StartSSL is a PKI solution from StartCom, a company based in Israel.
StartSSL offers the free (for personal use) Class 1 X.509 SSL certificate "StartSSL Free", which works for webservers (SSL/TLS) as well as for E-mail encryption (S/MIME). It also offers Class 2 and 3 certificates as well as Extended Validation Certificates. All major browsers include support for StartSSL certificates.
StartCom, a leading global Certificate Authority (CA) and provider of trusted identity and authentication services, launched its newly designed website just at the end of the year and announced the expansion of its activities in China.
StartSSL uses https://auth.startssl.com/ as the front-end for access to their PKI (login to the PKI, creating and revoking certificates, ...). It is the core of their service and the critical part of their infrastructure.
Using Robtex, we discover that the StartSSL platform is mainly operated in Israel, within the 184.108.40.206/24 IP range (netname: SrartCom-Ltd (sic!), country: IL).
The www.startssl.com vhost is provided by a custom CDN:
root@kali:~/# host www.startssl.com
www.startssl.com has address 220.127.116.11 <- Godaddy
www.startssl.com has address 18.104.22.168 <- Amazon Web Services
www.startssl.com has address 22.214.171.124 <- Amazon Web Services
www.startssl.com has address 126.96.36.199 <- Amazon Web Services
www.startssl.com has address 188.8.131.52 <- Godaddy
www.startssl.com has address 184.108.40.206 <- QiHU 360 Inc.
www.startssl.com has address 220.127.116.11 <- Godaddy
root@kali:~/#
Apart from the CDN IPs, we find a strange fact.
There are only 3 vhosts pointing to 18.104.22.168:
www.startssl.com (for one of its IPs) -> 22.214.171.124
auth.startssl.com -> 126.96.36.199
www.startpki.com -> 188.8.131.52
We can use WhatsMyDNS to check that auth.startssl.com resolves to 184.108.40.206 from any location. This is not a CDN setup but the intentional use of a single Chinese IP.
As auth.startssl.com resolves to 220.127.116.11 from any location, we can assume the PKI is now hosted on the 18.104.22.168 IP.
22.214.171.124 is an IP from "QiHU 360 Inc", which actually means Qihoo 360, a Chinese tech company.
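The check performed above by hand (same answer from every vantage point means a single fixed host rather than a CDN, then map that host to its netblock owner and country) can be scripted as a drift monitor for a critical dependency such as a CA login front-end. This is an added example, not code from the post; the resolver answers, hostnames and the whois-derived netblock table are constructed, using RFC 5737 documentation ranges in place of real addresses.

```python
import ipaddress

# Constructed sample data (not from the post): answers a few public resolvers in
# different regions returned for two names, plus a whois-derived netblock table.
# Addresses are RFC 5737 documentation ranges standing in for real ones.
NETBLOCKS = {
    "192.0.2.0/24": ("ExampleCDN-Inc", "US"),
    "198.51.100.0/24": ("ExampleCA-Ltd", "IL"),
    "203.0.113.0/24": ("ExampleISP-Overseas", "CN"),
}
ANSWERS = {
    "www.example-ca.test": {          # varies by location: CDN / GeoDNS
        "resolver-eu": {"192.0.2.10", "192.0.2.11"},
        "resolver-us": {"192.0.2.20"},
        "resolver-asia": {"203.0.113.5"},
    },
    "auth.example-ca.test": {         # identical everywhere: one fixed host
        "resolver-eu": {"203.0.113.5"},
        "resolver-us": {"203.0.113.5"},
        "resolver-asia": {"203.0.113.5"},
    },
}

def owner_of(ip):
    """Map an address to (netname, country) via the whois-derived table."""
    addr = ipaddress.ip_address(ip)
    for block, info in NETBLOCKS.items():
        if addr in ipaddress.ip_network(block):
            return info
    return ("UNKNOWN", "??")

def classify(name, per_resolver):
    """Describe how a name is hosted: single fixed host or location-dependent."""
    answer_sets = list(per_resolver.values())
    all_ips = set().union(*answer_sets)
    # Same single answer from every vantage point -> not a CDN, one host.
    single_host = len(all_ips) == 1 and all(s == all_ips for s in answer_sets)
    owners = {ip: owner_of(ip) for ip in sorted(all_ips)}
    return {"name": name, "single_host": single_host, "owners": owners,
            "countries": {country for _, country in owners.values()}}

def drift_alerts(answers, allowed_countries):
    """Flag names pinned to a single host outside the expected jurisdictions."""
    alerts = []
    for name, per_resolver in answers.items():
        result = classify(name, per_resolver)
        if result["single_host"] and result["countries"] - set(allowed_countries):
            alerts.append((name, next(iter(result["owners"].values()))))
    return alerts
```

Run periodically against live resolver answers and a refreshed whois table, the same logic raises an alert the day a front-end you depend on moves to an unexpected network.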
You may have heard something about Qihoo 360, who just bought Opera. Strangely enough, Qihoo 360 uses IPs from China Telecom Americas. China Telecom Americas is a subsidiary of China Telecom Corporation Limited which is a Chinese state-owned telecommunication company. It is the largest fixed-line service and the third largest mobile telecommunication provider in the People's Republic of China.
It is worrying that the PKI front-end (auth.startssl.com) is now hosted by a Chinese antivirus company, which has been using a Chinese ISP for 2 months, and that there has been no news about it. It can only be linked to the expansion of StartSSL's activities in China in December 2015, as explained above.
From a historical point of view, StartSSL already refused to revoke certificates affected by the Heartbleed vulnerability and accused the user of negligence ("your software was vulnerable").
With all these facts, I don't think using StartSSL is a good idea now, except if they offer a clear explanation of why they are hosting their PKI at a Chinese company.
Go use Let's Encrypt! :)
published on 2016-02-16 00:00:00 by Pierre Kim <email@example.com>