On 04/23/2014 10:32 PM, Radu Hociung wrote:
> What will you do to avoid this? Check what's behind the (now meaningless) green
> lock? What if the site replaced its certificate with a new one, non-StartCom?
> You can still be MITM'd using the existing, valid cert, so you can't even be
> certain that you're safe.
I do have a few questions for you! How can you know that a site using a
certificate from ANY CA isn't or wasn't affected by the Heartbleed bug?
Do you know how many certificates from CAs other than StartCom have NOT
been revoked? And can you tell me which of the currently installed
certificates, no matter who the issuer is, were issued after a revocation
of a previous certificate?
Once you can answer these questions for me, I have an interesting surprise
for you....
> Consider also that the presence of StartCom in this market is a barrier to
> entry to other, honest and potentially inexpensive CAs.
No, it's not, otherwise StartCom would own 100% of the market share,
which it doesn't. The offerings of StartCom suit certain users and not
others.
> How can they compete with the perceived "free" certificates that StartCom
> floods the SSL space with?
They are free of charge no matter what - and under normal circumstances
will not cost anything. Approximately 17% might be affected by this bug,
another 87% are not. This means users are getting, year after year, a free
service for 0.00 US$ from StartCom and keep getting it now and in the
future; the rare exception, which isn't even under our control, is
revocations. And if it weren't necessary to charge a fee for that, we
wouldn't either.
--
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: [email protected] <xmpp:[email protected]>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy