Apparently, they also sent out an e-mail with the same text to their customers, with an addendum that they are going to try to get a certificate for each customer with other CAs, and that to opt-out, one has to send them an e-mail.
I found that addendum quite strange. Such a thing should be opt-in, in my opinion.
> This is an automatically generated email, please do not reply.
>
> Dear customer,
>
> As you are surely aware, the browser makers distrusted StartCom around a year ago and therefore all the end entity certificates newly issued by StartCom are not trusted by default in browsers.
>
> The browsers imposed some conditions in order for the certificates to be re-accepted. While StartCom believes that these conditions have been met, it appears there are still certain difficulties forthcoming. Considering this situation, the owners of StartCom have decided to terminate the company as a Certification Authority as mentioned in Startcom´s website.
>
> StartCom will stop issuing new certificates starting from January 1st, 2018 and will provide only CRL and OCSP services for two more years.
>
> StartCom would like to thank you for your support during this difficult time.
>
> StartCom is contacting some other CAs to provide you with the certificates needed. In case you don´t want us to provide you an alternative, please, contact us at certmaster@startcomca.com
>
> Please let us know if you need any further assistance with the transition process. We deeply apologize for any inconveniences that this may cause.
In the email I received, it's a non-ASCII apostrophe encoded in UTF-8. The email headers say "Content-Type: text/html; charset=iso-8859-1", but then the HTML body says "<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>". Clients that give preference to the header will get it wrong.
Yes, the header should match the body encoding, but it doesn't necessarily have to; that is in part what the <meta http-equiv> tag is for; it may be interpreted as saying "the value of header is potentially wrong, use this value instead" (of course, the thing says "http-equiv", and in an email, it isn't an HTTP header, it is a MIME header!)
In HTML4/XHTML1, the <meta http-equiv> isn't meant to be interpreted by the user agent; the HTTP server is supposed to parse it and set the HTTP header accordingly.
Of course, the people writing the (X)HTML probably have a better idea of what encoding they're using than the people configuring the HTTP server, so it's common for user agents to allow <meta http-equiv> to override the actual header, as it allows more things to work "correctly" for users. But, strictly speaking, that is non-conforming.
In (X)HTML5, that practice was codified, and the <meta http-equiv> tag is given preference over the actual headers (for a whitelist of allowed headers).
So, which interpretation is "correct" depends on if it is HTML4/XHTML1 or (X)HTML5.
Now, the MIME type of the email body said "text/html" which can be anything, and the body used the HTML5 doctype, but specified the XHTML1 xmlns. I'm honestly not sure which interpretation is correct in that case.
ISO-8859-1, aka "Latin 1" is a single-byte encoding but it represents the Unicode codepoints 0-127 (ASCII) in exactly the same way as UTF-8. This is a legacy of Microsoft Windows.
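The header/body charset disagreement discussed in the comments above, as an added example that is not part of the original thread: it parses a constructed message and shows how the same bytes render under each declared charset. The sample message, the sender address and the helper names are assumptions made for the illustration.

```python
import re
from email import message_from_bytes

# Constructed sample: the MIME header says iso-8859-1, but the body bytes are
# UTF-8 and the HTML <meta> declares utf-8 (the mismatch described above).
RAW = (
    b"From: sender@example.invalid\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"Content-Transfer-Encoding: 8bit\r\n"
    b"\r\n"
    b'<html><head><meta http-equiv="Content-Type" '
    b'content="text/html; charset=utf-8"/></head>'
    b"<body>In case you don\xc2\xb4t want us to</body></html>\r\n"
)

# Matches charset=... inside a <meta> tag (http-equiv or HTML5 short form).
META_RE = re.compile(rb'<meta[^>]+charset\s*=\s*["\']?([A-Za-z0-9_.:-]+)', re.I)


def charset_report(raw: bytes) -> dict:
    """Compare the MIME header charset with the one declared in the HTML body."""
    msg = message_from_bytes(raw)
    body = msg.get_payload(decode=True)      # undoes the transfer encoding only
    header_cs = msg.get_content_charset()    # from the MIME header, lowercased
    m = META_RE.search(body)
    meta_cs = m.group(1).decode("ascii").lower() if m else None
    try:
        body.decode("utf-8")
        valid_utf8 = True
    except UnicodeDecodeError:
        valid_utf8 = False
    has_high = any(b > 0x7F for b in body)   # pure ASCII decodes the same either way
    return {
        "header": header_cs,
        "meta": meta_cs,
        "mismatch": bool(header_cs and meta_cs and header_cs != meta_cs),
        "likely_utf8": valid_utf8 and has_high,
        "as_header": body.decode(header_cs or "ascii", "replace"),
        "as_meta": body.decode(meta_cs or "ascii", "replace"),
    }


if __name__ == "__main__":
    for key, value in charset_report(RAW).items():
        print(f"{key}: {value!r}")
```

A client that trusts the header renders the two UTF-8 bytes of the apostrophe as two Latin-1 characters; a client that trusts the `<meta>` tag renders one.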
Thank you very much for pointing out about the opt-out crap. I also got the email but I didn’t bother to read past the first paragraph because I stopped using them as soon as I switched to Cloudflare for my certificates.
I always hated their interface but as a broke high school student I couldn’t afford to have a paid certificate. Thankfully we have Let’s Encrypt now.
I have received a follow-up email from them in a very timely manner:
> Hi,
>
> Sure, we will record your user ID and your details won't be transferred to other CA, as the alternative CA option is for those who need it.
>
> Best regards,
> StartCom Certification Authority
I have no idea if 'Turk Trust' is even a real CA or if you made up the name in jest. I'm honestly scared to Google it and find out, in slight fear of finding out that is an actual CA. (Not to get too political here, but given Turkey's current government, I'm not sure how anyone in their right mind would 1- trust them to say or do _anything_, and 2- trust SSL encryption certs coming out of there)
I had an interesting experience with these guys. About 3 years ago I registered the domain "getmoneymakemoney.com" and got a free StartSSL cert from them. Three days later they revoked it because they said the domain sounded like a scam site. I called them and tried arguing to no avail. I said it was just an adaptation of a line from a rap song and hosted my personal blog (which it did!) but they didn't care. Go figure. Never understood why they cared so much about my site but then accrued all the negative publicity they did.
Note that these are not the same people. StartCom was sold to WoSign, and it is WoSign who terminated StartCom business after ruining the StartCom name. StartCom actually tried to be good net citizens.
I've had a similar experience. It turned out my (four letter) domain is one letter away from some other domain and was detected as typosquatting. The only way to get a certificate from them would be to undergo Extended Verification.
I've met a lot of dealers and I am still waiting for my free coke...
Free certificates were free, no trick. Of course they recommended their paid offer, but there is nothing wrong with that.
You may argue that StartSSL turned some webmasters into https addicts, but it is not exactly a bad thing, is it? Remember that Let's Encrypt didn't exist back then.
You’re thinking of other drugs with intensely addictive properties, like heroin. Cocaine is way too expensive to hand out much more than a free bump or two, maybe a line, and that’s not necessarily enough to addict someone. Some people can do all the blow they want and not get addicted at all, which is obviously not a good RoI for the dealer.