As of October, 2016, Google and Mozilla agree with me that StartSSL/StartCom is not secure and are now distrusting their certificates in their browser bundles. Sweet, sweet affirmation. Read on for my original account of why I came to distrust them...
That time came around yet again... time to renew the SSL certs for one of my businesses online. Since launching, the number of subdomains inched upwards from one to three and I thought... hey, maybe a wildcard cert is in order?
I poked around on the sysadmin subreddit and in various forums and found StartSSL. StartSSL claims to allow buffet-style cert creation for one price - the price of identity verification. People generally seemed to like them. "Hey", I thought, "I like people who buck the norm and try something different. I'll give it a shot."
I signed up on their site and walked through some somewhat confusing and unintuitive UI. I shrugged it off. I've used some pretty wonky UI for web infrastructure companies before. It had all the negatives of a flash application - no browser history - strange custom UI primitives, etc. Huh. As long as it gets the job done, right? I forked over the $60 for identity verification. It told me to submit 2 forms of ID.
* The cover of your passport
* The first pages of the passport
* The picture of your personal detail of your passport and
* Both sides of your driving license or identity card or similar
Okay - I came this far.
I uploaded a snapshot of my passport and my driver's license. The weirdo UI wouldn't tell me what files I'd uploaded. In fact pretty much all data went into a black hole of obscurity - I couldn't find the address I gave them anywhere either. I was a little concerned because my billing address is different than my residential address, which is different than my corporate address. Well, I pressed on and uploaded my corporate Articles of Incorporation and signed statement indicating I'm the CEO, plus the EIN for the company.
I got an email saying that my account needed to be approved and that it would take 24 hours. Harumph. Well, I guess that makes some sense since they have to check the ID.
Next up I got an email from someone at StartSSL:
Thank you for your Class 2 Identity Validation request. In order to help with the verification process, do you perhaps have a recent invoice of your phone or mobile provider, showing your name, address and phone number?
Uh, what? You didn't mention anything like that. No, my phone is pay-as-you-go. There's no contract. So I said:
My mobile provider is somewhat odd in that they don't provide paper statements in the traditional sense. You pay month-to-month. Enclosed are a couple of screen shots from their website's report showing my address.
Thank you for that. Unfortunately we can't use screen shots. We must create a successful match between your name, a document you provided us, a third party source and by validating those details. Typically we do this by confirming with our sources or phone bills and by calling the phone number we found. We can also send you a registered postal mail with a verification code. It might take some 5 - 10 business days. That's what we usually do when we can't validate through phone.
Derp. I'm getting annoyed. This is all happening over email, by the way.
So my passport, driver's license, articles of incorporation, and EIN from the IRS are not sufficient?? (I am going to apply for an org Class 2)
We can try to make the validation faster by calling you on your company phone. We can do this if your name appears in the Articles of incorporation of the company you are trying to validate. Please let us know if this is the case. Where is the company actually incorporated? Do you have some evidence for phone numbers owned by that company? Also you are located in Vancouver and this is a US company, it might not work and we'll have to send a verification code by postal mail. BTW, which is your mobile provider? Don't they provide PDF invoices?
You've gotta be shitting me. This is a tech startup, it doesn't have a phone number. Don't be stupid. This is 2013 - is it really that weird that I live in a different country than the one where my company is located?
The company is incorporated in Delaware. Yes, I am residing in Vancouver right now. I am a US Citizen. No, the company does not own any phone numbers - it's a new tech company and does not require a 'business phone'. My *personal* mobile provider is Mobilicity. Oddly enough, no, they don't provide PDF invoices nor paper invoices. They provide Excel spreadsheets of billing numbers and little reports generated on their site.
Alright - thanks for all the information so far. After reviewing everything, it appears that we have to use an alternative verification method and send a registered postal mail with a verification code to you. Let me know if this works for you.
Sure whatever. Mail me some wood pulp if that makes you happy.
Okay. Thanks, Dan
Turns out it was mailed from Israel. 35 days later I receive the piece of wood pulp with a cryptographic hash on it that I typed into my computer and sent to their servers. Yay! FINALLY THIS WILL BE OVER.
Nope. I got this from them:
Thank you for the verification code, please send us some evidence only with your name and home address, I think that we sent you the letter to your company address and not to your residence address.
I've sent you:
1. My passport.
2. My driver's license.
3. My company's articles of incorporation.
4. A credit card that cleared payment with a valid address.
5. A digital security code that you mailed to me on a piece of wood pulp from another continent.
This is more evidence than was required for me to move to another country. This is too much and ridiculous and not worth it. I will use another organization. Please refund my money and destroy all information you have on file.
Sincerely, Dan Connor
To which they replied...
I'm sorry about that, I didn't see the last two documents, we can approve the validation right away, is that OK with you?
Sure, fine. They approved my verification. Sweet Jesus that sucked. Now 38 days later I can finally get some work done!! I logged into their weird-ass control panel and made myself a cert.
Then I was told that the cert would have to be manually approved by a staff member, which would take *no more than* 3 hours. It took ten hours. And it was declined. I was livid.
I can't seem to figure out how to close my account from your control panel. Please delete my account and destroy all my personal information. Thanks, Dan
Turns out this is "not really possible".
It's not really possible as the retention period is at least seven years (according to the various requirements we are subjected to).
You're going to hold on to my passport photo, EIN, and driver's license for SEVEN YEARS!? I hope to god your database never gets hacked.
You really have to retain my data even if you never actually issue a certificate on my behalf? My account was only verified yesterday. Basically I am really unhappy with the communication and UI provided by your company and I would just much rather work with some other organization moving forward.
No response so far. StartCom is a joke and I am ashamed that I sent them anything at all.
Despite my intentionally colorful, unprofessional language in this post I'd like to make a real point: I am OK with due diligence but I want to know what I'm getting into. If a company is going to be rigid it needs to say "you do X, Y, Z and you'll expect A, B, C". If they stick to that I can deal with it; but each time I sent data to StartCom we'd go further into the rabbit hole with more wasted time. I never had any idea how deep it would go. That's unacceptable customer service in my book.
It appears that I'll be getting a refund but that my personal data will be locked in their purgatory for years to come.

> I'm most concerned with the private data - namely my passport information. Would you please make sure that is destroyed?

Not at this stage - we have to clearly document all steps we perform for auditing purpose.

> And, once due diligence is exercised, I expect a company to "get out of my way" so I can get work done. The idea of manual interventions by staff in every little detail is too much friction for me.

Even though I can understand your point, our interests and tasks are not always aligned with that. More than once this manual intervention saved the day for us and if we lose one customer once in a while, that's fine with us.

> Honestly this has been some of the worst customer service I've encountered in my life.

I'm sorry that you feel this way, but StartCom is not by chance today the 6th largest certificate provider worldwide and with a fairly good reputation at that. My apologies if we made a mistake - in any case I'll go ahead and cancel your validation now.

Yeah well Walmart is the largest corporation in the world and I don't do business with them, either.
Still no refund to this day.