Microsoft adds free root certificate authority to Windows

A couple of weeks ago some very interesting Windows news flew by under the radar that I think deserves much more credit than it received, considering how much we rely on the web and the impact this has on making it safer.

In the September 2009 update to the Windows Root Certificate Program, Microsoft added StartCom Ltd to the list of trusted root certificate authorities, notably the first member of the program that issues, among other products, free SSL digital certificates.

What this means in practice is that, out of the box in Windows 7 and, if the optional patch is installed, under Windows Vista and XP, digital certificates issued by StartCom, including the free ones, will be inherently trusted by the operating system and its applications.

Besides simple identification, the other benefit delivered by digital certificates is the ability to transparently encrypt and secure the connection to a server via HTTPS, and that is what makes what Microsoft did so notable.

Up until now the digital certificate market has been dominated by large corporations that charge quite a pretty penny for the privilege, which has limited the use of HTTPS. At the same time, because digital certificates depend on a chain of trust, the limited number of root certificate authorities (CAs) shipped in operating systems such as Windows has held back the adoption of the free digital certificates offered by companies like StartCom. Granted, Firefox and Safari have supported many of the certificate authorities issuing free certificates for some time, but Microsoft had not, until now.

With StartCom as a Windows root CA, web developers now have a practical free alternative for digital certificates if they wish to secure their websites or web services, one that by default works with Internet Explorer and other Windows applications.
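As an added example (not code from the original post), the following PowerShell script shows the two things the paragraphs above describe: whether a root CA such as StartCom is actually present in the Windows Trusted Root stores, and whether a given server certificate chains up to a root that Windows trusts. The chain check uses the .NET X509Chain class, which is the same machinery Windows applications such as Internet Explorer rely on when deciding whether an HTTPS certificate is trusted. The root-name pattern and the certificate file path are placeholder assumptions.

```powershell
# Added example, not from the original post. Checks whether a root CA is
# present in the Windows Trusted Root stores, then builds the chain of a
# server certificate to see whether it terminates in a trusted root.
# $RootNamePattern and $ServerCertPath are placeholder assumptions.

param(
    [string]$RootNamePattern = '*StartCom*',
    [string]$ServerCertPath  = 'C:\path\to\server.cer'   # placeholder path
)

# 1. Look for the root in the machine-wide and per-user Trusted Root stores.
#    Windows applications trust a certificate only if its chain ends here.
$roots = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root' |
    ForEach-Object { Get-ChildItem -Path $_ } |
    Where-Object { $_.Subject -like $RootNamePattern }

if ($roots) {
    $roots | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
} else {
    Write-Host "No root matching '$RootNamePattern' is in the Trusted Root stores."
}

# 2. Build the chain for a server certificate. X509Chain.Build() returns
#    $true only if every signature checks out, nothing is expired or revoked
#    (per the revocation mode), and the chain ends in a trusted root.
if (Test-Path -Path $ServerCertPath) {
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ServerCertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Check revocation (CRL/OCSP) online, as Internet Explorer does for HTTPS.
    # Use NoCheck instead when testing on a machine without network access.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online

    $trusted = $chain.Build($cert)
    Write-Host "Chain builds to a trusted root: $trusted"

    # Print the chain from leaf to root, then any status flags that explain a
    # failure (e.g. UntrustedRoot when the issuing CA is not in the stores above).
    $chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }
    if (-not $trusted) {
        $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation)" }
    }
}
```

Run it on an XP or Vista machine before and after installing the September 2009 root update: the first half reports whether the StartCom root is present, and the second half shows a StartCom-issued server certificate going from UntrustedRoot to a clean chain. Note that Internet Explorer can also fetch missing roots on demand from the Windows Update root list, so a browser may already trust a certificate that this offline check reports as untrusted.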

Not only is this great for developers, but even more so for users, who can look forward to more websites that encrypt the data they send and receive, reducing the risks of sniffing and man-in-the-middle attacks, especially when using wireless and public networks.

55 insightful thoughts

  1. This is great and everything but I deal with CAcert primarily and I am still waiting on them to finish the audits.

  2. Hey … this is very useful! I was looking into SSL encryption for the site that I’m building awhile back, but it looked like everything cost money. I had no idea that there was anyone giving it out for free, and for Microsoft to even partner with them? Sounds like a win-win situation. ^.^ Many thanks for letting us know!

  3. Great move by Bill … err, I guess we can’t refer to Microsoft as ‘Bill’ any longer can we? Still great move another positive step for the company. This must be tied to the W7 push for greater VPN support (Direct Access, etc).

  4. Hi Long, been a long (silent) watcher of your blog, but now I feel I should put in my bits about this.

    Are we really to be happy about this, or is this a double-edged sword? I mean from a security perspective. If it's so easy now to obtain a free certificate, I assume dubious characters on the Net will also find it easy to obtain one forthwith.

    Given that such a company like StartCom Ltd is doing it for free, I wonder how much energy they’ll put in verifying their registrations. I am afraid we may face an avalanche of bogus SSL/TLS encrypted sites trusted by default by Windows. This will end up breaking the TLS system.

    Personally, I don’t share your enthusiasm about this. I am pissed naturally that the big-wigs like Verisign etc are charging heaven and HELL for a bit of Bits; the Internet community should start a protest against these known CAs to reduce their charges. I still don’t see any reason why a certificate renewal should cost about $5,000.00 with Verisign. They can charge Banks and Wall Street that kind of amount, but they should also have an “almost” free service for the John Does of this world.

    1. Verisign started off as being free. It was well known back then and trusted, and I just went to get a Verisign cert and found it cost an arm and a leg. SSL being free did not jeopardize internet security then; it does not mean it will now. Should people have got up and boycotted Verisign then?

      I too am concerned about internet security but your argument is faulty based on them being free. Competition is good. Considering Verisign is now raping its customers, we need lower affordable prices.

  5. Does this include StartCom’s 29.99 USD level 2 product, which allows code signing?

    That would be great news. I wonder how long it will take for this to trickle down to enough systems to make startcom usable tho.

  6. @Fowl: Microsoft has added the whole of StartCom as a root CA so all their signed certificates are accepted.

  7. @Infinity: The issue of trust did occur to me as well but in the end I think this is no different to us trusting any other existing root CA in Windows. StartCom is a CA that offers all sorts of certificates and it is in their best interest to make sure the certificates they sign are valid – therefore, will go into whatever lengths they deem necessary to verify claims.

    Furthermore, the fact of the matter Microsoft has added them to Windows implies they trust them enough to issue certificates that are legitimate is a good sign StartCom is doing the right things.

  8. I’m not sure how Microsoft accomplished this, maybe some voodoo, but all my XP machines started to trust StartCom even without installing the September 2009 Root CA update. I think IE7 and 8 have a built-in mechanism that checks a list of valid CAs at MS when it encounters an unknown CA.

  9. Great! I only thought we could get a free personal signed certificate for email; wasn’t aware of StartCom’s free CA at all. Now only if they could extend their certificate validity period to some reasonable like 5 or 10 years. And I hope those router vendors start using it in their routers for HTTPS so I don’t f***king get an invalid certificate message every time I try to access the router web interface via HTTPS.

  10. Actually your “notably its first member who issues amongst others free Class 1 digital certificates.” is wrong.

    Comodo have been issuing free class 1 certificates for email signing for years from http://www.comodo.com/home/internet-security/secure-email.php

    And unlike Start, their systems work. I tried the Start offer – their web site has JavaScript errors under IE and relies on a certificate ActiveX control which doesn’t run under Win7. When I tried it a second time IE wouldn’t even talk SSL to it. Under Firefox, well, it doesn’t load at all.

  11. @barryd: Thanks for the heads up regarding Comodo. I’d argue though email-signing is only a subset of class 1 digital certificates and domain certificates are much more valuable.

  12. @barryd: Errr, you’re mistaken. StartCom’s free class 1 digital certificates are for both email and domain (SSL). For proof, I set up a certificate for this site. https://istartedsomething.com (you’ll see errors because my template links to non-HTTPS URLs).

  13. Hmm then they’re misusing class 1s. Class 1s are meant to identify an individual (and be limited to email), not a computer/domain/organisation. Generally Class 3 is for SSL.

    If they’re issuing class 1s that have the OID for server identification then they’re never going to get into the Mozilla root CAs and I’m surprised that MS are putting them into the Windows CRL.

  14. @barryd: Right. I think their definition of “class” is a little different to how Verisign defines the class. Nevertheless, it works and I’m just glad there is a free and practical solution for web developers to have HTTPS on their sites.

  15. Yea, if they’re issuing free SSL certs those are class 3 certificates, by everyone else’s definition.

    Regardless it won’t issue certs on Win7 right now!

  16. Firefox won’t even talk SSL for me to https://startcom.com once you get past the home page:

    SSL peer was unable to negotiate an acceptable set of security parameters.

    (Error code: ssl_error_handshake_failure_alert)

  17. (Sorry got the wrong URL, I did mean startssl.com). As soon as I press authenticate then bang.

    Which doesn’t fill me with much hope for using it.

  18. @barryd: Unless you have an account, you can’t click “Authenticate” since it checks for your personal certificate.

    You have to use “Sign up” or “Express Lane” first, during which it installs the certificate to your browser.

  19. You usually have some good calls. StartCom/StartSSL however was not one of them – their website was worse than useless.

    I know I will never look at them again, and chances are I will advise others to avoid them – in fact, I may well pull them out of my cert issuer’s list.

  20. I’m experiencing the same issue as BarryD. I use Express Lane and after they generate a private key for me I can no longer continue… I’m using Win 7 as well. 🙁

  21. We’ve been using StartCom free certs for the last 4 years on our MS OWA box, glad to see that we’ll no longer need to provide instructions for our users on how to add the StartCom root cert in IE! 🙂

  22. @ Long Zheng Thanks for a very nice article!

    @barryd Mozilla and Apple have supported the StartCom CA root for years already. StartCom is a trusted CA today in most browsers, Microsoft really has been closing the gap.

    @Xepol and barryd Regarding your web site problems. Make sure you run your browser as Administrator. Further, make sure that if you have an antivirus program, it doesn’t interfere with the cryptographic processes. We received various reports and found evidence that some AVs do exactly that. Finally, you might need to whitelist the startssl.com domain or use a different browser.

    @to all Enjoy your secured sites!

  23. Eddy -> Doesn’t explain why pages essential to the site’s operation (logon.ssl) report as unavailable under every browser and multiple computers.

    My experiences were universally bad. Regardless of browser, client OS and AV (on, off or just plain missing), the site just plain does not work at all in or out of administrator mode.

    Important pages that did load, did not work correctly and the browser reported fundamental scripting problems.

    Frankly, I found the whole experience to be seriously lacking in credibility. The same credibility that a cert issuer’s business is based upon.

    If asked for my opinion on the site – it will be negative in the extreme.

  24. @Xepol Came just by and saw your comment. I don’t want to misuse the blog of Long Zheng, nevertheless a short explanation:

    The authentication is only meant to be used once you have already registered. It requires a client certificate which is issued to you during registration. This is our only means to reasonably protect your account with all the validations you may have performed. Just imagine somebody cracked your password and got a certificate for your domain, or worse, impersonated you. Unlike all other certification authorities, no passwords are used at StartSSL and security has precedence over user experience.

    Unfortunately browsers have very bad implementations in case a client certificate is required to access a page, instead of informing about the error. We’ve set up a few FAQ entries here: https://www.startssl.com/?app=25#10 which explain more or less what happens. It’s obviously lame to pretend that the page doesn’t exist or some other weird message as if the site is broken. What’s really broken is that you don’t have the client certificate you need to authenticate. However we don’t have control over the browser’s way of reporting that to you.

    We had mixed results with some browsers regarding the cryptographic capabilities required to generate a certificate in the browser. Firefox works extremely well, most Explorers too. The latter appears to have some problems sometimes, some of which we could track to AVs interfering, some due to missing libraries on the system, JavaScript or VBScript disabled, and yet some due to other permission problems. Some browsers don’t have those capabilities or only partly (Chrome); Safari works, but has other bugs making it difficult to be used. I can understand your initial impression, but our support is always just an email away and certainly not a reason to give up on getting your sites and emails secured. I hope this helps.
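The failure mode described in the comment above, a page that requires a TLS client certificate and a browser that reports the missing certificate as a generic "cannot display the webpage", can be reproduced outside the browser. The following PowerShell function is an added example (not code from the original post, nor from StartSSL) that requests a page once without and once with a client certificate from the current user's personal store, and reports the HTTP status or the transport-level verdict from the WebException. The URL and thumbprint are placeholders, and the page is assumed to require client authentication.

```powershell
# Added example, not from the original post. Requests an HTTPS page with
# and without a client certificate so a missing-certificate failure can be
# told apart from a server that is actually down. $Url and $Thumbprint are
# placeholder assumptions; the page is assumed to require client auth.

function Invoke-ClientCertRequest {
    param(
        [Parameter(Mandatory = $true)] [string]$Url,
        [string]$Thumbprint   # cert in Cert:\CurrentUser\My; omit to send none
    )

    $request = [System.Net.HttpWebRequest]::Create($Url)
    $request.Timeout = 15000

    if ($Thumbprint) {
        # Only a certificate whose private key is present can be used for
        # TLS client authentication; IE-enrolled certs land in CurrentUser\My.
        $cert = Get-ChildItem -Path Cert:\CurrentUser\My |
            Where-Object { $_.Thumbprint -eq $Thumbprint -and $_.HasPrivateKey } |
            Select-Object -First 1
        if (-not $cert) { throw "No certificate with a private key for thumbprint $Thumbprint" }
        [void]$request.ClientCertificates.Add($cert)
    }

    try {
        $response = [System.Net.HttpWebResponse]$request.GetResponse()
        $result = "HTTP $([int]$response.StatusCode) $($response.StatusDescription)"
        $response.Close()
        return $result
    } catch [System.Net.WebException] {
        # Status is the transport/TLS verdict; Response is only set when the
        # server completed the handshake and answered with an HTTP error (403 etc).
        $ex = $_.Exception
        if ($ex.Response) {
            $code = [int]([System.Net.HttpWebResponse]$ex.Response).StatusCode
            return "HTTP $code ($($ex.Status))"
        }
        return "No HTTP response: $($ex.Status) - $($ex.Message)"
    }
}

# Placeholder values; replace with the protected page and your own certificate.
$protectedPage = 'https://example.invalid/account'
$myThumbprint  = '0000000000000000000000000000000000000000'

"Without certificate: " + (Invoke-ClientCertRequest -Url $protectedPage)
"With certificate:    " + (Invoke-ClientCertRequest -Url $protectedPage -Thumbprint $myThumbprint)
```

A server that insists on a client certificate typically shows up in the first call as a WebException with a SecureChannelFailure or ReceiveFailure status and no HTTP response at all, which is exactly what the browser collapses into its generic error page; a server that is down fails the same way with ConnectFailure, and a server that accepted the handshake but rejected the account answers with an HTTP status such as 403. Seeing which of the three you get tells you whether the certificate, the network or the account is the problem.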

  25. @Eddy: No worries. I welcome you commenting to help out others.

    I however had a flawless experience signing up/logging in myself with Windows 7 and Firefox 3.5. 🙂

  26. A quick response from me. I’ve long given up and deleted the authentication code email. I too see the same connection for the login page as well when I choose authenticate. This is not a 404, but rather “Internet Explorer cannot display the webpage” with no further information. You’re right – IE’s not being the most helpful here, one to punt to MS probably!

    Telling users to elevate IE is an interesting idea, however the MS Certification Services, which use the same ActiveX certainly do not need elevation. Also, depending on how you elevate (if you need to login as an administrator rather than use the UAC split token approach) then you’re going to be accessing a different user certificate store anyway, so the issued cert would go into the administrator account rather than the limited user account.

    Yes certificates are horrible, I deal with them a lot in my day job (and I’ve just finished reviewing the encryption chapters for my book). Client certificates are even more horrible than server ones, but blaming anti-virus or non-elevated browser when both Microsoft’s own certificate services and Comodo and Verisign’s issuance work without disabling AV or elevating the browser just doesn’t feel like a reasonable answer to me. Especially when you’re leaving it to the browser to catch the javascript errors and not presenting the user with something more friendly.

    Anyway, enough said. I gave up I’m afraid, I’ll stop using long’s comments to moan 🙂

  27. Just ran another few tests on MSIE 8 on Vista, Trusted Sites on, Protected Mode off, works as expected. So far we can’t reproduce your difficulties (it doesn’t mean they don’t happen though).

  28. Eddy Nigg. Ok first of all I think the fact that StartCom is providing free root-trusted certs is a very good thing and will help many of us developers. And I certainly will be willing to pay to get to an L3 validation so I can get a wildcard EV cert. However there is a flaw in your authentication method. If a client cert is issued at the time of the express checkout account creation this is all well and good. However if someone gets a new computer or has to reformat their machine, guess what, no more client cert. Does this mean they won’t be able to access their account anymore to get additional certs or to pay StartCom to get upgraded? Wouldn’t this represent a revenue loss for StartCom? I’m working on a project now that is entirely server-side. I am using many proprietary methods for authentication without having to rely on any client code or certs.

  29. Hey Doctor, lets Go… 😉

    Client certificate authentication is no flaw, StartCom decided that this is the only means for protecting subscriber accounts sufficiently, their information and possible validations. Just imagine somebody would gain access to your account and request a few certificates of the domains you already validated…or even worse impersonate you.

    However it is correct that client certificates must be treated with care; it’s a responsibility placed onto our subscribers. It’s your responsibility to create an adequate backup of your certificate – you can take it with you, move it around, import it into other browsers and systems, remove it when you are done. Obviously there are smart cards and reader-less USB tokens which are extremely helpful for this task, but a simple disk-on-key will do as well. See this item on how to backup your keys from the browser: https://www.startssl.com/?app=25#4
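The backup the comment above asks subscribers to make can be scripted on Windows when the client certificate was enrolled through Internet Explorer, because IE keeps it in the Windows personal certificate store rather than in a browser-private database as Firefox does. The following PowerShell functions are an added example (not code from the original post or from StartSSL's own FAQ) that export a client certificate together with its private key to a password-protected PFX file and import it into the personal store on another machine or user account, which is the scenario of a reformatted PC raised in the thread. The thumbprint and file path are placeholders.

```powershell
# Added example, not from the original post or StartSSL's instructions.
# Backs up a client certificate together with its private key to a
# password-protected PFX file, and restores it into the personal store on
# another machine or account. $Thumbprint and $BackupPath are placeholders.

function Backup-ClientCert {
    param(
        [Parameter(Mandatory = $true)] [string]$Thumbprint,
        [Parameter(Mandatory = $true)] [string]$BackupPath,
        [Parameter(Mandatory = $true)] [System.Security.SecureString]$Password
    )
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\CurrentUser\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; the backup could not be used to authenticate" }

    # Export() throws if the key was generated as non-exportable; in that case
    # the key cannot leave this machine and a new certificate must be requested.
    $pfx = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    $bytes = $cert.Export($pfx, $Password)
    [System.IO.File]::WriteAllBytes($BackupPath, $bytes)
    return $BackupPath
}

function Restore-ClientCert {
    param(
        [Parameter(Mandatory = $true)] [string]$BackupPath,
        [Parameter(Mandatory = $true)] [System.Security.SecureString]$Password
    )
    # Keep the key exportable so it can be backed up again later, and persist
    # it so the imported key survives the end of this PowerShell session.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable -bor
             [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $BackupPath, $Password, $flags

    $location = [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', $location
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($cert)
    $store.Close()
    return $cert.Thumbprint
}

# Placeholder usage; the password is prompted so it never sits in a script file.
$pw = Read-Host -Prompt 'PFX password' -AsSecureString
Backup-ClientCert -Thumbprint '0000000000000000000000000000000000000000' -BackupPath 'E:\startssl-client.pfx' -Password $pw
# On the new machine or account, after copying the PFX file across:
# Restore-ClientCert -BackupPath 'E:\startssl-client.pfx' -Password $pw
```

The PFX file is the account credential in this scheme, so it belongs on removable media or a token as the comment suggests, not in a synced folder; and because Restore-ClientCert imports into CurrentUser\My, it has to be run as the same Windows account that will later run the browser, which is also why elevating to a different administrator account, as discussed earlier in the thread, ends up with the certificate in the wrong store.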

  30. hey-ho! thanks a lot for this information. Now I have own free SSL certificate that works with Windows well. Suddenly webdav, https, and vpn began to work. 🙂

  31. For the predominant number of start-ups, like myself and smaller organisations and sites, the fees charged by the likes of Thawte and Verisign (although trusted and consumer recognised) are out of the financial reach for the many similar sized organisations. So Free SSL Certificates are really taking off in an open source battle. I know Startcom for example has had a lot of support from Microsoft recently, with the IE browser closing the gap on the support of SSL certification already at hand from rival browsers such as Firefox, Safari, Chrome etc.

  32. The startssl website is just not user-friendly; I must have signed up over 6 times. Each time, I did something else it didn’t like. Many times ‘Page could not be displayed’ and just when I think I’m about to get my certificate, I get an email saying it has been revoked. I will not try anymore, after all the wasted time. startssl may be ready, but their delivery method is not ready for prime time. I am removing them from my trusted certs; the whole process was ‘mickey mouse’. GET A REAL CERT, PEOPLE, or get some Tylenol.

    1. @Edison: You really should talk to Eddy about your experiences. I found him incredibly helpful – you are right the startSSL website is a bit clunky, but heck, have you tried Verisign/Thawte’s site (which has just had an overhaul)? They (Thawte) were still using the original interface that Mark Shuttleworth wrote back in the days before selling to Verisign.

      The point I am making is you now have a viable lower-cost alternative that is a REAL certificate. It really irritates me when people add the sort of comments and inferences that you just have when in reality there are thousands of people who navigate startSSL’s site just fine (as you can tell from the comments on this post). I think your inability to do so is related to a skill problem on your side coupled with an inability to ask for help. It is really just your loss (the fee you will be paying to the other ones) and your choice to do so to compensate for your inability to work with the startSSL site.

      Thanks for sharing tho.

  33. I’ve used several different SSL companies over the years and I can honestly say that http://www.clickssl.com has the absolute best customer support of the bunch. I purchased a Geotrust True Business ID and made a mistake when generating the CSR. I was pleasantly surprised when live chat support immediately responded with live chat support (late at night) and began the process to resolve the issue. This is one of the few companies I’ve dealt with that is actually there for you 24/7. Because their prices are so low, I expected service to be compromised.

    1. Seems to be a shameful plug!
      Thanks for the FREE SSL certificates StartCom. Very much appreciated.

  34. I’ve been using a self-signed CA for years now to issue cert to my (at home, yeah, I know, weirdo) Exchange install. Means trusting that cert from a variety of other machines. Kinda lame. And as far as I can tell impossible on new Windows phones – it appears you’re stuck using “real” CAs. So finding this was a Good Thing. I believe I’ve now got a “real” cert attached to my email server and it appears to work from a variety of machines. But the phone still chokes.

  35. Hi all ***novice alert*** please roll your eyes and curse under the breath now.

    Dear Long Zheng, is there any place you could point to for creating step by step self signed SSL/TLS certs for dummies on Win 7 64 bit? Yes I am and I have searched the net but the more I dig the more confusing it becomes. Reason I am bothering you is perhaps you know a better set of docs that walks through such creation.

    Thank you in advance,

    S
