IMPORTANT! Wildcard SSLs from issl.asia,sslcertificate.cn, ssl.so etc. revoked - Page 2

Comments

  • NeoXiD, Member
    edited March 2015

    As promised guys, here's the official statement from AlphaSSL / GlobalSign:

    Good afternoon censored,

    Thank you for contacting GlobalSign’s Support team.

    Unfortunately the reseller you have purchased the certificate from was in breach of their contract with GlobalSign and in result certificates associated to this account have been revoked. We understand that you have been affected and we’re going to pass your details on to our Product Specialist team who will be able to assist you with your available options.

    Apologies for the inconvenience and you will be contacted soon.

    Please don’t hesitate to contact us if you have any further queries.

    Kind regards,

    censored

    GlobalSign Support Team

    So, that's it, if you bought your certificate from sslcertificate.cn, you won't get it back and your money is lost. No idea if ISSL is going to refund customers or what they're going to do, this might be interesting to know, maybe someone can shed some light on that. For reference, I originally bought my certificate via Bitcoin.

    To cut a long story short: DO NOT BUY THOSE CERTIFICATES

  • IIRC some SSL resellers basically have an SSL certificate "flatrate" but are by contract bound to some minimum price to prevent price dumping. Those Chinese resellers might have ignored such a contract clause

  • rm_, IPv6 Advocate, Veteran
    edited March 2015

    gsrdgrdghd said: bound to some minimum price to prevent price dumping

    These CA f*ckers really ought to be put to answer to anti-trust regulatory bodies in their corresponding jurisdictions. Starting right with the fact that there's no technical reason whatsoever for a wildcard cert to be tenfold more expensive than a non-wildcard one.

  • Razza, Member

    @rm_ said:
    These CA f*ckers really ought to be put to answer to anti-trust regulatory bodies in their corresponding jurisdictions. Starting right with the fact that there's no technical reason whatsoever for a wildcard cert to be tenfold more expensive than a non-wildcard one.

    So true, it's not like a wildcard is costing the CA more to issue. Personally I just think CAs are a bunch of robbing basta*ds

  • @rm_ you're suggesting to not buy vps for long periods, so that rules applies to ssl certs too?

  • NeoXiD, Member
    edited March 2015

    I think in the future people who only need SSL for private or not-that-important sites will no longer buy any certificates at all, thanks to Startcom and other CAs that followed.

    I'm not quite sure though if the prices of those business certificates are going to decrease soon, as most bigger companies usually don't really care about the current prices, as long as they're getting trustworthy and reliable certificates.

    Some of the prices might actually be okayish, as maintaining a root or sub-root CA is a huge PITA which involves a sh*tload of bureaucracy, speaking from my own experience. Also those bigger companies usually give out certificates with really high insurances, you shouldn't forget about that.

    Don't get me wrong now ~ some costs are imho justified, but I'm also against ripping off customers for setting some additional flags. Somewhere between LET and mafia-like pricing should be good.

    Thanked by dragon2611
  • rm_, IPv6 Advocate, Veteran
    edited March 2015

    alexvolk said: you're suggesting to not buy vps for long periods, so that rules applies to ssl certs too?

    I am suggesting not to buy SSL certs at all at the moment.
    1) WoSign is free for 100-domain certs, really, make a list of subdomains that you use, and you can get by without a wildcard cert; https://www.ohling.org/blog/2015/02/wosign-free-2y-ssl-certificate.html
    2) LetsEncrypt.org launches very soon, wait and see, use WoSign for now; https://letsencrypt.org/
    3) if you use CloudFlare you can already enable free wildcard SSL, but you probably already knew that. (And use StartSSL or WoSign certs on the actual server)

    Thanked by alexvolk, hotsnow
  • zeitgeist, Member
    edited March 2015

    Hm, to summarize... Globalsign has a business agreement with a reseller who sells their certificates (like AlphaSSLs) on their behalf to end-users. The reseller is in breach of the contract between Globalsign and the reseller; as a result of this contract breach (again: between Globalsign and the reseller), Globalsign revokes certificates purchased through the reseller by end-users? I am not a lawyer, but that doesn't look right to me. If Globalsign chooses to work with less than reputable resellers, how is it this end-user's fault? As far as I'd be concerned, I never had any business with Globalsign, and I legitimately purchased a certificate from a company who was an official reseller at that time.

  • Falzo, Member

    zeitgeist said: from a company who was an official reseller at that time

    are you sure about this and are you able to back up this point in any way?

  • @zeitgeist said:
    Hm, to summarize... Globalsign has a business agreement with a reseller who sells their certificates (like AlphaSSLs) on their behalf to end-users. The reseller is in breach of the contract between Globalsign and the reseller; as a result of this contract breach (again: between Globalsign and the reseller), Globalsign revokes certificates purchased through the reseller by end-users? I am not a lawyer, but that looks not right to me. If Globalsign chooses to work with less than reputable resellers, how is it this end-user's fault? As far as I'd be concerned, I never had a business with Globalsign, and I legitimately purchased a certificate from a company who was an official reseller at that time.

    Sounds like a normal business relationship to me. The reseller has breached Globalsign conditions and so Globalsign revokes the certs. If it was a legitimate reseller its customers would be able to recover the cost of certificate and any damage to their business. The reseller would then foot the bill for real certs or pay damages. Globalsign has no obligations to the reseller's customers.

  • joepie91, Member, Patron Provider

    NeoXiD said: I think in the future people which only need SSL for private or not-that-important sites no longer buy any certificates at all, thanks to Startcom and other CAs that followed.

    Startcom refuses to revoke compromised certificates unless you pay them money - the certificates are not actually free. WoSign is an unknown quantity at this point, and Lets Encrypt isn't in full operation yet. I know of no other CAs giving out free certs.

  • NeoXiD, Member
    edited March 2015

    @joepie91 said:
    Startcom refuses to revoke compromised certificates unless you pay them money - the certificates are not actually free. WoSign is an unknown quantity at this point, and Lets Encrypt isn't in full operation yet. I know of no other CAs giving out free certs.

    "Luckily" they're doing so. First of all, they also have to earn money somehow and they're doing so with the various Class X validations and revocations.

    I once had a security issue and they revoked three certs for the price of one. They're a nice bunch of guys, you just have to talk to them. If they wouldn't charge at all for that, many inexperienced people would revoke certs over and over again --> CRL grows enormously --> More traffic costs for them and the performance is also going to degrade. Also, your CA reputation unofficially drops, as really big CRLs aren't a great sign.

    But you can't expect them to revoke all your certs for no reason or whatever. IMHO, if you need a person-validated SMIME, Code Signing and many wildcard and/or SAN certificates, it's currently the best deal. You can't get that anywhere else, fact.

    LetsEncrypt already stated on GitHub that they're not offering wildcard certs when they launch, so it's going to be similar to WoSign. I don't know about their revocation policy though, maybe it's mentioned somewhere in their CP draft.

    I'm not saying the way Startcom is doing it is the best one to resolve such problems, but assuming that your servers which host important sites won't get compromised all the time, the fees should be fine. You don't have to agree with me, it's just my own personal opinion, based on the 4 years during which I've operated the sub-root CA that my employer had.

  • BAKA, Member

    elwebmaster said: Sounds like a normal business relationship to me. The reseller has breached Globalsign conditions and so Globalsign revokes the certs. If it was a legitimate reseller its customers would be able to recover the cost of certificate and any damage to their business. The reseller would then foot the bill for real certs or pay damages. Globalsign has no obligations to the reseller's customers.

    A certificate is a good that you transact with the reseller for, while you get your cert signed directly by the CA. The delivery of the good is finished and the good is yours. How could the CA take back (revoke) the good from a bona fide purchaser?

  • joepie91, Member, Patron Provider
    edited March 2015

    NeoXiD said: "Luckily" they're doing so. First of all, they also have to earn money somehow and they're doing so with the various Class X validations and revocations.

    I once had a security issue and they revoked three certs for the price of one. They're a nice bunch of guys, you just have to talk to them. If they wouldn't charge at all for that, many inexperienced people would revoke certs over and over again --> CRL grows enormously --> More traffic costs for them and the performance is also going to degrade. Also, your CA reputation unofficially drops, as really big CRLs aren't a great sign.

    But you can't expect them to revoke all your certs for no reason or whatever. IMHO, if you need a person-validated SMIME, Code Signing and many wildcard and/or SAN certificates, it's currently the best deal. You can't get that anywhere else, fact.

    Revocations are a critical part of the SSL security model. If you cannot revoke your certificate, it is simply not secure. There's no discussion there - that is just how it is designed. Thus, Startcom certificates are not actually free.

    "They have to earn money somehow" is not an argument either. It is either free or it is not. Startcom is not.

    NeoXiD said: I'm not saying the way Startcom is doing it is the best one to resolve such problems, but assuming that your servers which host important sites won't get compromised all the time, the fees should be fine. You don't have to agree with me, it's just my own personal opinion, based on the 4 years during which I've operated the sub-root CA that my employer had.

    You might want to look into what Startcom's response was to Heartbleed.

    EDIT: And to clarify, revoking certificates when you only have a suspicion of them being compromised is the correct thing to do. It is absolute madness to try and prevent people from doing that. And traffic costs, are you being serious? It's 2015.

  • rm_, IPv6 Advocate, Veteran

    joepie91 said: Startcom refuses to revoke compromised certificates unless you pay them money - the certificates are not actually free.

    Surely charging for revocations may not be the white-and-fluffiest move ever, but that doesn't give you any right to exaggerate your point until it becomes industrial-grade bullshit. The certificates are indeed actually free. The additional services you may never ever need (I didn't), maybe not.

    joepie91 said: WoSign is an unknown quantity at this point

    They give a valid 2 year certificate trusted by all major browsers and OSes, what more do you need to know? Don't start with "Are they trustworthy" and all that, your browser already trusts them (as well as a million other CAs).

  • joepie91, Member, Patron Provider

    rm_ said: Surely charging for revocations may not be the white-and-fluffiest move ever, but that doesn't give you any right to exaggerate your point until it becomes industrial-grade bullshit. The certificates are indeed actually free. The additional services you may never ever need (I didn't), maybe not.

    Again, revocation is not an "additional service". It is a vital part of the design of SSL. If you do not understand that, perhaps you should read up on the architecture and threat models of SSL...

    Startcom's certificates are just as free as a mobile game that is near-unplayable without paid 'optional' microtransactions - 'free' in name only.

  • NeoXiD, Member
    edited March 2015

    @joepie91 said:
    Again, revocation is not an "additional service". It is a vital part of the design of SSL. If you do not understand that, perhaps you should read up on the architecture and threat models of SSL...

    I'm sure both rm_ and I do know that, but if they'd open up revocations for free, they'd be facing exactly the issues I described, as there's no way to check if the certificate really got compromised. You can't get everything for nothing.

    @joepie91 said:
    And traffic costs, are you being serious? It's 2015.

    GlobalSign revoked all certificates when that Heartbleed thingy came up. Their CRL grew to 4.7MB and they had a lot of issues hosting such a big CRL properly, so they partnered up with CloudFlare:

    https://blog.cloudflare.com/the-hard-costs-of-heartbleed/

    Read that article and rethink your statements, you can't expect Startcom to handle such cases like those big players, stabilized by millions of dollars.
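
Editor's added example, not code from anyone in this thread. It puts the two technical claims above into runnable form using only the Go standard library (Go 1.19 or newer, for x509.ParseRevocationList): joepie91's point that revocation is part of the security model, and NeoXiD's point that a CRL balloons under mass revocation. The CA name, the *.example.test wildcard leaf and serial 4242 are constructed for the example. Ordinary chain validation (x509.Certificate.Verify) still passes for a certificate its issuer has revoked, because path validation never consults a CRL; only an authenticated, still-fresh CRL lookup catches it. The last lines show the DER size growing by a couple of dozen bytes per revoked entry (more with real 20-byte serials), which is what made the post-Heartbleed CRLs painful to serve.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a throwaway in-memory CA plus one wildcard leaf, built for this example only.
type testPKI struct {
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	leaf   *x509.Certificate
}

// must panics on error; acceptable for a fixture, never for a production code path.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newTestPKI() *testPKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign: required to verify the CRL
	}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), // hypothetical serial
		DNSNames:     []string{"*.example.test", "example.test"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey))))
	return &testPKI{caCert: caCert, caKey: caKey, leaf: leaf}
}

// verifyChain is ordinary path validation (signature, validity window, name match).
// It never consults a CRL, so a revoked certificate still passes it.
func (p *testPKI) verifyChain(hostname string) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.caCert)
	_, err := p.leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err
}

// issueCRL signs a CRL from the CA listing the given serials as revoked.
func (p *testPKI) issueCRL(serials []*big.Int) ([]byte, error) {
	now := time.Now()
	entries := make([]pkix.RevokedCertificate, 0, len(serials))
	for _, s := range serials {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: entries,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, p.caCert, p.caKey)
}

// isRevoked authenticates the CRL against the issuer and rejects a stale one
// before trusting its contents; fail closed rather than treat "unknown" as "fine".
func isRevoked(crlDER []byte, issuer *x509.Certificate, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL expired at %s", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// crlSize is the DER size of a CRL with n hypothetical revoked serials.
func (p *testPKI) crlSize(n int) int {
	s := make([]*big.Int, n)
	for i := range s {
		s[i] = big.NewInt(int64(100000 + i))
	}
	return len(must(p.issueCRL(s)))
}

func main() {
	p := newTestPKI()
	crl := must(p.issueCRL([]*big.Int{p.leaf.SerialNumber}))
	revoked, err := isRevoked(crl, p.caCert, p.leaf.SerialNumber)
	fmt.Println("chain verifies:", p.verifyChain("www.example.test") == nil, "| revoked per CRL:", revoked, err)
	fmt.Println("CRL bytes with 0 / 1000 / 10000 entries:", p.crlSize(0), p.crlSize(1000), p.crlSize(10000))
}
```

The "chain verifies: true" after revocation is not a bug in the example; it is the gap the thread is arguing about. Whatever a CA charges for, a relying party that never fetches the CRL (or an OCSP response) is trusting a certificate the issuer has already disowned, and a client that accepts an unsigned or expired CRL is no better off.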

  • BAKA, Member

    Got some hint from GlobalSign support team's reply.

    The problem seems to relate to GlobalSign's accounting. The actual meaning of "in breach of their contract" would be "they are not paying for the certificates they have ordered".

    Sounds like xoxo exploited a billing system bug and it was noticed after more than 1 year...

  • raza19, Veteran

    @GlobalSign: we’re going to pass your details on to our Product Specialist team who will be able to assist you with your available options.

    does this mean they might reissue the certs or do something similar?

  • BAKA, Member

    @raza19 said:
    does this mean they might reissue the certs or do something similar?

    Just a guess - they will offer discount to purchase new cert - which would still be expensive considering the original price.

  • @raza19 said:
    does this mean they might reissue the certs or do something similar?

    I think they meant that they're going to send a special offer, but I guess it would be still really expensive.

  • raza19, Veteran

    @BAKA said:
    Just a guess - they will offer discount to purchase new cert - which would still be expensive considering the original price.

    I would want nothing less than reissues or my money back ! I have spent over $300 on these damn certs

  • joepie91, Member, Patron Provider

    @NeoXiD said:
    Read that article and rethink your statements, you can't expect Startcom to handle such cases like those big players, stabilized by millions of dollars.

    You do understand that Startcom is a business that also sells other types of certificates, right? If they are not capable of serving CRLs - and let's not forget they're a good bit smaller than GlobalSign - then they simply have a poor business model.

    Do realize that the alternative to revoking the certificates on request, is to leave potentially vulnerable certificates out in the wild, thereby literally breaking the SSL security model. Frankly, it amazes me that browser vendors do not require free revocation yet, for CAs to be included in the certificate store.

  • @joepie91 said:
    Do realize that the alternative to revoking the certificates on request, is to leave potentially vulnerable certificates out in the wild, thereby literally breaking the SSL security model. Frankly, it amazes me that browser vendors do not require free revocation yet, for CAs to be included in the certificate store.

    My quote was related to your "traffic costs? it's 2015" statement. I know exactly what they're offering and I do agree that it's not the best way to do revocations - but everyone should decide for him/herself if Startcom fits their needs.

  • Falzo said: are you sure about this and are you able to back up this point in any way?

    It says so in the reply from Globalsign. That they were a reseller, that they had a contract with Globalsign, and that they were in breach of that contract.

    Thanked by Falzo
  • Falzo, Member

    @zeitgeist said:

    thanks for clarifying! must have missed that, if stated earlier somewhere ;-)

  • raza19, Veteran

    I was asked to pay $849 for a 2 year wildcard cert, apparently it's a discounted price! GlobalSign sucks.

  • adxn, Member, Host Rep
    edited March 2015

    Lost my SSL

  • khav, Member

    Anyone having the same issue with IPXcore Alpha SSL wildcard?

  • raza19 said: I was asked to pay $849 for a 2 year wildcard cert, apparently it's a discounted price! GlobalSign sucks.

    Looks like great promo
