from Hacker News

Termination of the certificates business of StartCom

by marksamman on 11/17/17, 11:51 AM with 28 comments

  • by DyslexicAtheist on 11/17/17, 3:43 PM

    I worked as Director of Engineering for an investor[1] who helped bootstrap StartCom. StartCom was back then the first successful firm from the Authenticity Institute portfolio. I joined Authenticity because I thought it could really shake up the certification industry.

    I quit after 6 months when I learned that the equity-based contracts were designed to scam the engineers that I hired. Also I dared to raise concerns over bringing StartCom founder Eddy Nigg back into the company for advice on how to build a sound infrastructure (fit for ETSI & WebTrust certification).

    Management there has a thing for "hiring struggling entrepreneurs" and then phishing them for their ideas with promise of equity which is never paid out. There were also a range of other issues such as racist coworkers (which I fired in my first week) and a refusal from the founder to face up to these issues.

    One applicant was made promises, then stalled on the contract and when she quit her original job was told on her first day of work that her salary negotiation hasn't even started. I was let go (or I quit with a bang depending who you ask) because I dared to point out they're all crooks.

    I personally don't see how trust can ever be implemented in systems when it is owned by a company which can be acquired with M&A and the same bad apples who cash out from projects are then investing in similar companies.

    [1] https://en.wikipedia.org/wiki/Wes_Kussmaul

  • by nickjj on 11/17/17, 3:25 PM

    I won't miss them. For many years their certificate registration process was extremely confusing and tedious, but they conveniently charged a lot of money to revoke a certificate (read: it was cheaper to buy a new certificate from someone else like SSLMate for less money than it was to revoke a free certificate with StartSSL).

    I once contacted their support and was barraged with unprovoked aggressiveness. Things like asking an innocent question with no snarkiness and getting a response like "Next time you should read the page :)".

    Nowadays I use Let's Encrypt and I'm really happy with it. I haven't even thought about an SSL certificate in about a year and all of my sites have auto renewing certificates for free.

    If anyone is curious how to set all of that up and just wants to see how all of the pieces of hosting a secure site come together (from hosting, domain purchasing and automated SSL integration with Let's Encrypt) then you can check out a course I put together that demonstrates everything at https://httpswithletsencrypt.com/.

  • by creshal on 11/17/17, 1:48 PM

    StartCom will always have a special place in my heart – they're the only company that I had to outright bribe to do business with.

    On the other hand… I really won't miss 'em.

  • by lithiumfrost on 11/17/17, 5:40 PM

    The loss of this particular business isn't nearly the shame that the loss of the business model is. Activities that required human effort and involvement had a cost, like identity verification, while activities that had near zero costs were free.

    That was terrific, as you could verify your identity, get a code signing cert, one for the website, and one for s/mime or digital document signing all for $60. I like Let's Encrypt and have used it since, but it's nowhere near as full featured of an offering.

  • by jchw on 11/17/17, 11:56 AM

  • by bmn__ on 11/17/17, 2:28 PM

    It went all to shambles when Eddy Nigg lost control.

  • by moduspwnens14 on 11/17/17, 7:39 PM

    I used them for a few years without issue. They were always quick to respond to my e-mails.

    Let's Encrypt and AWS cover my cert needs now.

  • by rmdoss on 11/18/17, 12:15 AM

    Details on why it happened here:

    https://groups.google.com/forum/#!msg/mozilla.dev.security.p...

    Good read on what not to do.

  • by hinkley on 11/17/17, 5:31 PM

    Since they are owned by a parent company (look at the sig of the email), are they really shutting it down or are they going to reassign the employees to another team with a different name?

  • by ComputerGuru on 11/17/17, 1:29 PM

    No doubt victim to the success of LetsEncrypt and good riddance, too. Before LE, StartCom was the only way to get a free and recognized SSL certificate, only it was a pain to use (client certificates) and only worked with specific browsers.