Is StartSSL.com a trustworthy site?

[This answer was true in June 2016. It is not in $NOW; see Wikipedia.]


Yes, StartCom is a legitimate Certificate Authority.

On the plus side, they were at one time the only provider which would hand out free SSL certificates which were recognized by the major browsers. (There's competition now in Let's Encrypt).

On the minus side, their web site design and implementation is clunky, non-intuitive, and lacks pretty.

(The danconnor link @ZN13 provided appears to be someone who wanted more pretty and didn't expect rigidity out of the CA process...........

............you should expect rigidity out of the CA process.)


StartCom was perfectly legitimate while they still operated, but they are no longer trusted by browsers. As of early 2018, they are completely defunct and have stopped issuing certificates.

At the time when the question was asked, StartSSL/StartCom was a Certificate Authority like any other. My original answer explaining this in detail is shown below.

However, @Jacob C notified me that StartCom is no longer trusted by browsers.

The simple reason was that they (that is, StartCom and WoSign, which were the same company) violated several requirements for CAs and misissued invalid/rogue certificates, so major browser vendors distrusted these certificates in 2016.

As of the end of 2017 they seem to operate again under a different domain. They still tried to get included in Firefox, etc. again.

Another update: Later, StartCom announced it was giving up. A Cure53 audit was required to get back into the root store, but Cure53 said the audited PHP "was full of holes, poorly commented, had few or no tests, and showed every evidence of being hacked together in an enormous rush". It "was frankly a security disaster."

They'll stop business on 2018-01-01.


Outdated answer:

Yes, StartSSL belongs to StartCom, a legitimate certificate authority.

Here are some points by which one can tell it is a legitimate site:

  • They use an EV certificate.
  • As they are a CA, they of course signed the EV certificate themselves, and as the HTTPS connection succeeded, you also know your browser trusts that CA.
  • They have a Wikipedia article.
  • There is also some evidence on Twitter about this CA (with its bad English skills) and the message... And you can also find a lot of guides for free certificates which describe how to get and install StartSSL certs.
  • You may also search a snippet of the mail.

FYI: AFAIK this mail was only sent to customers who registered at StartSSL, so you certainly used their service at least once - or at least registered there. I doubt that they would send spam mails to random addresses.

BTW: Their web interface has been much uglier recently. They had already been improving it.