StartCom free SSL certificates go bust

StartCom certificate authority that hands out free SSL certificates, is no longer recognized by major browsers. I’ve got their certificate back in May 2016, and it worked fine, but in October 2016 StartCom became involved in some sort of scandal, and their new certificates are not trusted by Mozilla, Chrome and Apple.

The next best option I found is $5/year “PositiveSSL” certificate from Comodo, obtained via If you know how to create a CSR, it takes about 10 minutes to get a certificate, and it appears to work fine.

To be frank, the whole deal about SSL certificates is quite annoying. If you want an HTTPS web site, you need to get a domain name and a certificate. Domain names registrars are quite well regulated and the prices are uniform and stable: a regular domain costs $11-$15 a year, and it’s been on that level for a long time. On the other hand, the world of SSL certificates feels like Wild West and a big headache. In theory, Certificate Authorities are supposed to be the epitome of honesty and trust, but the reality is quite different.

The sin of StartCom was that it was bought by WoSign, that engaged in some questionable practices, like back-dating issued certificates to avoid SHA1 decommission deadline. Additionally, both StartCom and WoSign kept denying the fact of purchase, which finally led for their removal from the list of CAs by Mozilla and others.

Astonishingly, StartCom continues to sell SSL certificates, some for as high $200/year. Their web site does not mention the scandal, or the fact that their certificates won’t work on Chrome, Firefox or Safari. There is a half-assed message at the bottom of the web page declaring that “StartCom™ / StartSSL™ is supported by (Edge) (IE) (Android) (Microsoft Windows)“, but it is intentionally ambiguous. In fact, I initially interpreted it as “Edge/IE/Windows and Android are our sponsors” (whatever that might mean).

Regardless of StartCom story, it does not take much to obtain a fraudulent certificate: all you need is access to one of several e-mails associated with the domain: either, or the one registered in whois. Of course, lack of checks makes obtaining a certificate quick and cheap, but it also dilutes trust in the system.

The price of the low-grade certificates varies greatly. The web site, that sells certificates for $5/year is affiliated with sells exactly the same certificates for $9/year. The certificates are issued by neither nor; they are issued by Comodo security authority. The cheapest certificate I could find on Comodo web site costs $77/year.

Such volatility, lack of transparency and great variation in prices is rarely a tell-tale sign of an honest business. And remember, once you switch your web site to HTTPS, there is no going back: you can redirect transparently from HTTP to HTTPS, but redirect in the opposite direction won’t happen unless you have a valid SSL certificate. If your certificate is broken, the users will see “your connection is not secure” page, before the redirect to HTTP would get a chance to kick in. If your web site is HTTPS, you will have to renew your certificate, or lose your customers/audience. If certificate prices went up, too bad, you will have to pay up or suffer the consequences.



  1. Включили бы вы, барин, в жж комментарии. А то в следующий раз я поленюсь зайти в какой-то левый бложек, чтобы сообщить про letsencrypt


    1. I do appreciate your effort. Welcome to the flaky bloglet 🙂 I can’t promise comments on LJ or any other platform, but I will think of a better way of integration. Do you think OAuth integration with Google/Facebook/whatever would help?

      As for letsencrypt, see my answer to AK.


  2. That complexity of managing your own domain – is one of the reasons why Facebook and similar services won over WordPress blogs that are hosted on user’s own web domain.
    But may be that is exactly what regular content consumer (reader) wants: to have smaller number of domains that is easier to remember, so there would be less issues with trust.


    1. You are probably right, but it’s not the whole truth. You can have a hosted blog at or

      Facebook is not really a blog platform at all, at least not for technical blogs. I think it is more about social interactions with friends and acquaintances. If you try to use it as a blog platform, it is quite annoying and difficult to navigate. Plus, of course, the Big Brother effect: anything you say may and will be used against you.

      Trust/integration is indeed another dimension: I don’t have a good solution for that.


    1. Thanks. Somehow it did not show up in my searches (now I wonder how I could have missed it).

      This is a very good initiative, but main trouble with letsencrypt is that their certificate is valid only for 90 days (and they actually think it’s a good thing: see It is too much hassle to update manually, so you have to setup some kind of bot that would re-request and reinstall your certificate every 90 days, risking a probability of failure because of change in APIs, lost connectivity, change in policies, etc.

      I paid $15 for a 3 years certificate. It is over twelve times longer than 90 days, I won’t have to worry about it until 2020.

      When letsencrypt grows up and starts issuing at least yearly certificates (or when Apache gets out of the box “re-request and install certificate” script) , they will be worth serious consideration.


Leave a Reply

Your email address will not be published. Required fields are marked *