
cacert-de - Re: Lie about StartSSL

Subject: German-language CAcert Support List


Re: Lie about StartSSL

  • From: Michael Tänzer <michael.taenzer AT>
  • To: cacert AT
  • Cc: cacert-de AT
  • Subject: Re: Lie about StartSSL
  • Date: Sat, 20 Mar 2010 01:50:32 +0100
  • Authentication-results:; dkim=pass (1024-bit key) header.i= AT; dkim-asp=none
  • Openpgp: id=9940BEF1

Hi Nik,

Dominik George wrote:
> a few days ago, I stated that StartSSL was generating private keys
> server-side. This news was published by Heise and not verified well enough
> by me (however, it looked as though they did it, because that stupid WebKit
> browser which must not be named did not look like being busy).
> Heise demented the article a few days later, so do I, as after another
> verification, StartSSL does not seem to have comparable security leaks.

Disclaimer: I never used StartSSL, I'll probably never do. The following
is in reliance on screenshots on

Yes, client certs are always generated in the browser but according to
the following screenshot generating the private key of server certs on
the server side seems standard for them (you need to explicitly skip it);bild=6

Could someone verify this claim (e.g. HTML source code of the page the
screenshot is referring to)? I would do it myself but I really don't
want to create an account with them.

Michael Tänzer
CAcert Support Team Leader

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
