Now validated with StartSSL

So while I was putzing around with my SSL sites and getting some grief with mod_gnutls, I realized that my life really would be much easier with a valid wildcard SSL cert.

So naturally I went to StartSSL and went through the process for a Class 2 Validation. I had meant to do it for a long time and have been using their free Class 1 certificates for ages.

The process was easy and once I logged in, I uploaded some documentation and waited for the administrative work to complete. I used PayPal and shortly afterwards I received a phone call from Startcom. It was Eddy Nigg personally calling me to ask me the control questions.

I couldn’t help myself and I laughed out loud. I have long admired what he and his company have been doing with affordable SSL certs. I regard what other CAs charge as quite a successful scam and StartSSL’s efforts have been well on par with the other “Big names”.

So now I’m successfully validated, using a wildcard SSL cert for my entire domain, and I am officially a satisfied customer. I can’t recommend them enough.

20 Replies to “Now validated with StartSSL”

  1. Hi!

    Thanks for your review on StartSSL. It seems more and more developers are switching to this company. I will follow your recommendation and tomorrow will start the validation process!

    Regards

    1. Hi Inigo,

      I think you will be pleasantly surprised at how simple the process is. If you have any issues, just use StartSSL’s page and I’m sure they’ll help you out.

  2. I can see that you can admire their pricing strategy. Please be very careful, though, the information they require is very sensitive and they have a strongly flawed policy about this. It makes you wonder: do they have a second cash stream that they ‘forget to mention’?

    My 2 cents:

    For validation they require a scanned passport and drivers license. Information like this is very sensitive as it can easily be used for identity theft, for instance to acquire a loan in your name.

    As a principle, I watermark these documents with the name of the company I supplied them to. They are still perfectly legible but this way, they can no longer be used for identity theft.

    Startcom is unwilling to process these watermarked documents because they ‘could be forged’ (not because they were unreadable or anything like that). Imagine that. Any digital image I send ‘could be forged’, of course. Adding or not adding a watermark changes little on that account.

    And where is the business case on their end? Why do they need (or even want) documents that can be used for Identity Theft? And why won’t they process documents that are clearly suited for their purpose of identification?

    The only reasons I can think of is that they are either very naive in their security thinking or worse, that they have plans for your documents where the watermark would get in the way. Makes me wonder…

    Also please take note that they have been hacked in the past (and admitted to that) so why trust them with you identity in this way?
    http://www.theregister.co.uk/2011/06/21/startssl_security_breach/

    Bas

    1. Each of those are good and pertinent questions and statements, and there are also valid and legitimate replies.

      However, I am currently traveling on a commuter train and can’t really get into a comprehensive reply.

      The price is definitely a consideration for me, but I think I’ll invite StartSSL to possibly explain why their process is the way it is as well why maintaining those process standards is important.

      I understand and agree with the reasoning and rationale for it and hope a good reply will be forthcoming.

    2. I totally agree with Bas!

      Unfortunately, I am not that impressed by Startcom. Sure, in theory, they have a brilliant offering.

      But in the Netherlands, identity theft is a hot item and the government is providing all kinds of hints and things you can do to minimize the risk of having your identity copied.

      There is really no legal need whatsoever for a company other than an employer or government agency to have a 100% accurate (and prone to abuse) copy of an ID. Especially the “SO/FI / BSN” (social security) number is of no company’s business.

      Too bad Startcom. I think you will be out of business regarding the Netherlands soon.

      1. See my reply below to Bas.

        You can obtain free Class 1 certificates from StartSSL without those identification requirements.

        But for Class 2 or greater certificates you need to validate your identity and that requires documentation. Just someone online saying “Validate me, you can trust me” is frankly pretty worthless.

        Any SSL certificate provider that places identity information in those certs without validating who they are issuing that certificate to only manages to diminish their service.

        Too bad Startcom. I think you will be out of business regarding the Netherlands soon.

        That may be true and there are many other SSL certificate vendors out there. I encourage you to use the one that you are comfortable with.

        But as a Startcom customer I would prefer that they do not compromise their services just to cater to some market share that does not want to acknowledge what and why they do what they do.

      2. @Jan: Thanks for your extensive and sincere reply on this. Before writing my reply, I already read your reply to Bas.

        Of course, in essence, I do acknowledge Startcom’s point of view and why they have this policy. Being serious about checking if a person really is the person he/she claims to be is fundamental to the trust that the whole concept of SSL certificates is based on.

        But like Bas also already pointed out, just scanning my ID document and uploading it right away is also still no guarantee that it has not been tampered with. At the same time, if my document gets compromised, it can be used for all kinds of identity Theft purposes in my country right away. Giving it a watermark really does not impact the ability to verify my identity.

        Of course I will also have to criticize my own government for putting such sensitive information like social security numbers on a document that is mainly to be used for ID purposes by companies other than government agencies. And Startcom certainly is not the only company insisting on having a 100% un-altered copy. Even car rental companies, data centers or parcel pickup points want to make a copy.

        For now, I will indeed have to choose another SSL certification reseller. Which is a pity, not only because they often ask unfair fees but also because I like the StartSSL concept of what you can do with the level 2 personal certification.

        But I do hope that with posting my concerns here and there (and if other people do the same), it might open up a broader debate on providing a means to verify one’s ID versus keeping too many details of a person in any digital archive whatsoever, while the only purpose was to verify one’s ID.

        1. Of course, in essence, I do acknowledge Startcom’s point of view and why they have this policy. Being serious about checking if a person really is the person he/she claims to be is fundamental to the trust that the whole concept of SSL certificates is based on.

          I’m glad we agree on that part. 😉

          But like Bas also already pointed out, just scanning my ID document and uploading it right away is also still no guarantee that it has not been tampered with.

          So what alternative can you recommend? We both agree that validation is critical.

          Where I disagreed with Bas was the concept of altering or uploading even easier to forge documentation, such as just posting a form. If there was a method to validate your identity that was foolproof and tamperproof then that would be wonderful.

          Passports can be validated to a point. Obtaining a scanned image of that passport page can and is used for that purpose. I do agree that it may not be an attractive method for everyone. That’s why I recommend that people do their research and use a provider that meets their needs.

  3. Okay, I have time now. 🙂 Please be aware that I’m not a representative of StartSSL. I’m just another customer who happens to be a fan.

    This is only my 2 cents too and you shouldn’t do business with anyone that you don’t want to. There are other CAs available and you do have many choices.

    As a principle, I watermark these documents with the name of the company I supplied them to.

    See, that’s a problem. You are intentionally altering the image from the original and that just invalidates it. It’s as if you are saying “I watermarked it, but trust me, that’s the only modification I made.”

    Trust works both ways and if any certificate authority accepted that then frankly they would not be very good. It’s critical that they are able to validate who you are or they can’t issue you an extended certificate.

    They are still perfectly legible but this way, they can no longer be used for identity theft.

    If the information was all that was required then you could just send them all the data on your drivers license in ASCII format.

    That would not be useful and doesn’t provide any guarantee that you’re not enacting identity theft yourself.

    The only reasons I can think of is that they are either very naive in their security thinking

    Not at all, it actually means that they know what they are doing. If they just accepted certificate requests from anyone at face value then that would hurt their business.

    As to attributing to them suspicious motives, that’s not the case. Identity theft comes from your information and not an image, watermarked or otherwise.

    Also please take note that they have been hacked in the past (and admitted to that)

    Yes. So has my bank. My bank has been hacked, they’ve lost customer data, and they’ve dealt with it. It happens.

    How can I be nonchalant about that? Because I understand that while a security breach is a very bad thing what is more important is how the company responds once they’ve discovered the breach. I’m confident that they’ve dealt with the situation.

  4. Jan, did you pay the additional fee to have the Class 2 Organization Validation? When I look at your cert, it’s in your website’s name, not your personal name.

    I like the features of StartSSL but from what I gather, the Class 2 certs will be in the individual’s name and not the website’s name unless they are for registered businesses, you are able to provide tax/registration info so StartCom can validate the business, and you pay for Organizational Validation. I own several domains but none of them are registered businesses so that means my personal name will be displayed in the cert and not the websites’ names???

    I want to give StartSSL a try but I do not want my personal name on the certs for anyone on the internet to see. The certs should be in the name of the website. I currently use GeoTrust Quick SSL Premium on all of my websites but since adding a couple more sub-domains, I can no longer afford to buy GeoTrust certs for all. The GeoTrust certs are in my websites’ names so my personal name does not show up anywhere.

    Please clue me in 🙂

    1. Jan, did you pay the additional fee to have the Class 2 Organization Validation? When I look at your cert, it’s in your website’s name, not your personal name.

      To be honest, in all the excitement I forgot! I did pay the fee and the part that I’m concerned about is this in my SSL cert.

      O=Jan Dembowski/CN=*.dembowski.net

      That’s what I expected to see. You can check a web server’s SSL certificate with openssl s_client or (if you’re not CLI savvy 🙂 ) with the SSL Certificate Tester web page.

      Head over to the StartSSL FAQ, they might have something that explains it better than I can.

      I want to give StartSSL a try but I do not want my personal name on the certs for anyone on the internet to see.

      I understand your concern, but part of any issued SSL certificate contains information to certify that there is a real person behind that certificate. That’s part of the standard, both encryption and authentication. In this case, the person the certificate was issued to.

      If you’re concerned about it and really just want encryption, you can use a self-signed SSL certificate. That will cause error messages in your browser but if you accept and install the certificate then that should get rid of those messages.
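The openssl check mentioned above, worked through as an added example that is not part of the original post or its comments. It generates a throwaway self-signed wildcard certificate (subject O=Example Person, CN=*.example.net, both constructed for the demo, not the cert from the post), prints its subject and Subject Alternative Names the way openssl x509 shows them, and then checks which hostnames the certificate actually covers. The functions cert_subject, cert_sans, name_matches, cert_covers_host and fetch_server_cert are all hypothetical helpers written for this example. The caveat it illustrates: a wildcard such as *.example.net covers exactly one leftmost label, so it matches www.example.net but neither example.net itself nor a.b.example.net unless those appear as their own SAN entries.

```sh
#!/bin/sh
# Added example, not code from the original post. Inspect an X.509 certificate's
# subject and subjectAltName entries with the openssl CLI and check hostname
# coverage, including the single-label semantics of a wildcard name.
# Every name and file below is constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/cert.pem"

# Throwaway self-signed wildcard certificate. The SAN extension comes from a
# small config file so this also works on OpenSSL builds without "-addext".
cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
O = Example Person
CN = *.example.net
[v3_req]
subjectAltName = DNS:*.example.net, DNS:example.net
EOF

openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/key.pem" -out "$CERT" \
  -config "$WORK/san.cnf" >/dev/null 2>&1

# Subject line as openssl prints it, e.g. "subject=O = Example Person, CN = *.example.net"
cert_subject() {
  openssl x509 -in "$1" -noout -subject
}

# DNS names from the subjectAltName extension, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Does a certificate name (possibly "*.label") cover a hostname? A wildcard
# replaces exactly one leftmost label: *.example.net covers www.example.net
# but neither example.net nor a.b.example.net. Returns 0 (yes) or 1 (no).
name_matches() {
  pattern=$1; host=$2
  case $pattern in
    '*.'*)
      suffix=${pattern#\*.}
      prefix=${host%%.*}
      [ -n "$prefix" ] && [ "$host" != "$prefix" ] && [ "${host#*.}" = "$suffix" ]
      ;;
    *) [ "$pattern" = "$host" ] ;;
  esac
}

# Is the hostname covered by any SAN entry in the certificate? 0 = yes, 1 = no.
# (Browsers match against SANs; the CN alone is no longer sufficient.)
cert_covers_host() {
  cert_sans "$1" > "$WORK/sans.txt"
  while IFS= read -r san; do
    if name_matches "$san" "$2"; then return 0; fi
  done < "$WORK/sans.txt"
  return 1
}

# For a live server the certificate is fetched with s_client (SNI via -servername).
# Needs network access, so it is defined here but not called in the demo.
fetch_server_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509
}

cert_subject "$CERT"
cert_sans "$CERT"
for h in www.example.net example.net a.b.example.net; do
  if cert_covers_host "$CERT" "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
```

To inspect a real server instead of the constructed certificate, pipe fetch_server_cert into the same helpers (for example, save its output to a file and pass that file to cert_subject and cert_covers_host).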

  5. Is dembowski.net registered as a business with tax records? Is that what you provided to StartCom as Organizational Verification? Is that why I see this: http://i.imgur.com/0Te8s.jpg Instead of this: http://i.imgur.com/pDkRU.jpg

    This is where I’m confused since I’m not a business owner. Let’s say I set up a social networking site or whatever and I want to have a cert in its name but it’s not a registered business. According to the StartSSL site, I cannot get a cert in that domain’s name. This is not a problem with other cert providers but they are way more expensive.

    If a domain is not set up to bring in revenue, I would not want to go to the trouble of registering it as a business which would most certainly make filing taxes more difficult. If I’m not mistaken, I would have to verify each domain (if it were a registered business) in order to get a StartSSL cert in each of their names.

    1. Is dembowski.net registered as a business with tax records?

      Nope! Although my consulting company has a similar name, my domain is not registered as part of any business and is not on any tax records.

      I verified using my personal details and documentation. I have no issue with my name being on the SSL certificate, so it’s not a problem for me.

      If a domain is not set up to bring in revenue, I would not want to go to the trouble of registering it as a business

      That makes sense. Registering a business is a pain and why incur the expense if you don’t have to?

      But I think rather than the two of us guessing, you may want to just contact StartSSL directly. They have an email as well as a New York number, this can probably get sorted out quickly.

      1. I contacted them already but their explanation was not clear at all. I guess English is not their first language. I’m not concerned that my name is tied to the cert or that anyone with the knowhow can find my name. What I’m trying to determine is if my name will be displayed (as in the second image) or will the domain name be displayed (as in the first image) since I do not have a registered business to verify.

  6. I realise I’m resurrecting an old post, but I wanted to check in to see how your relationship with StartSSL is going?

    I notice that your certificate expired late last year, is there a reason you’ve not renewed?

    1. It’s fine to bring back this old post. I have had “get new SSL certs” on my to do list for a long time now. I do intend to use StartSSL but it’s just a matter of me making the time to do it.

      One of the things that I feel I did wrong was how I assigned additional names to my SSL certs. So planning that a little better would make my Apache http configuration file simpler.

    1. I am currently using a DigiCert cert but I plan to renew with StartSSL when this one expires.

      DigiCert had a remarkably generous offer and I wanted to see how effective it was.

      https://blog.dembowski.net/2015/digicert-sha-1-sunset-tool-find-replace-sha-1-certificates/

      It was very effective and the customer experience with DigiCert was fantastic. But I believe that StartSSL may offer me a better value (read that as “less expensive”) and that for me that is a good reason to renew with them.

      Also I like StartSSL. I like what they are doing and how they do it.

  7. I’m very disappointed about verification.
    I’ve sent two documents (both sides) issued by the government, valid until 2018:
    1. My citizen ID card with photo 2. My driver license with photo
    and a photo of me holding my ID.
    They said my address during registration was different and they want more. Maybe I made a typo? Or I wrote a short version of my street name? Don’t know.
    I sent two PDFs generated from my bank accounts showing my address and my phone bill. Unfortunately it’s registered to me and to my company both, because we do it like that in Poland. My car is also registered to me and to my company both – it’s half private/company.
    I also sent them a link to a Government site which shows: me, at my address, running a one-person company at the same address. It’s enough to get a big loan at a bank, but it wasn’t enough for StartSSL to check my address against my ID.
    They said they will send me a letter by post and it will take another 5-10 days (I doubt it).
    Now the best thing: My brother bought a certificate with digital signature and a USB cryptocard with only ONE ID document! Yes he paid more, but his identity is checked with one document…

Comments are closed.