-zu-heartbleed-1404-105740.html
[2] StartSSL usually charges USD 24.90 for certificate revocations, which is understandable because it normally only becomes necessary when the certificate owner makes a mistake and StartSSL certificates are really cheap.
[3] Even the opposite: Debian dropped them from their ca-certificates package, a choice which I am still not sure what to think about.
[4] http://tack.io/
[5] https://www.mirbsd.org/permalinks/wlog-10_e20140409-tg.htm#e20140409-tg_wlog-10
[6] https://bugzilla.mozilla.org/show_bug.cgi?id=994033