When I first set up this blog I got an SSL certificate from StartCom’s StartSSL authority, simply because it
was the easy way to just get a site on HTTPS.
However, StartCom has recently fallen out of favour with browser vendors, starting with Mozilla and now
Chrome. If you haven’t been following the world of certificate authority politics, the story starts with a CA
called WoSign. A university sysadmin created a big tech news story earlier this year after revealing that
WoSign had issued him a certificate for github.com. This is a pretty big deal, and Mozilla’s investigations
into WoSign have raised even more concerns about WoSign’s mistakes and how it handled them. One of those
concerns is this:

[In November 2015] WoSign purchased the CA “StartCom” and did not disclose the transaction as a change of
ownership, which we believe violates section 5 of the Mozilla CA Certificate Maintenance Policy. Furthermore,
when this clause was brought to their attention, they denied that any changes fell under it, and they attempted
to suppress further information about the ownership transfer when it was brought to the community’s

A couple of weeks ago Mozilla announced that Firefox will be
phasing out support for both WoSign and StartCom certificates. Chrome made a similar
announcement a week later.