Web site owners who depend on SSL certificates issued by StartSSL either have been, or soon will be, in for a nasty surprise! Sometime last week, we started noticing that Firefox would, in some cases, no longer load https://sbpro.io/. The issue was initially reported by one of our developers; however, when trying to reproduce it on my end, I was not able to. Therefore, I brushed it off as a freak incident rather than a serious issue. A few days later, customers started to report the same thing. Some reports were about the site no longer loading in Firefox, others about the site having issues in Chrome.
Firefox displayed an error stating the certificate had expired, and Chrome was saying it was invalid. Upon investigating, I quickly found out the certificate was indeed still valid and had not been revoked (which was my first thought). Then, after accessing my StartSSL account, I noticed the following:
The notification was hidden below a bunch of other, rather unimportant and unrelated, notifications and was therefore not spotted immediately. After searching around on Google, I quickly found a number of sites reporting on the issue. Apparently, as indicated by the following excerpt, the measure would only affect newer certificates, and older ones should be safe for now:
We plan to distrust only newly-issued certificates to try and reduce the impact on web users, as both of these CA brands have substantial outstanding certificate corpuses. Our proposal is that we determine “newly issued” by examining the notBefore date in the certificates.
We dealt with the issue by moving the SB Pro site to the Cloudflare platform, which conveniently comes with a free SSL solution (in addition to other useful features).
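Since the distrust is keyed on the certificate's notBefore date, the practical question for any site owner is simply "who issued my certificate, and when?". The following script is an added example (not part of the original post) that answers that from the dict Python's `ssl` module returns for a peer certificate; the sample certificate dict, the issuer string "StartCom" and the cutoff date are constructed placeholders, not values from the page, and the real cutoff must be taken from the browser vendor's announcement.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by SSLSocket.getpeercert().
# The values are illustrative only, not a real StartSSL certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "issuer": ((("organizationName", "StartCom Ltd."),),
               (("commonName", "StartCom Class 1 DV Server CA"),)),
    "notBefore": "Nov  1 00:00:00 2016 GMT",
    "notAfter": "Nov  1 00:00:00 2017 GMT",
}

def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert() dict, or ''."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def not_before_utc(cert):
    """Parse the certificate's notBefore field into a UTC datetime."""
    secs = ssl.cert_time_to_seconds(cert["notBefore"])  # handles 'Nov  1 00:00:00 2016 GMT'
    return datetime.fromtimestamp(secs, tz=timezone.utc)

def is_affected(cert, cutoff, issuer_keyword="StartCom"):
    """True if the cert was issued by the named CA brand on or after the cutoff.
    cutoff is an ISO date string (YYYY-MM-DD); the browsers distrust only
    certificates whose notBefore falls on or after the announced cutoff."""
    cutoff_dt = datetime.strptime(cutoff, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    same_brand = issuer_keyword.lower() in issuer_org(cert).lower()
    return same_brand and not_before_utc(cert) >= cutoff_dt

def fetch_peer_cert(hostname, port=443, timeout=5):
    """Fetch the leaf certificate a live server presents, as a getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    CUTOFF = "2016-10-21"  # PLACEHOLDER: substitute the cutoff date from the vendor announcement
    cert = SAMPLE_CERT     # or fetch_peer_cert("sbpro.io") to check the live site
    print("issuer:", issuer_org(cert), "notBefore:", not_before_utc(cert).date())
    print("affected by distrust:", is_affected(cert, CUTOFF))
```

Run it against the live host by replacing SAMPLE_CERT with fetch_peer_cert(); a certificate that reports the named issuer and a notBefore on or after the cutoff is the one the browsers will reject, regardless of its notAfter or revocation status.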