Avoid StartCom / StartSSL. Like. The. Plague.

Posted on January 16, 2013

- Update -

As of October, 2016, Google and Mozilla agree with me that StartSSL/StartCom is not secure and are now distrusting their certificates in their browser bundles. Sweet, sweet affirmation. Read on for my original account of why I came to distrust them...


That time came around yet again... time to renew the SSL certs for one of my businesses online. Since launching the number of subdomains inched upwards from one to three and I thought... hey maybe a wildcard cert is in order?

I poked around on the sysadmin subreddit and in various forums and found StartSSL. StartSSL claims to allow buffet-style cert creation for one price - the price of identity verification. People generally seemed to like them. "Hey", I thought, "I like people who buck the norm and try something different. I'll give it a shot."

I signed up on their site and walked through some somewhat confusing and unintuitive UI. I shrugged it off. I've used some pretty wonky UI for web infrastructure companies before. It had all the negatives of a flash application - no browser history - strange custom UI primitives, etc. Huh. As long as it gets the job done, right? I forked over the $60 for identity verification. It told me to submit 2 forms of ID.

* The cover of your passport 
* The first pages of the passport 
* The picture of your personal detail of your passport and 
* Both sides of your driving license or identity card or similar

Okay - I came this far.

I uploaded a snapshot of my passport and my driver's license. The weirdo UI wouldn't tell me what files I'd uploaded. In fact pretty much all data went into a black hole of obscurity - I couldn't find the address I gave them anywhere either. I was a little concerned because my billing address is different than my residential address, which is different than my corporate address. Well, I pressed on and uploaded my corporate Articles of Incorporation and signed statement indicating I'm the CEO, plus the EIN for the company.

I got an email saying that my account needed to be approved and that it would take 24 hours. Harumph. Well, I guess that makes some sense since they have to check the ID.

Next up I got an email from someone at StartSSL:

 Thank you for your Class 2 Identity Validation request. In
order to help with the verification process, do you perhaps have a
recent invoice of your phone or mobile provider, showing your name,
address and phone number?  

Uh, what? You didn't mention anything like that. No, my phone is pay-as-you-go. There's no contract. So I said:

 My mobile provider is somewhat odd in that they don't
provide paper statements in the traditional sense.  You pay
month-to-month.

Enclosed are a couple of screen shots from their website's report
showing my address.  

Their response:

 Thank you for that.  Unfortunately we can't use screen
shots.

We must create a successful match between your name, a documents you
provided us, a third party source and by validating those details.
Typically we do this by confirming with our sources or phone bills and
by calling the phone number we found.

We can also send you a registered postal mail with a verification
code. It might take some 5 - 10 business days. That's what we usually
do when we can't validate through phone.  

Derp. I'm getting annoyed. This is all happening over email, by the way.

 So my passport, driver's license, articles of
incorporation, and EIN from the IRS are not sufficient?? (I am going
to apply for an org Class 2) 

They said:

 We can try to make the validation faster by calling you on
your company phone.  We can do this if your name appears in the
Articles of incorporation of the company you are trying to validate.
Please let us know if this is the case.

Where is the company actually incorporated? Do you have some evidence
for phone numbers owned by that company?

Also you are located in Vancouver and this is a US company, it might
not work and we'll have to send a verification code by postal
mail. BTW, which is your mobile provider? Don't they provide PDF
invoices?  

You've gotta be shitting me. This is a tech startup, it doesn't have a phone number. Don't be stupid. This is 2013 - is it really that weird that I live in a different country than the one where my company is located?

I said:

 The company is incorporated in Delaware.  Yes, I am
residing in Vancouver right now.  I am a US Citizen.  No, the company
does not own any phone numbers - it's a new tech company and does not
require a 'business phone'.  My *personal* mobile provider is
Mobilicity.  Oddly enough, no, they don't provide PDF invoices nor
paper invoices.  They provide Excel spreadsheets of billing numbers
and little reports generated on their site.  

They said:

 Alright - thanks for all the information so far. After
reviewing everything, it appears that we have to use an alternative
verification method and send a registered postal mail with a
verification code to you. Let me know if this works for you.

Sure whatever. Mail me some wood pulp if that makes you happy.

 Okay.

Thanks, Dan 

Turns out it was mailed from Israel. 35 days later I receive the piece of wood pulp with a cryptographic hash on it that I typed into my computer and sent to their servers. Yay! FINALLY THIS WILL BE OVER.

Nope. I got this from them:

 Thank you for the verification code, please send us some
evidence only with your name and home address, I think that we sent
you the letter to your company address and not to your residence
address.  

What.

 I've sent you:

1. My passport.  2. My driver's license.  3. My company's articles of
incorporation.  4. A credit card that cleared payment with a valid
address.  5. A digital security code that you mailed to me on a piece
of wood pulp from another continent.

This is more evidence than was required for me to move to another
country.  This is too much and ridiculous and not worth it.  I will
use another organization.  Please refund my money and destroy all
information you have on file.

Sincerely, Dan Connor 

To which they replied...

 I'm sorry about that, I didn't saw the last two documents,
we can approve the validation right away, is that OK with you?

Sure, fine. They approved my verification. Sweet Jesus that sucked. Now 38 days later I can finally get some work done!!I logged into their weird-ass control panel and made myself a cert.

Then I was told that the cert would have to be manually approved by a staff member, which would take *no more than* 3 hours. It took ten hours. And it was declined. I was livid.

I wrote:

 I can't seem to figure out how to close my account from
your control panel.  Please delete my account and destroy all my
personal information.

Thanks, Dan 

Turns out this is "not really possible".

 It's not really possible as the retention period is at
least seven years (according to the various requirements we are
subjected to).  

You're going to hold on to my passport photo, EIN, and driver's license for SEVEN YEARS!? I hope to god your database never gets hacked.

 You really have to retain my data even if you never
actually issue a certificate on my behalf?  My account was only
verified yesterday.  Basically I am really unhappy with the
communication and UI provided by your company and I would just much
rather work with some other organization moving forward.

No response so far. StartCom is joke and I am ashamed that I sent them anything at all.


Despite my intentionally colorful, unprofessional language in this post I'd like to make a real point: I am OK with due diligence but I want to know what I'm getting into. If a company is going to be rigid it needs to say "you do X, Y, Z and you'll expect A, B, C". If they stick to that I can deal with it; but each time I sent data to StartCom we'd go further into the rabbit hole with more wasted time. I never had any idea how deep it would go. That's unacceptable customer service in my book.

It appears that I'll be getting a refund but that my person data will be locked in their purgatory for years to come.

 > I'm most concerned with the private data - namely my
passport information.  Would you please make sure that is destroyed?

Not at this stage - we have to clearly document all steps we perform
for auditing purpose.

> And, once due diligence is exercised, I expect a company to "get out
  of my way" so I can get work done.  The idea of manual interventions
  by staff in every little detail is too much friction for me.

Even though I can understand your point, our interests and tasks are
not always aligned with that. More than once this manual intervention
saved the day for us and if we lose one customer once in a while,
that's fine with us.

> Honestly this has been some of the worst customer service I've
  encountered in my life.

I'm sorry that you feel this way, but StartCom is not by chance today
the 6th largest certificate provider worldwide and with a fairly good
reputation at that. My apologies if we made a mistake - in any case
I'll go ahead and cancel your validation now.  

Yeah well Walmart is the largest corporation in the world and I don't do business with them, either.

Still no refund to this day.

comments powered by Disqus