False StartCom vulnerability report
Mar. 22, 2016
Eilat, Israel - 22nd Mar. 2016.
StartCom yesterday received a vulnerability report via a blog post on the Internet. Upon investigation of the claimed vulnerability, it appears that the report contains several mistakes:
- The email address used to verify the domain name is listed in the WHOIS records of the domain name and is therefore eligible for the validation procedure according to the StartCom Certificate Policy and the various requirements set forth by the CA/Browser Forum and software vendors. Email addresses not eligible for domain name control validation are rejected and not used during the verification procedure.
- Claims made about wrongful issuance of digital certificates by StartCom in 2011 are incorrect; they are attributed to a competing certificate authority and not StartCom.
We appreciate the diligence of our subscribers and always welcome any vulnerability report sent directly to us. Public posts, however, should be researched carefully and preferably confirmed with us before publishing.