Source: https://en.wikipedia.org/wiki/StartCom#StartSSL
StartCom Ltd.
Type: Private company
Industry: Internet security, public key infrastructure
Founded: 1999; 17 years ago
Headquarters: Eilat, Israel
Key people: CEO: Eddy Nigg
Website: www.startssl.com
StartCom is a company based in Eilat, Israel, with three main activities: StartCom Linux Enterprise (a Linux distribution), StartSSL (a certificate authority) and MediaHost (web hosting).
Contents
1 StartSSL
1.1 Trustworthiness
1.2 Limitations of StartSSL Unlimited Free Certificates
1.3 Response to Heartbleed
2 Criticism
3 See also
4 References
5 External links
StartSSL
StartCom offers a free Class 1 X.509 SSL certificate, "StartSSL Free", which works for web servers (SSL/TLS) as well as for e-mail encryption (S/MIME). It also offers Class 2 and Class 3 certificates and Extended Validation certificates, for which a comprehensive, paid validation is mandatory.
In June 2011, the company suffered a network breach that led StartCom to suspend issuance of digital certificates and related services for several weeks.[1] The attacker was unable to use the breach to issue certificates; of the six providers breached, StartCom was the only one where the attacker was blocked from doing so.[2]
Trustworthiness
The StartSSL certificate is included by default in Mozilla Firefox 2.x and higher, in Apple Mac OS X since version 10.5 (Leopard), all Microsoft operating systems since 24 September 2009,[3][4] and Opera since 27 July 2010.[5] Since Google Chrome, Apple Safari and Internet Explorer use the certificate store of the operating system, all major browsers include support for StartSSL certificates.
Limitations of StartSSL Unlimited Free Certificates
While certificates are free and unlimited for certain uses, there are limitations imposed unless an upgrade is purchased:
One-year certificate validity.
Certificate revocation requires a fee.
Response to Heartbleed
On 13 April 2014, StartCom announced[6] a FAQ page[7] related to Heartbleed, a critical bug in OpenSSL estimated to have left 17% of the Internet's secure web servers vulnerable to data theft.
StartCom's policy is to charge $25 for each revoked certificate, and it refused to waive this fee for certificates compromised by Heartbleed, though some paying customers were granted a single free revocation.[8][9][10][11] This led many to question StartCom's standing as a certificate authority.[12] Even when presented with proof that a certificate had been compromised, StartCom refused to revoke it for free, so the certificate remained trusted after StartCom had learned of the compromise.[13]
Criticism
Customers have reported[14] that with StartSSL's infrastructure a certificate must be revoked before a new certificate can be generated, and since StartSSL does not state how long revocation and reissue take, a site can be unreachable over HTTPS for an undetermined amount of time; one customer reported about 5 hours of downtime.[11]
See also
Cryptography
Public key certificate
Public Key Infrastructure
References
1. "Web authentication authority suffers security breach". The Register. June 26, 2011. Retrieved January 14, 2012.
2. "How StartCom Foiled Comodohacker: 4 Lessons". InformationWeek. September 8, 2011. Retrieved December 20, 2012.
3. "Microsoft Adds Support for StartCom Certificates" (Press release). StartCom.org. September 24, 2009. Retrieved January 14, 2011.
4. "Microsoft updates trusted root certs to include StartCom". Sophos.com Naked Security blog. September 27, 2009.
5. "New Roots, new EV, and a new Public Suffix file". Opera.com Rootstore blog.
6. "Twitter / startssl: We released a small FAQ page ...". StartCom. April 13, 2014.
7. "Heartbleed F.A.Q.". StartCom. April 13, 2014.
8. "I use StartCom, and I revoked and re-keyed yesterday. In the revocation reason, ... Hacker News". Geoff. April 9, 2014.
9. "Twitter / codeawe: @tonylampada @startssl ...". J. Breitsprecher. April 11, 2014.
10. "Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")". Jan. April 9, 2014.
11. "Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")". arnowelzel. April 10, 2014.
12. "Most StartSSL certs will stay compromised". April 9, 2014.
13. "StartSSL, please revoke me!". April 12, 2014. Archived from the original on April 12, 2014.
14. "Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")". arnowelzel. April 9, 2014.