Press release from their website.
IMO, they tried to make it sound like they were the victim and the browser vendors (especially Mozilla) were "picking on them". They were trying to shirk responsibility and minimize/downplay their own actions and "fuck ups" that got them in the position they found themselves in.
As an outsider reading along on m.d.s.p. as events unfolded, I got the impression that they thought they were going to quickly and easily "fix" everything just by saying "oops, sorry" and making a few changes. As they discovered, it doesn't work like that.
Let this be a lesson to the other CAs.
"No, we can't take a shortcut here. See what happened to StartCom after they bent the rules a bit too much".
But even before then StartSSL was a hinky CA. Three times I contacted support, I got direct responses from Eddy. Each time he managed to make me feel like I'd personally insulted him. Abrasive.
All that said, he was providing well trusted free certificates at a time nobody else was.
On the other hand… I really won't miss 'em.
Can you elaborate on that?
So we said "fuck that" and shared the account. When we were caught, they would have had the right to terminate our account and revoke all our certs. Instead, they offered to look the other side as long as we paid the authentication fee again.
That was terrific, as you could verify your identity, get a code signing cert, one for the website, and one for s/mime or digital document signing all for $60. I like Let's Encrypt and have used it since, but it's nowhere near as full featured of an offering.
Yet.
I think they'll begin offering a non-free service in the next two years or so. The free DV certs will remain but eventually they'll need actual income (as opposed to donations and/or corporate sponsorships). EV certs may be one way that happens, I don't know.
For the longest time, we heard they wouldn't be offering wildcard certificates. Then, I just happened to be looking at their (recently updated) CPS one day (I was working on building out an internal PKI at the time) and saw mention of issuance of wildcard certificates. They announced those shortly after.
Anyways, like I said, at some point they'll need actual income. I'm not sure what they'll offer in order to do that, though. Maybe EV certs, maybe longer issuance periods after more in-depth organizational verification, maybe some subscription-based "manage all your certs easily" tool, who knows. But I expect them to follow the same "automated == free", "manual intervention/work == not free" business model.
I'm pretty sure they get sponsored by lots of big vendors. i.e. Google has Let's Encrypt support in gcloud. I'm pretty sure that big vendors need to pay to query their API more often.
I quit after 6 months when I learned that the equity-based contracts were designed to scam the engineers that I hired. Also I dared to raise concerns over bringing StartCom founder Eddy Nigg back into the company for advice on how to build a sound infrastructure (fit for ETSI & WebTrust certification).
Management there has a thing for "hiring struggling entrepreneurs" and then phishing them for their ideas with the promise of equity which is never paid out. There were also a range of other issues such as racist coworkers (whom I fired in my first week) and a refusal from the founder to face up to these issues.
One applicant was made promises, then stalled on the contract, and when she quit her original job she was told on her first day of work that her salary negotiation hadn't even started. I was let go (or I quit with a bang, depending who you ask) because I dared to point out they're all crooks.
I personally don't see how trust can ever be implemented in systems when it is owned by a company which can be acquired with M&A and the same bad apples who cash out from projects are then investing in similar companies.
I once contacted their support and was barraged with unprovoked aggressiveness. Things like asking an innocent question with no snarkiness and getting a response like "Next time you should read the page :)".
Nowadays I use Let's Encrypt and I'm really happy with it. I haven't even thought about an SSL certificate in about a year and all of my sites have auto renewing certificates for free.
If anyone is curious how to set all of that up and just wants to see how all of the pieces of hosting a secure site come together (from hosting, domain purchasing and automated SSL integration with Let's Encrypt), then you can check out a course I put together that demonstrates everything at https://httpswithletsencrypt.com/.
Let's Encrypt and AWS cover my cert needs now.
https://groups.google.com/forum/#!msg/mozilla.dev.security.p...
Good read on what not to do.