Misleading StartCom Advertisement

Posted on .

Before Let's Encrypt existed, I – like many others – used to use StartSSL, which offered free domain validated TLS sertificates. It was a useful service, but not without its flaws, for example the user interface was very clumsy to use. When Let's Encrypt arrived, the automation made me jump ship immediately. But a couple of days ago I got an email from StartCom, the company behind StartSSL, that piqued my interest.

The gist of the email was that StartCom was launching a new service called StartEncrypt, promising free automated certificates like Let's Encrypt does. At first I thought, cool, more user friendly certificate services is a good thing, but then I read the text further and found some bold claims about the service, which I think are misleading at best and dishonest at worst. I'll go through the claims below.

Compare with Let’s Encrypt, StartEncrypt support Windows and Linux server for most popular web server software, and have many incomparable advantages as:

Even before the list of claims, this sentence implies that Let's Encrypt did not support both Windows and Linux, which is obviously not true, or that it did not support the "most popular web server software". But since StartCom's language in the email and on their website is rife with errors, I'm going to assume they meant something else.

From the end of the sentence, you can see that the following claims are presented by StartCom as areas where StartEncrypt is better than Let's Encrypt, so that is the angle I will comment on. Also, since Let's Encrypt is a free service, I will be focusing on the free StartEncrypt Lite.

(1) Not just get the SSL certificate automatically, but install it automatically;

MISLEADING. Let's Encrypt has many clients that install the certificates automatically, including the official one.

(2) Not just Encrypted, but also identity validated to display EV Green Bar and OV organization name in the certificate;

NOT FREE. Only domain validated certificates are part of the free service, EV and OV are paid features.

(3) Not just 90 days period certificate, but up to 39 months, more than 1180 days;

MISLEADING. It's true that StartEncrypt offers a longer expiration time for the certificate, but as far as I can tell from their website, the maximum is 1 year on the free service, and the mentioned times are paid features. Since the certificate renewal is automated, the expiration time does not really matter.

(4) Not just low assurance DV SSL certificate, but also high assurance OV SSL certificate and green bar EV SSL certificate;

NOT FREE. A repeat of claim (2).

(5) Not just for one domain, but up to 120 domains with wildcard support;

MISLEADING. The free service offers only up to 5 domains per certificate. Wildcards are not part of the free service. Let's Encrypt on the other hand offers up to 100 domains per certificate.

(6) All OV SSL certificate and EV SSL certificate are free, just make sure your StartSSL account is verified as Class 3 or Class 4 identity.

NOT FREE. The certificate is free, but the validation costs $119.80 yearly for OV and $199.90 yearly for EV certificates. Additionally, Class 2 validation must be acquired before Class 4 (EV) validation can begin, the Class 2 validation costs $59.90. Granted, the price looks to be on the low side for an EV certificate, but it is not free.

So to sum up, what StartCom can actually claim against Let's Encrypt is that their free service offers certificates with an expiration period of 1 year, which as said does not really matter in most use cases when the certificate renewal is automated. All the other features mentioned required different validations (Class 2, 3 or 4) which cost yearly. You can see the differences more clearly in the comparison chart on their website.

There are also some advantages that are unique to Let's Encrypt here, that StartCom naturally does not mention:

Neither the email nor the StartEncrypt website mention that certificate revocation is not free. It is not free even for free certificates, as revocation with StartCom always costs $9.90 (previously $24.90), unless the certificate was an EV certificate. This leads to problems if a massive security problem like Heartbleed is discovered, as many StartSSL free certificates will not be revoked because of the fee. If you had lots of different subdomains, the cost of such an event (or the loss of private keys in some other way) could be in the hundreds of dollars. Revocation is free with Let's Encrypt.

The StartEncrypt software is a binary blob with no source available. It starts a daemon on your server that I'm assuming handles the certificate requests and renewals automatically. They are not using the open ACME protocol like Let's Encrypt, but their own StartAPI. I cannot comment on it, since its documentation is hidden behind a login. There will probably eventually be open source clients for the service, but Let's Encrypt already has multiple open source clients for many different platforms and use cases. Personally I use simp_le.

More services offering automated free certificates is a good thing, but I'm not happy with the deceptive advertising style StartCom has chosen here. It seems Let's Encrypt has taken users from them and they want them back, not caring about the cost. For me, this has only made me dislike them more than earlier.