remove StartSSL from the browser's trust store

 Wed, 23 Apr 2014 12:03:06 +0200 last edited: Wed, 23 Apr 2014 12:03:37 +0200  
What the Heartbleed bug revealed to me | gollo's blog

Today, I had a really negative experience with the StartSSL certificate authority. This is the first time that this has happened to me. The problem is that it affects StartSSL's reputation because it reveals that they value money much higher than security. Security, however, should be a CA's primary concern. So, what happened? It all started whe...

Indeed, but do not all CAs pay for it?

Ah, and of course the rumors that StartSSL is part of Mozilla's products solely because they paid for it sound much more reasonable to me than a week ago.

Very interesting statistics from ISC about CRL activity after #heartbleed.
SSL CRL Activity - Internet Security | SANS ISC

Certificate Revocation Lists ("CRLs") are used to track revoked certificates. Your browser will download these lists to verify if a certificate presented by a web site has been revoked. The graph above shows how many certificates were revoked each day by the different CRLs we are tracking.

The most interesting number, I think, is from CAcert.org, especially the total size. The total number of active certificates per CA would be interesting, too.

But this all is a bit ridiculous. There are thousands of compromised certificates out there that do not get revoked, and even if they do get revoked there is no working solution for checking against revoked certificates. Downloading CRLs does not scale. OCSP is too unreliable, so there is a soft-fail fallback that silently accepts everything. Some browsers do not even use OCSP at all.
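The CRL check described in the ISC excerpt above, carried out end to end on a throwaway CA with the openssl CLI. This is an added example, not code from the post or from SANS ISC: it issues one leaf certificate, publishes an empty CRL, revokes the leaf, republishes the CRL, and runs `openssl verify` after each step. It also shows the one case the post's OCSP remark is about: when `-crl_check` is requested and no CRL is at hand, openssl rejects the chain (hard fail) where a browser's soft-fail OCSP path would accept it. All names, paths and the `ca.cnf` contents are this example's own choices; it needs openssl 1.1.1 or newer for `-addext`.

```shell
#!/bin/sh
# Added example (not from the post or the SANS ISC page): a scratch CA, one leaf
# certificate, a CRL, and `openssl verify` run in the three situations a
# revocation check can end up in. Everything lives in a temp dir, DEMO_DIR.

# Create the scratch CA; exports DEMO_DIR for the other functions.
setup_demo_ca() {
  DEMO_DIR=$(mktemp -d) || return 1
  cat > "$DEMO_DIR/ca.cnf" <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 1
default_crl_days = 1
policy           = demo_policy
x509_extensions  = leaf_ext

[ demo_policy ]
commonName = supplied

[ leaf_ext ]
basicConstraints = CA:FALSE

[ req ]
distinguished_name = req_dn

[ req_dn ]
EOF
  (
    set -e
    cd "$DEMO_DIR"
    : > index.txt            # the CA database: every issued/revoked cert is a row here
    echo 1000 > serial       # hex serial of the next certificate
    echo 1000 > crlnumber    # CRL number of the next CRL
    # Self-signed CA certificate; CA:TRUE so that openssl verify accepts it as an issuer.
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
      -subj "/CN=Demo CRL CA" -addext "basicConstraints=critical,CA:TRUE" \
      -keyout ca.key -out ca.pem >/dev/null 2>&1
    # Leaf CSR, signed through `openssl ca` so the issuance is recorded in index.txt,
    # which is what `openssl ca -gencrl` builds the CRL from.
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=demo.example" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
    openssl ca -config ca.cnf -batch -notext -in leaf.csr -out leaf.pem >/dev/null 2>&1
  )
}

# Verify the leaf with extra options (e.g. -crl_check -CRLfile crl.pem).
# Exit status 0: chain accepted; non-zero: rejected.
verify_leaf() {
  ( cd "$DEMO_DIR" && openssl verify -CAfile ca.pem "$@" leaf.pem >/dev/null 2>&1 )
}

# Publish a CRL from the current state of index.txt (empty until something is revoked).
issue_crl() {
  ( cd "$DEMO_DIR" && openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1 )
}

# Mark the leaf revoked in the CA database; it shows up in the next CRL.
revoke_leaf() {
  ( cd "$DEMO_DIR" && openssl ca -config ca.cnf -revoke leaf.pem >/dev/null 2>&1 )
}

# Hex serial of the leaf (1000 for the first certificate this CA issues).
leaf_serial() {
  ( cd "$DEMO_DIR" && openssl x509 -in leaf.pem -noout -serial | sed 's/^serial=//' )
}

# The lookup a browser does after downloading the CRL: is the presented
# certificate's serial in the issuer's revoked list?
crl_lists_leaf() {
  ( cd "$DEMO_DIR" && openssl crl -in crl.pem -noout -text \
      | grep -q "Serial Number: $(leaf_serial)\$" )
}

# Walk through the outcomes once, printing what a verifier would conclude.
demo() {
  setup_demo_ca || { echo "setup failed (is openssl installed?)"; return 1; }
  verify_leaf && echo "no revocation check:        accepted"
  verify_leaf -crl_check || echo "-crl_check, no CRL at hand: rejected (hard fail)"
  issue_crl
  verify_leaf -crl_check -CRLfile crl.pem && echo "-crl_check, empty CRL:      accepted"
  revoke_leaf && issue_crl
  verify_leaf -crl_check -CRLfile crl.pem || echo "-crl_check, after revoke:   rejected (serial $(leaf_serial) listed)"
}

demo
```

The point to carry away is the second line of the demo output: with `-crl_check` and no CRL, openssl refuses the chain, and that is the decision browsers make the other way when an OCSP responder does not answer.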


 Wed, 16 Apr 2014 15:30:28 +0200 
Current news: 2014-04-09: Are you probing my network for OpenSSL exploits? No!

We are currently working on a survey on the OpenSSL CVE-2014-0160 bug. This means that you will receive malicious-looking traffic from this machine. This traffic is, however, of academic nature to assess the extent of the bug from an Internet security perspective. We do not retrieve private data from any of your systems and do not intend to exploit your system.

 Tue, 15 Apr 2014 17:42:24 +0200 last edited: Tue, 15 Apr 2014 17:42:25 +0200  
One of the best explanations I have seen about #heartbleed.

xkcd wrote the following post:

Heartbleed Explanation


Are you still there, server? It's me, Margaret.