Security researcher Osama Almanna has discovered a domain validation flaw for the StartSSL certificate authority (CA) that would allow someone to receive SSL certificates for any domain they wanted.





TL;DR: The PKI platform of StartSSL, an Israeli leader of free SSL certificates, is now hosted by Qihoo 360, a Chinese Antivirus Company, which uses IPs from a Chinese state-owned telecommunication company.
...
Apart from IPs from CDNs, we find a strange fact: The DNS of auth.startssl.com changed in December 2015 from 192.116.242.27 (StartCom-Ltd) to 104.192.110.222 (QiHU 360), which belongs to a Chinese Company (Qihoo 360).
root@kali:~/# host www.startssl.com
www.startssl.com has address 97.74.232.97 <- Godaddy
www.startssl.com has address 52.7.55.170 <- Amazon Web Services
www.startssl.com has address 52.21.57.183 <- Amazon Web Services
www.startssl.com has address 52.0.114.134 <- Amazon Web Services
www.startssl.com has address 50.62.56.98 <- Godaddy
www.startssl.com has address 104.192.110.222 <- QiHU 360 Inc.
www.startssl.com has address 50.62.133.237 <- Godaddy
root@kali:~/#
You may have heard something about Qihoo 360, who just bought Opera. Strangely enough, Qihoo 360 uses IPs from China Telecom Americas. China Telecom Americas is a subsidiary of China Telecom Corporation Limited which is a Chinese state-owned telecommunication company. It is the largest fixed-line service and the third largest mobile telecommunication provider in the People's Republic of China.
It is worrying that the PKI front-end (auth.startssl.com) is now hosted within a Chinese Antivirus Company, who uses a Chinese ISP for 2 months AND that there hasn't been any news around. It can be only linked to the expansion of StartSSL's activities in China in December 2015, as explained above.
From a history point of view, StartSSL already refused to revoke certificates affected by the HeartBleed vulnerability and accused the user of negligence ("your software was vulnerable").
With all these facts, I don't think using StartSSL is a good idea now, except if they offer a clear explanation why they are hosting their PKI in a Chinese company.
Go use Let's Encrypt! :)
OpenSSL is a large and complex library. It is used for everything: symmetric cryptography, asymmetric cryptography, hashes, SSL, TLS and all X.509 management: generating X.509 certificates, generating CSRs,
nginx SSL security

SSL
Securing a website with SSL: why should I do that?
Why should I secure my website with SSL? What do I gain from it? These are important questions that everyone who runs a website should think about. I recently asked myself this question too and equipped netw0rker.com with an SSL certificate.
Installation Instructions for SSL/TLS on Nginx Server
(Thanks to Ingmar Steen for the instructions) First, use the StartSSL™ Control Panel to create a private key and certificate and transfer them to your server. Then execute the following steps (if you use a class 2 certificate replace class1 by class2 in the instructions below):
Decrypt the private key by using the password you entered when you created your key:
openssl rsa -in ssl.key -out /etc/nginx/conf/ssl.key
Alternatively you can also use the Tool Box decryption tool of your StartSSL™ account.
Protect your key from prying eyes:
chmod 600 /etc/nginx/conf/ssl.key
Fetch the Root CA and Class 1 Intermediate Server CA certificates:
wget http://www.startssl.com/certs/ca.pem
wget http://www.startssl.com/certs/sub.class1.server.ca.pem
Create a unified certificate from your certificate and the CA certificates:
cat ssl.crt sub.class1.server.ca.pem ca.pem > /etc/nginx/conf/ssl-unified.crt
Configure your nginx server to use the new key and certificate (in the global settings or a server section):
ssl on;
ssl_certificate /etc/nginx/conf/ssl-unified.crt;
ssl_certificate_key /etc/nginx/conf/ssl.key;
Tell nginx to reload its configuration:
killall -HUP nginx
And you’re done!
More: https://www.startssl.com/?app=20
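A pre-reload check for the procedure above, as an added example that is not part of the original instructions: it confirms that the decrypted key belongs to the first certificate in the unified file and that each certificate is followed by its issuer. The script name check-bundle.sh and the function names are hypothetical; it assumes the openssl command-line tool is installed.

```bash
#!/usr/bin/env bash
# Added example (not from the StartSSL instructions): sanity-check the unified
# certificate file before telling nginx to reload. Function names are hypothetical.

# Succeeds when KEY's public half equals the public key of the first
# certificate in BUNDLE (the one nginx presents as the server certificate).
key_matches_cert() {  # usage: key_matches_cert KEY BUNDLE
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds when every certificate in BUNDLE is immediately followed by the
# certificate whose subject is its issuer (server, intermediate, root).
# This compares names only; it does not verify signatures.
chain_in_order() {  # usage: chain_in_order BUNDLE
  local dir i rc issuer subject
  dir=$(mktemp -d) || return 2
  # Split the bundle into 1.pem, 2.pem, ... in file order.
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
  i=1; rc=0
  [ -f "$dir/1.pem" ] || rc=2
  while [ -f "$dir/$((i + 1)).pem" ]; do
    issuer=$(openssl x509 -in "$dir/$i.pem" -noout -issuer -nameopt RFC2253 |
      sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject -nameopt RFC2253 |
      sed 's/^subject= *//')
    [ "$issuer" = "$subject" ] || { rc=1; break; }
    i=$((i + 1))
  done
  rm -rf "$dir"
  return "$rc"
}

# Hypothetical invocation:
#   ./check-bundle.sh /etc/nginx/conf/ssl.key /etc/nginx/conf/ssl-unified.crt
if [ "$#" -eq 2 ]; then
  key_matches_cert "$1" "$2" && echo "key matches server certificate" || echo "KEY/CERT MISMATCH"
  chain_in_order "$2" && echo "chain order ok" || echo "CHAIN OUT OF ORDER"
fi
```

If both checks pass, `nginx -t` validates the configuration itself before the HUP is sent.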