Important Notice: At no time is or was the StartCom Certificate Authority affected by the so-called "Heartbleed" OpenSSL bug - this bug doesn't affect certificate authority operations. Neither were the web servers serving our content affected in any way at any time.
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
- Which certificates are affected?
Any server certificate hosted at an SSL/TLS enabled server that uses, or has at any time in the past used, one of the vulnerable OpenSSL versions.
- Which OpenSSL versions are vulnerable?
This bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is not vulnerable
- OpenSSL 1.0.0 branch is not vulnerable
- OpenSSL 0.9.8 branch is not vulnerable
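To turn the version list above into a repeatable check, here is an added example (not part of the StartCom FAQ) that classifies an OpenSSL version string or `openssl version` banner against exactly the ranges listed: 1.0.1 through 1.0.1f affected, 1.0.1g and later fixed, the 1.0.0 and 0.9.8 branches unaffected. The function and constant names (`parse_version`, `is_heartbleed_vulnerable`, `FIXED_LETTER`) are this example's own. One caveat the version number cannot express: some operating system vendors backport the fix while keeping the old version string, so a "vulnerable" result from this check means "needs confirmation from the vendor's changelog", not a proven exposure.

```python
"""Classify an OpenSSL version string as Heartbleed-affected or not.

Added example, not part of the StartCom FAQ. It encodes only the ranges
the FAQ lists: 1.0.1 .. 1.0.1f vulnerable, 1.0.1g fixed, 1.0.0 and 0.9.8
unaffected. A distribution build that backports the fix but keeps the old
version number is reported as vulnerable; confirm such cases separately.
"""
import re
import ssl

# Matches "1.0.1e", "OpenSSL 1.0.1e 11 Feb 2013", "1.0.1", "0.9.8y", ...
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

# 1.0.1g, released 7 April 2014, is the first fixed 1.0.1 release.
FIXED_LETTER = "g"


def parse_version(text):
    """Return (major, minor, patch, letter) from a version string or banner.

    Raises ValueError when no OpenSSL-style version is present in text.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def _letter_key(letter):
    # Suffix letters sort by length first, then alphabetically:
    # "" (bare 1.0.1) < "a" < ... < "f" < "g" < ... < "z" < "aa".
    return (len(letter), letter)


def is_heartbleed_vulnerable(text):
    """True if the version lies in 1.0.1 .. 1.0.1f (inclusive)."""
    major, minor, patch, letter = parse_version(text)
    if (major, minor, patch) != (1, 0, 1):
        # 1.0.0, 0.9.8 and every other branch are outside the affected range.
        return False
    return _letter_key(letter) < _letter_key(FIXED_LETTER)


def check_running_interpreter():
    """Classify the OpenSSL this Python process was linked against."""
    banner = ssl.OPENSSL_VERSION
    return banner, is_heartbleed_vulnerable(banner)


if __name__ == "__main__":
    # Constructed sample banners, as produced by `openssl version`.
    for banner in ("OpenSSL 1.0.1e 11 Feb 2013",
                   "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.0l 6 Jan 2014",
                   "OpenSSL 0.9.8y 5 Feb 2013"):
        print("%-30s vulnerable=%s" % (banner, is_heartbleed_vulnerable(banner)))
    print("local interpreter: %s vulnerable=%s" % check_running_interpreter())
```

Feed it the first line of `openssl version` from each host you administer; anything reported as vulnerable needs the upgrade to 1.0.1g (or a confirmed backported fix) before the key and certificate replacement discussed below is worth doing.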
- Which certificates are not affected?
Generally speaking, S/MIME and Code Signing certificates are not affected by this bug; only server certificates served by an affected server are.
- Can I know if my keys were leaked?
Exploitation of this bug leaves no traces in the log files, so it is practically impossible to know.
- Who should request revocation of affected certificates?
Any certificate that has been served by a server using one of the vulnerable OpenSSL versions should be revoked. It is up to the subscriber to make the correct assessment regarding this bug and, if affected, to take appropriate action in the StartSSL Tool Box.
- Is replacing the certificate enough?
No! Merely replacing the certificate at an affected server does not solve the problem: if the private key material was obtained by another party, it can be used to impersonate the site even after the certificate has been replaced. The replacement certificate must be issued for a newly generated private key, and the old certificate must be revoked.
- Does revocation of a certificate carry a fee?
Yes, depending on the verification level of the certificate a revocation fee of US$ 24.90 is charged. See also the Fees page with the current price list.
- Why does StartCom charge a fee for revocations?
Due to the unique business model of StartCom where certificates are issued without charge (except Extended Validation Certificates), revocations always carried a fee due to the expensive nature of this service.
Revoked certificates have to be listed in certificate revocation lists (CRLs), which are downloaded by software like browsers and mail clients on an almost daily basis. This means millions of download requests every day which StartCom has to serve, and every additional entry in the list increases the load and the related costs accordingly.
- OCSP and CRL distribution
We made a special effort during the last year, with significant investments and improvements to our infrastructure including cooperation with a major content delivery network provider, to serve OCSP (Online Certificate Status Protocol) responses and CRLs as fast as possible to visitors of StartCom secured sites for the best user experience. As a result, StartCom has become one of the leading certificate authorities with the fastest response times for OCSP and CRLs.
- Where can I find more information?
For more detailed information about this bug please visit this site dedicated to this bug.