Yesterday, we wrote about just how terrible the Heartbleed bug in OpenSSL is. It's been generating plenty of discussion, with folks like Bruce Schneier calling it "catastrophic" and saying that "on the scale of 1 to 10, this is an 11." It's a pretty big deal. So you'd think that everyone would be scrambling to help plug the vulnerability as painlessly as possible. And most companies have been doing that. But one -- StartCom -- apparently sees this as an opportunity to rake in cash and to screw over those most vulnerable.
StartCom is a free SSL cert authority, and on the company's website, it claims it offers this service for free "because we believe in the right to protect and secure information between two entities without discrimination of race, origin and financial capabilities." Except, that's not quite how things are playing out in reality. As is being actively discussed over at HackerNews and via the StartSSL Twitter feed, the company is trying to charge people to revoke the vulnerable certs. And, yes, they're even charging those who are on their premium paid service tiers as well -- and often charging exorbitant rates.
While the company has generally charged for revoking certs, many people pointed out that with a vulnerability of this magnitude, that's both ridiculous and dangerous. However, the company doesn't seem to care.
It's upon the subscriber to take appropriate action since the certificate authority can't enforce which software to use. The terms of service and related fees will not change due to that.
When it was pointed out to the company how serious a vulnerability this is, the company started to get snotty with its own users:
We do understand the situation very well, thanks.... This is not our fault as well. We do not see any reason to provide this paid service for free. We have enough other free services already if you didn't mention it.
People began challenging the company on Twitter, and it's taken that same snotty "we don't give a fuck" attitude to them as well:
Yes, this is part of StartCom's business model. Free certs, pay to revoke (Update: but that doesn't explain why they're doing this for paying customers too...). But this is clearly a case where that model should be suspended to keep the internet safe. The amount of ill-will this move is generating is pretty clear. Furthermore, it highlights what a bullshit claim it is that its goal is to better protect communications. If that were true, it would allow emergency revocations for an issue like Heartbleed.