When I first set up this blog I got an SSL certificate from StartCom’s StartSSL authority, simply because it was the
easy way to just get a site on HTTPS.
However, StartCom has recently fallen out of favour with browser vendors, starting with Mozilla and now Chrome. If
you haven’t been following the world of certificate authority politics, the story starts with a CA called WoSign. A
university sysadmin created a big tech news story earlier this year after revealing that WoSign gave him a
certificate for github.com. This is a pretty big deal, and Mozilla’s investigations into WoSign have raised even more concerns
about WoSign’s mistakes and handling of mistakes. One of those concerns is this:
“[In November 2015] WoSign purchased the CA ‘StartCom’ and did not disclose the transaction as a change of ownership,
which we believe violates section 5 of the Mozilla CA Certificate Maintenance Policy. Furthermore, when this clause was
brought to their attention, they denied that any changes fell under it, and they attempted to suppress further
information about the ownership transfer when it was brought to the community’s attention.”
A couple of weeks ago Mozilla announced that Firefox will be
phasing out support for both WoSign and StartCom certificates. Chrome made a similar announcement a