Shameful Security: StartCom Charges People To Revoke SSL Certs Vulnerable To Heartbleed
from the and-fuck-you-all-too dept
Yesterday, we wrote about just how terrible the Heartbleed bug in OpenSSL is. It’s been generating plenty of discussion, with folks like Bruce Schneier calling it “catastrophic” and saying that “on the scale of 1 to 10, this is an 11.” It’s a pretty big deal. So you’d think that everyone would be scrambling to help plug the vulnerability as painlessly as possible. And most companies have been doing that. But one — StartCom — apparently sees this as an opportunity to rake in cash and to screw over those most vulnerable.
StartCom is a free SSL Cert authority, and on the company’s website, it claims it offers this service for free “because we believe in the right to protect and secure information between two entities without discrimination of race, origin and financial capabilities.” Except, that’s not quite how things are playing out in reality. As is being actively discussed over at HackerNews and via the StartSSL Twitter fee, the company is trying to charge people to revoke the vulnerable certs. Update: And, yes, they’re even charging those who are on their premium paid service tiers as well — and often charging exorbitant rates.
While the company has generally charged for revoking certs, many people pointed out that with a vulnerability of this magnitude, that’s both ridiculous and dangerous. However, the company doesn’t seem to care.
It’s upon the subscriber to take appropriate action since the certificate authority can’t enforce which software to use. The terms of service and related fees will not change due to that.
When it was pointed out to the company how serious a vulnerability issue the company started to get snotty with its own uses:
We do understand the situation very well, thanks…. This is not our fault as well. We do not see any reason to provide this paid service for free. We have enough other free services already if you didn’t mentioned it.
People began challenging the company on Twitter, and it’s taken that same snotty “we don’t give a fuck” attitude to them as well: