The total cost of the certificate is not $0. Total cost would include issuance, re-issuance and any revocations.
But consider this: when you go about your daily browsing business, for some of the forums and sites you visit, someone other than the site's owner also holds a private key and a valid StartCom certificate. On these sites, you can be MITM'd. What will you do to avoid this? Check what's behind the (now meaningless) green lock? What if the site replaced its certificate with a new one, non-StartCom? You can still be MITM'd using the existing, valid cert, so you can't even be certain that you're safe.

Instead of a forum, you can also think IMAP mailbox, or other services which are not browser based (Jabber, VPN, SVN repo, etc.), so there is no green lock that you can click on to investigate. How can you prevent being owned?

1. You can avoid putting your private info anywhere.
2. You can right click the lock before clicking "submit", and double check if you're not trusting a StartCom certificate, or if you are, figure out if this particular certificate has ever been susceptible to being Heartbled?
3. Edit the certificate store and untrust StartCom?

What is a typical person to do?

I do feel that discussing this further is pointless, as Mozilla still tells us to trust CNNIC, and a few other highly questionable CAs. It's probably unwise to trust Mozilla.

Consider also that the presence of StartCom in this market is a barrier to entry to other, honest and potentially inexpensive CAs. How can they compete with the perceived "free" certificates that StartCom floods the SSL space with?

BTW, I cannot find any discussion on Microsoft/Apple's position WRT StartCom? Please share a link if you have one.

Also, where can one buy some of those pkeys? Any links?

On Tuesday, April 22, 2014 11:04:05 AM UTC-4, Pontus Engblom wrote:
> So, getting a certificate for free, isn't free?

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
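The post points out that for non-browser services (IMAP, Jabber, VPN, SVN) there is no lock icon to click, so the issuer of the certificate you are about to trust goes unchecked. The following is an added example, not code from the thread: a small Python 3 script using only the standard library that connects to any TLS service, performs normal chain and hostname validation, and then flags a leaf certificate whose issuer organization matches a configured distrust list. The `SAMPLE_STARTCOM_CERT` dictionary is a constructed sample in the shape `getpeercert()` returns, not a real certificate.

```python
import socket
import ssl

# Issuer organizationName substrings to treat as distrusted (lower-case).
# StartCom is the CA discussed in the thread; extend as policy requires.
DISTRUSTED_ISSUER_ORGS = {"startcom"}


def issuer_fields(cert):
    """Flatten the 'issuer' entry of an ssl getpeercert() dict into a plain dict.

    getpeercert() encodes the issuer as a tuple of RDNs, each RDN a tuple of
    (attribute, value) pairs, e.g. ((('organizationName', 'StartCom Ltd.'),),).
    """
    fields = {}
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            fields[attr] = value
    return fields


def check_issuer(cert, distrusted=DISTRUSTED_ISSUER_ORGS):
    """Return (ok, reason) for a leaf certificate dict from getpeercert()."""
    fields = issuer_fields(cert)
    if not fields:
        return False, "no issuer information in certificate"
    org = fields.get("organizationName", "")
    cn = fields.get("commonName", "")
    haystack = (org + " " + cn).lower()
    for name in distrusted:
        if name in haystack:
            return False, "issued by distrusted CA: %s" % (org or cn)
    return True, "issuer: %s" % (org or cn)


def check_service(host, port):
    """Connect to any TLS service (HTTPS, IMAPS, XMPP with direct TLS, ...)
    and inspect the leaf certificate's issuer. Chain and hostname validation
    stay enabled, so an invalid certificate raises ssl.SSLError instead."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return check_issuer(tls.getpeercert())


# Constructed sample in the exact shape getpeercert() returns; not a real cert.
SAMPLE_STARTCOM_CERT = {
    "subject": ((("commonName", "forum.example.net"),),),
    "issuer": ((("countryName", "IL"),),
               (("organizationName", "StartCom Ltd."),),
               (("commonName", "StartCom Intermediate Server CA (constructed)"),)),
    "notAfter": "Apr 22 00:00:00 2016 GMT",
}
```

Running `check_service("imap.example.net", 993)` against a live host performs the same check on a real connection; the constructed sample lets the logic be exercised offline.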

