SSL certs for free! (for XOJO Webs too)

Good morning, the disaster with StartSSL is well known and a pity. They were the ancestor of Let’s Encrypt somehow. As far as I know there is nothing new to report. They are banned by all well-known browsers (Safari, Mozilla, Chrome). Can’t say anything about Edge or IE11. I hope Let’s Encrypt won’t make the same mistakes.

Most ISPs offer simple SSL certs (no wildcards, no authentication). I am using AlphaSSL for my main domain and Let’s Encrypt for my servers and web apps. For some websites I am using CloudFlare CDN SSL, but actually I am thinking of moving them back to my servers again.

Hello,

the info I have is that they are still trusting the certs up to a certain point:
Mozilla Blog - Distrusting New WoSign and StartCom certificates

And Apple did the same thing, except they had an earlier cut-off date.
Apple’s response to the WoSign Incident
(They don’t explicitly name StartCom in this post, only that some sanctions may also be applied against StartCom.)

And Google also announced distrusting NEW certs issued after a specified date (don’t have a link handy at this point), and they required the “valid certs” to have been submitted to CT logs (2 CT logs not maintained by StartCom / WoSign themselves) before a cut-off date (also no link ready now).

If your certs are from before that date (like mine are) there should be no problems for your customers.
Well, my certs still validate correctly in all browsers (except if somebody distrusted StartCom manually :slight_smile: ).
They are from March 2016 and are still valid till March 2018.

I’ve not tried mine from November on Xojo yet, as I’ve just got it for a personal email server.

I’ve just rebuilt my PC (so no trusts installed) and my site works in Chrome without any issues that I can see. I’ll try it in Firefox and IE when I get home.

[quote=309485:@Hal Gumbert]Julian,

Were you able to get a StartSSL cert to work with Xojo Web App? I just tried and could not get it to work. :([/quote]

It worked first time using reverse proxy.

I got the site working on http first, just to be sure everything was set up OK, added a new binding for https with the cert, and it went straight through, no problems.

Hmmm, I’ve just tried it externally (turning wifi off on the phone) and it would seem that Chrome on iOS doesn’t like the cert and tries to move from https to http. So it’s an OK testing cert for PC/LAN, but I wouldn’t use StartSSL in the wild.

As I mentioned, it’s just to secure a personal mail server for web access, so I’m not really worried at the moment.

However, I would definitely use something commercial for a commercial app, cost be damned. I wouldn’t want to lose visitors due to possible cert issues with StartSSL, or Let’s Encrypt for that matter. If hackers and spammers use Let’s Encrypt because it’s free and it gets blocked by companies, it just won’t be worth the trouble IMHO, which is a shame.

[quote=309569:@]Hmmm, I’ve just tried it externally (turning wifi off on the phone) and it would seem that Chrome on iOS doesn’t like the cert and tries to move from https to http. So it’s an OK testing cert for PC/LAN, but I wouldn’t use StartSSL in the wild.

As I mentioned, it’s just to secure a personal mail server for web access, so I’m not really worried at the moment.

However, I would definitely use something commercial for a commercial app, cost be damned. I wouldn’t want to lose visitors due to possible cert issues with StartSSL, or Let’s Encrypt for that matter. If hackers and spammers use Let’s Encrypt because it’s free and it gets blocked by companies, it just won’t be worth the trouble IMHO, which is a shame.[/quote]

As I have said before, all major browsers are blocking StartSSL. It shouldn’t be used. If something’s broken, get rid of it. Don’t fool yourself with availability bias.

And Let’s Encrypt is well supported. Browsers which don’t support it are too old to use modern encryption anyway, and your server shouldn’t be talking to them. Somebody blocking LE because some malicious sites got certificates is like blocking GoDaddy or Verisign for the same reason. The certificate does not imply trust, merely domain ownership. Only EV certificates provide any kind of actual verification of the business, and even then, you still can’t just trust the website blindly. This rule is not exclusive to LE. “Secure” does not equal “safe.”

Time to read up on an automated process for Let’s Encrypt certificate refreshing in IIS then :slight_smile:

LetsEncrypt --renew

Damn, this is taxing my grey matter :wink:
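An added example of what that automation can look like on the IIS box (not something anyone in this thread posted): a daily scheduled task that runs the ACME client’s renew command as SYSTEM, so the 90-day Let’s Encrypt certs get refreshed without anyone having to remember. The client path `C:\Tools\letsencrypt\letsencrypt.exe` and the `--renew` argument are assumptions to adjust to whatever client you installed; the task is run once immediately so a broken renew shows up now rather than in three months.

```powershell
# Added example, not from the thread. Assumes an ACME client that supports
# "--renew" lives at $exe (path is an assumption; change it to yours) and that
# this runs in an elevated PowerShell on the IIS host.
$exe      = 'C:\Tools\letsencrypt\letsencrypt.exe'
$taskName = 'LetsEncrypt-Renew'

# What to run: the renew command, from the client's own directory so it finds
# its config and stored account key.
$action = New-ScheduledTaskAction -Execute $exe -Argument '--renew' `
            -WorkingDirectory (Split-Path -Parent $exe)

# When: once a day in the quiet hours. A client only renews certs that are
# close to expiry, so running daily is cheap and tolerates a few failed days.
$trigger = New-ScheduledTaskTrigger -Daily -At '03:30'

# Who: SYSTEM, so it can write to the machine cert store and update IIS bindings
# without a stored password that expires.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Run a missed schedule as soon as possible (server was off at 03:30) and do not
# let a hung renew sit forever.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
              -ExecutionTimeLimit (New-TimeSpan -Minutes 30)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Kick it off once now and look at the result code instead of trusting it blindly.
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 60
Get-ScheduledTaskInfo -TaskName $taskName |
    Select-Object TaskName, LastRunTime, LastTaskResult   # 0 = last run succeeded
```

A non-zero LastTaskResult, or a LastRunTime that stops advancing, is the thing to alert on; with an automatically renewed 90-day cert the failure mode is not the issuance but the renewal silently stopping.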

:wink: as Thom said here and I said in another thread: a cert is just a cert. I would say it’s just a brick in a wall with the name “security concept”. According to this source there are still minor issues in combination with HSTS: https://timkadlec.com/2016/01/hsts-and-lets-encrypt/

Interesting read, thanks Tomas. It’s been 10 years since I’ve had to do this stuff.

Hello @Tomas Jakobs,

as far as I know (and because I am involved, I am tracking the StartCom / StartSSL problem), no browser has announced a general blanket distrust of StartCom / StartSSL / WoSign. They distrust (or, in the case of Firefox, will distrust) StartCom SSL certs which have been signed and created after 21 Oct 2016.
And the certs which were problematic (of the valid certs) have been added to OneCRL (in the case of Firefox).

If you have other info I would certainly like to see the links for that.

And StartCom / StartSSL is working with Mozilla and the others to get that trust restored (StartCom / WoSign even had a meeting with Mozilla and others about this).

Best Regards,

R. Landscheidt
(who will run with his StartSSL cert till it’s no longer valid :slight_smile: )

Let’s Encrypt is nice and I have used it already (in testing) for my private testing domains and some web test projects.

Hi Rene,

take a look here. Key words for me are “may” and “for a time”. I suggest replacement… even if they may run… for now.
https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html

“Beginning with Chrome 56, certificates issued by WoSign and StartCom after October 21, 2016 00:00:00 UTC will not be trusted. Certificates issued before this date may continue to be trusted, for a time, if they comply with the Certificate Transparency in Chrome policy or are issued to a limited set of domains known to be customers of WoSign and StartCom.”
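An added example (not part of Tomas’s post or Rene’s) of how to check your own IIS certs against exactly that policy text: it walks the machine store, flags anything issued by WoSign or StartCom, compares NotBefore with the 2016-10-21 00:00:00 UTC cut-off, and reports days to expiry. It assumes the IIS bindings take their certs from `Cert:\LocalMachine\My` (the usual case) and uses the presence of an embedded SCT list extension (OID 1.3.6.1.4.1.11129.2.4.2) only as a hint about CT logging; a cert can be CT-compliant through other routes, so a missing extension does not by itself prove non-compliance.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the IIS host.
# Assumption: certs used by IIS bindings live in Cert:\LocalMachine\My.

# Chrome 56 cut-off from the Google post quoted above, as a UTC DateTime.
$cutoff = New-Object DateTime -ArgumentList 2016, 10, 21, 0, 0, 0, ([DateTimeKind]::Utc)
$now    = [DateTime]::UtcNow
$sctOid = '1.3.6.1.4.1.11129.2.4.2'   # embedded Signed Certificate Timestamp list

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # Issuer is a DN string such as "CN=StartCom Class 1 DV Server CA, O=StartCom Ltd., C=IL"
    $affected   = $cert.Issuer -match 'StartCom|WoSign'
    $issuedUtc  = $cert.NotBefore.ToUniversalTime()
    $expiresUtc = $cert.NotAfter.ToUniversalTime()
    $daysLeft   = [int][Math]::Floor(($expiresUtc - $now).TotalDays)
    $hasSct     = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq $sctOid })

    $status =
        if (-not $affected)            { 'not a WoSign/StartCom cert' }
        elseif ($daysLeft -le 0)       { 'expired' }
        elseif ($issuedUtc -ge $cutoff){ 'DISTRUSTED by Chrome 56+: issued after cut-off, replace now' }
        elseif ($hasSct)               { 'pre-cut-off, CT extension present: trusted only "for a time", plan replacement' }
        else                           { 'pre-cut-off, no embedded SCT: may still be CT-logged, but verify; plan replacement' }

    [PSCustomObject]@{
        Subject   = $cert.Subject
        Issuer    = $cert.Issuer
        NotBefore = $issuedUtc
        NotAfter  = $expiresUtc
        DaysLeft  = $daysLeft
        Status    = $status
    }
} | Sort-Object DaysLeft | Format-Table -AutoSize -Wrap
```

The DaysLeft column is worth watching on any site that also sends HSTS: once the cert lapses, browsers that have cached the HSTS policy will refuse the site outright rather than offer a click-through, so the cut-off check and the expiry check belong in the same report.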

Yes.

For a time IF they comply with CT! And there is no time limit stated. So I think, if there is not a grave mistake made again by StartCom which would make them distrust all certs in general, my certs will be valid till their end time (valid till).
We will see. I am working with the Dev build in one of my VMs, so I think I will see the problems in time and can then switch to a Let’s Encrypt cert when it happens.

Like I said, StartCom is actively working with the browsers to resolve that issue.

PS: I’m working with the Chrome Dev channel and my certs are still valid. :wink: