Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I distrusted all StartCom certificates anyway after 2014; StartCom is a rogue CA who certify the authenticity of sites which they know have been compromised. Read the story here: https://web.archive.org/web/20140412085458/https://revokame.... (the original page disappeared mysteriously a few days after the story was published). And the HN thread about the incident: https://news.ycombinator.com/item?id=7577290


That publicity stunt by some over-zealous guy cannot be called a "compromised key".

Intentionally publishing something is diametrically opposed to having something compromised.

That was simply an attempt to shirk his contractual obligations with StartCom and get internet points at the same time.


Yeah, IMO it would have been entirely reasonable for StartCom to revoke the cert for free and cancel the account.

Also, the flip side of this is that occasionally (but very rarely), people want their private key to be a publicly accessible. See http://readme.localtest.me/, where everything else .localtest.me resolves to 127.0.0.1, and they tried to post a wildcard, but it got revoked.


And that's before we get into their mafia-like tactics when it comes to the mass-leak fiasco that was Heartbleed.

Startcom is unsafe, unethical, and the kiss of death for a CA, cannot be trusted.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: