    IMPORTANT! Wildcard SSLs from issl.asia, sslcertificate.cn, ssl.so etc. revoked

    theqkash Member
    edited March 2015 in General

    Hello,

    Today my issl certificate has been revoked.

    Error code: sec_error_revoked_certificate

    I have contacted issl and they have offered me a refund. I'm now waiting for the cash. FYI.

    Comments

    • Message from ISSL:

      Sorry for the trouble. Our upstream reseller's system had a problem.

      Whatever it means, probably all those 5-year wildcard SSLs have been revoked and will not work on most browsers except Chrome.

    • The deal was too good to be true, I knew it

    • namhuy said: The deal was too good to be true, I knew it

      The question is what will happen to all those who have paid using bitcoin or some another AliPay thing. I have paid using PayPal to ISSL and I feel secure at this time.

    • Another message from Neil from issl:

      Actually, only some of the orders were revoked, we are still working on fixing it for now.

      FYI.
      Check your SSL certs.

    • I've bought mine from sslcertificate.cn (knowing that there's a risk that it might lead to trouble) via Bitcoin and it is now also revoked. :/

      SnapServ Mathis - Your cheap and reliable RIPE Sponsoring LIR. Use coupon code LET2017 to get a recurring discount of 10% on our products!

    • I have got cash back from ISSL, so if somebody has a problem with a certificate, they should not worry

    • If the cert is still not in use, is there any method to check whether it was revoked?
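The check asked about above, as an added example that is not part of the original thread: it builds a throwaway CA and leaf certificate with the openssl CLI, publishes the CA's CRL, and runs a CRL-based revocation check before and after the CA revokes the leaf. The CA name, hostname and the ./crl-demo directory are constructed for the demo, and an openssl CLI of 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway CA + leaf, then a CRL-based
# revocation check before and after revocation. Runs offline in ./crl-demo.
# Assumption: the openssl CLI (1.1.1 or later) is installed.
set -eu

DEMO=./crl-demo                    # constructed working directory
rm -rf "$DEMO"
mkdir -p "$DEMO/newcerts"
: > "$DEMO/index.txt"              # 'openssl ca' database, starts empty
echo 1000 > "$DEMO/serial"
echo 1000 > "$DEMO/crlnumber"

# Minimal config for 'openssl ca' and 'openssl req'; paths resolve via $dir.
cat > "$DEMO/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $DEMO
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = policy_any

[ policy_any ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF

# Self-signed root CA (marked CA:TRUE with cRLSign so its CRL is accepted)
openssl req -x509 -config "$DEMO/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$DEMO/ca.key" -out "$DEMO/ca.pem" -days 365 \
    -subj "/CN=Demo Root CA" 2>/dev/null
# CSR for a constructed hostname, then sign it with the demo CA
openssl req -config "$DEMO/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$DEMO/leaf.key" -out "$DEMO/leaf.csr" \
    -subj "/CN=example.test" 2>/dev/null
openssl ca -batch -config "$DEMO/ca.cnf" -notext \
    -in "$DEMO/leaf.csr" -out "$DEMO/leaf.pem" >/dev/null 2>&1
# Publish the CA's (currently empty) CRL
openssl ca -config "$DEMO/ca.cnf" -gencrl -out "$DEMO/crl.pem" >/dev/null 2>&1

# revocation_status LEAF CA CRL -> prints "ok", "revoked" or "error: ..."
# This is the check a CRL-aware client performs: chain to the CA, then
# reject the leaf if its serial is listed in the CA's current CRL.
revocation_status() {
    out=$(openssl verify -crl_check -CRLfile "$3" -CAfile "$2" "$1" 2>&1) || true
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo ok ;;
        *)                       echo "error: $out" ;;
    esac
}

BEFORE=$(revocation_status "$DEMO/leaf.pem" "$DEMO/ca.pem" "$DEMO/crl.pem")

# The CA revokes the leaf and republishes its CRL (what happened in this thread)
openssl ca -config "$DEMO/ca.cnf" -revoke "$DEMO/leaf.pem" >/dev/null 2>&1
openssl ca -config "$DEMO/ca.cnf" -gencrl -out "$DEMO/crl.pem" >/dev/null 2>&1

AFTER=$(revocation_status "$DEMO/leaf.pem" "$DEMO/ca.pem" "$DEMO/crl.pem")

echo "before revocation: $BEFORE"
echo "after revocation:  $AFTER"
```

For a certificate bought from a real CA, the CRL and OCSP locations come from the certificate itself (`openssl x509 -in cert.pem -noout -ocsp_uri` prints the OCSP responder), and `openssl ocsp` queries it online; the offline CRL check above is the same decision a browser reaches when it consults the CA's CRL.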

    • Mahfuz_SS_EHL Member, Provider

      If anyone would need PositiveSSL for free, I may give some away (about 15-20 SSLs). You can message me with your CSR. Make sure that you have an admin email ([email protected]) opened and fully configured because the verification would go there :)

      While generating the CSR, use the email where you want the final certificate sent.

      Keep in mind, I can't reissue them, so keep them safe along with the private key which you generated for the SSL issuance :-)

      AlphaSSL Revocation Issue is being investigated.

      Thanked by: hotsnow
    • Mahfuz_SS_EHL Member, Provider

      @rm_ @Razza These will be single-domain SSLs and for 1 year right now.

    • William Member, Provider

      Quick, Free, Working alternative:

      http://lowendtalk.com/discussion/41289/free-chinese-2-year-ssl-certificate-dv-kuaissl-by-wosign-com#latest

      Up to 100 subdomains, the order system works fine by now and even the Chinese-sent domain validation emails arrive quickly.

    • still good yet

    • Clouvider Member, Provider

      Clouvider Limited - Leading EU Hosting Solution Provider || UK Dedicated Server Sale - True HA Cloud VPS - Latest LET Offer

      Cloud Web Hosting | SSD & SAS HA VPS on OnApp | Dedicated Servers | Colocation | Managed Services

    • I just wrote an email to @xoxo, let's see what he's going to reply (if at all). If someone needs a lot of certificates, use that site which William posted OR get Class 2 verified at Startcom, they're trustworthy.

    • raza19 Member
      edited March 2015

      This will be an epic loss! But I have just checked a few other websites which were using AlphaSSL; they have had theirs revoked too and they didn't buy from @xoxo.
      Could it be something else? A revocation list being unreachable, etc.?

      We are star-stuff. We are the Universe, made manifest, trying to figure itself out.

    • tommy Member

      and everyone will learn his lesson

      Let's bet which dot-name will collapse first ;)

    • yywudi said: still good yet

      raza19 said: This will be an epic loss! But I have just checked a few other websites which were using AlphaSSL; they have had theirs revoked too and they didn't buy from @xoxo. Could it be something else? A revocation list being unreachable, etc.?

      A while ago Ubisoft blocked people who had bought their games from resellers because the resellers had used codes bought with stolen CCs. Something is telling me that we have the same thing here, but I do not want to accuse anyone.

    • I have tried to get in contact with @xoxo on qq but so far there have been no replies.....

    • Mahfuz_SS_EHL Member, Provider

      Why don't you people email AlphaSSL directly??

    • BAKA Member

      @raza19 said:
      I have tried to get in contact with xoxo on qq but so far there have been no replies.....

      xoxo's last appearance on v2ex was 45 days ago. But I believe he just changed account and still stays on v2ex and LET.

    • XIAOSpider97 Member, Provider

      I am Chinese and I want to say...

      It seems that he hacked into one of a reseller's system.

      Pump Cloud has been sold on Sep 1 2018.

    • @Mahfuz_SS_EHL said:
      Why don't you people email AlphaSSL directly??

      I've just asked AlphaSSL for a statement - I'll post the reply here as soon as I've got one.

      Thanked by: hotsnow

    • Shocking.

    • XIAOSpider97 said: It seems that he hacked into one of a reseller's system.

      Would like to know which "reseller" exactly.

      ●● Xeepi Hosting Solutions - West Coast Managed Shared, Virtual Servers, Dedicated Servers Hosting Solutions.

      ●● 7*24 Online Smiling Face Support | 99.9% Uptime Guarantee Covered by SLA

    • SplitIce Member, Provider

      Sigh... hmph

      X4B - DDoS Protection: Affordable Anycast DDoS protection including Layer 7 mitigation with PoPs in the US, EU and Asia.
      Latest Offer: Black Friday 2019 Offer
    • BAKA Member

      XeepiHosting_Joe said: Would like to know which "reseller" exactly.

      I'm also wondering.

      xoxo has been giving away free cert in Chinese forums since Jan 2014.
      https://v2ex.com/t/95769

      He claimed to have sold 1024 certs on 2014/10/24. So let's assume he has sold 8k AlphaSSL and 1k GlobalSign SSL so far. Also assume that the reseller's bulk price is US$10 for AlphaSSL and US$40 for GlobalSign; then that reseller has suffered a US$120k loss. Such a thing lasted for one year without being noticed...

      Or, more reasonably, the hacked reseller is a buddy with globalsign who can issue unlimited certs (both alphassl and globalsign ssl) or its main sub-reseller (because small resellers only have alphassl). Then who is that reseller?

    • @BAKA

      Very aptly put! This doesn't seem like a hack scenario. There is more than meets the eye.

    • NeoXiD Member
      edited March 2015

      As promised guys, here's the official statement from AlphaSSL / GlobalSign:

      Good afternoon censored,

      Thank you for contacting GlobalSign’s Support team.

      Unfortunately the reseller you have purchased the certificate from was in breach of their contract with GlobalSign and in result certificates associated to this account have been revoked. We understand that you have been affected and we’re going to pass your details on to our Product Specialist team who will be able to assist you with your available options.

      Apologies for the inconvenience and you will be contacted soon.

      Please don’t hesitate to contact us if you have any further queries.

      Kind regards,

      censored

      GlobalSign Support Team

      So, that's it, if you bought your certificate from sslcertificate.cn, you won't get it back and your money is lost. No idea if ISSL is going to refund customers or what they're going to do, this might be interesting to know, maybe someone can shed in some light about that. For reference, I originally bought my certificate via Bitcoin.

      To cut a long story short: DO NOT BUY THOSE CERTIFICATES

    • IIRC some SSL resellers basically have an SSL certificate "flatrate" but are bound by contract to some minimum price to prevent price dumping. Those Chinese resellers might have ignored such a contract clause.

    • rm_ Member
      edited March 2015

      gsrdgrdghd said: bound to some minimum price to prevent price dumping

      These CA f*ckers really ought to be put to answer to anti-trust regulatory bodies in their corresponding jurisdictions. Starting right with the fact that there's no technical reason whatsoever for a wildcard cert to be tenfold more expensive than a non-wildcard one.

    • Razza Member

      @rm_ said:
      These CA f*ckers really ought to be put to answer to anti-trust regulatory bodies in their corresponding jurisdictions. Starting right with the fact that there's no technical reason whatsoever for a wildcard cert to be tenfold more expensive than a non-wildcard one.

      So true, it's not like a wildcard is costing the CA more to issue. Personally I just think CAs are a bunch of robbing basta*ds.

    • @rm_ you're suggesting not to buy VPSs for long periods, so does that rule apply to SSL certs too?

      Please don't cry.

    • NeoXiD Member
      edited March 2015

      I think in the future people who only need SSL for private or not-that-important sites will no longer buy any certificates at all, thanks to Startcom and other CAs that followed.

      I'm not quite sure though if the prices of those business certificates are going to decrease soon, as most bigger companies usually don't really care about the current prices, as long as they're getting trustworthy and reliable certificates.

      Some of the prices might actually be okayish, as maintaining a root or sub-root CA is a huge PITA which involves a sh*tload of bureaucracy, speaking from my own experience. Also those bigger companies usually give out certificates with really high insurances, you shouldn't forget about that.

      Don't get me wrong now ~ some costs are imho justified, but I'm also against ripping off customers for setting some additional flags. Somewhere between LET and mafia-like pricing should be good.

      Thanked by: dragon2611

    • rm_ Member
      edited March 2015

      alexvolk said: you're suggesting not to buy VPSs for long periods, so does that rule apply to SSL certs too?

      I am suggesting not to buy SSL certs at all at the moment.
      1) WoSign is free for 100-domain certs, really, make a list of subdomains that you use, and you can get by without a wildcard cert; https://www.ohling.org/blog/2015/02/wosign-free-2y-ssl-certificate.html
      2) LetsEncrypt.org launches very soon, wait and see, use WoSign for now; https://letsencrypt.org/
      3) if you use CloudFlare you can already enable free wildcard SSL, but you probably already knew that. (And use StartSSL or WoSign certs on the actual server)

      Thanked by: alexvolk, hotsnow
    • zeitgeist Member
      edited March 2015

      Hm, to summarize... Globalsign has a business agreement with a reseller who sells their certificates (like AlphaSSLs) on their behalf to end-users. The reseller is in breach of the contract between Globalsign and the reseller; as a result of this contract breach (again: between Globalsign and the reseller), Globalsign revokes certificates purchased through the reseller by end-users? I am not a lawyer, but that looks not right to me. If Globalsign chooses to work with less than reputable resellers, how is it this end-user's fault? As far as I'd be concerned, I never had a business with Globalsign, and I legitimately purchased a certificate from a company who was an official reseller at that time.

    • Falzo Member

      zeitgeist said: from a company who was an official reseller at that time

      are you sure about this and are you able to back up this point in any way?

      most recommended Provider: First-Root KVM Power-Edition /w SSD
      UltraVPS.eu KVM in US/UK/NL/DE: 15% off first 6 month | Netcup VPS/rootDS - 5€ off: 36nc15279180197 (ref)

    • @zeitgeist said:
      Hm, to summarize... Globalsign has a business agreement with a reseller who sells their certificates (like AlphaSSLs) on their behalf to end-users. The reseller is in breach of the contract between Globalsign and the reseller; as a result of this contract breach (again: between Globalsign and the reseller), Globalsign revokes certificates purchased through the reseller by end-users? I am not a lawyer, but that looks not right to me. If Globalsign chooses to work with less than reputable resellers, how is it this end-user's fault? As far as I'd be concerned, I never had a business with Globalsign, and I legitimately purchased a certificate from a company who was an official reseller at that time.

      Sounds like a normal business relationship to me. The reseller has breached Globalsign conditions and so Globalsign revokes the certs. If it was a legitimate reseller its customers would be able to recover the cost of certificate and any damage to their business. The reseller would then foot the bill for real certs or pay damages. Globalsign has no obligations to the reseller's customers.

    • joepie91 Member, Provider

      NeoXiD said: I think in the future people which only need SSL for private or not-that-important sites no longer buy any certificates at all, thanks to Startcom and other CAs that followed.

      Startcom refuses to revoke compromised certificates unless you pay them money - the certificates are not actually free. WoSign is an unknown quantity at this point, and Lets Encrypt isn't in full operation yet. I know of no other CAs giving out free certs.

    • NeoXiD Member
      edited March 2015

      @joepie91 said:
      Startcom refuses to revoke compromised certificates unless you pay them money - the certificates are not actually free. WoSign is an unknown quantity at this point, and Lets Encrypt isn't in full operation yet. I know of no other CAs giving out free certs.

      "Luckily" they're doing so. First of all, they also have to earn money somehow and they're doing so with the various Class X validations and revocations.

      I once had a security issue and they revoked three certs for the price of one. They're a nice bunch of guys, you just have to talk to them. If they didn't charge at all for that, many inexperienced people would revoke certs over and over again --> CRL grows enormously --> more traffic costs for them and the performance is also going to suffer. Also, your CA reputation unofficially drops, as really big CRLs aren't a great sign.

      But you can't expect them to revoke all your certs for no reason or whatever. IMHO, if you need a person-validated SMIME, Code Signing and many wildcard and/or SAN certificates, it's currently the best deal. You can't get that anywhere else, fact.

      LetsEncrypt stated already on GitHub that they're not offering wildcard certs when they launch, so it's going to be similar like WoSign. I don't know about their revocation policy though, maybe it's mentioned somewhere in their CP draft.

      I don't say the way Startcom is doing it is the best one to resolve such problems, but assuming that your servers which host important sites won't get compromised all the time, the fees should be fine. You don't have to agree with me, it's just my own personal opinion, based on the 4 years during which I've operated the sub-root CA that my employer had.

    • BAKA Member

      elwebmaster said: Sounds like a normal business relationship to me. The reseller has breached Globalsign conditions and so Globalsign revokes the certs. If it was a legitimate reseller its customers would be able to recover the cost of certificate and any damage to their business. The reseller would then foot the bill for real certs or pay damages. Globalsign has no obligations to the reseller's customers.

      A certificate is a good that you transact for with the reseller, while you get your cert signed directly by the CA. The delivery of the good is finished and the good is yours. How could the CA take back (revoke) the good from a bona fide purchaser?

    • joepie91 Member, Provider
      edited March 2015

      NeoXiD said: "Luckily" they're doing so. First of all, they also have to earn money somehow and they're doing so with the various Class X validations and revocations.

      I once had a security issue and they revoked three certs for the price of one. They're a nice bunch of guys, you just have to talk to them. If they didn't charge at all for that, many inexperienced people would revoke certs over and over again --> CRL grows enormously --> more traffic costs for them and the performance is also going to suffer. Also, your CA reputation unofficially drops, as really big CRLs aren't a great sign.

      But you can't expect them to revoke all your certs for no reason or whatever. IMHO, if you need a person-validated SMIME, Code Signing and many wildcard and/or SAN certificates, it's currently the best deal. You can't get that anywhere else, fact.

      Revocations are a critical part of the SSL security model. If you cannot revoke your certificate, it is simply not secure. There's no discussion there - that is just how it is designed. Thus, Startcom certificates are not actually free.

      "They have to earn money somehow" is not an argument either. It is either free or it is not. Startcom is not.

      I don't say the way Startcom is doing it is the best one to resolve such problems, but assuming that your servers which host important sites won't get compromised all the time, the fees should be fine. You don't have to agree with me, it's just my own personal opinion, based on the 4 years during which I've operated the sub-root CA that my employer had.

      You might want to look into what Startcom's response was to Heartbleed.

      EDIT: And to clarify, revoking certificates when you only have a suspicion of them being compromised is the correct thing to do. It is absolute madness to try and prevent people from doing that. And traffic costs, are you being serious? It's 2015.

    • rm_ Member

      joepie91 said: Startcom refuses to revoke compromised certificates unless you pay them money - the certificates are not actually free.

      Surely charging for revocations may not be the white-and-fluffiest move ever, but that doesn't give you any right to exaggerate your point until it becomes industrial-grade bullshit. The certificates are indeed actually free. The additional services you may never ever need (I didn't), maybe not.

      WoSign is an unknown quantity at this point

      They give a valid 2-year certificate trusted by all major browsers and OSes, what more do you need to know? Don't start with "Are they trustworthy" and all that, your browser already trusts them (as well as a million other CAs).

    • joepie91 Member, Provider

      Surely charging for revocations may not be the white-and-fluffiest move ever, but that doesn't give you any right to exaggerate your point until it becomes industrial-grade bullshit. The certificates are indeed actually free. The additional services you may never ever need (I didn't), maybe not.

      Again, revocation is not an "additional service". It is a vital part of the design of SSL. If you do not understand that, perhaps you should read up on the architecture and threat models of SSL...

      Startcom's certificates are just as free as a mobile game that is near-unplayable without paid 'optional' microtransactions - 'free' in name only.

    • NeoXiD Member
      edited March 2015

      @joepie91 said:
      Again, revocation is not an "additional service". It is a vital part of the design of SSL. If you do not understand that, perhaps you should read up on the architecture and threat models of SSL...

      I'm sure both rm_ and I do know that, but if they'd open up revocations for free, they'll be facing exactly the issues I described, as there's no way to check if the certificate got really compromised. You can't get everything for nothing.

      @joepie91 said:
      And traffic costs, are you being serious? It's 2015.

      GlobalSign revoked all certificates when that Heartbleed thingy came up. Their CRL grew to 4.7MB and they had a lot of issues hosting such a big CRL properly, so they partnered up with CloudFlare:

      https://blog.cloudflare.com/the-hard-costs-of-heartbleed/

      Read that article and rethink your statements, you can't expect Startcom to handle such cases like those big players, stabilized by millions of dollars.

    • BAKA Member

      Got some hint from GlobalSign support team's reply.

      The problem seems to relate to GlobalSign's accounting. The actual meaning of "in breach of their contract" would be "they are not paying for the certificates they have ordered".

      Sounds like xoxo exploited a billing system bug and was noticed after more than 1 year...

    • @GlobalSign: we’re going to pass your details on to our Product Specialist team who will be able to assist you with your available options.

      does this mean they might reissue the certs or do something similar?

    • BAKA Member

      @raza19 said:
      does this mean they might reissue the certs or do something similar?

      Just a guess - they will offer a discount to purchase a new cert - which would still be expensive considering the original price.
