It is, however, ridiculous that DigitalOcean (a quite popular VPS provider) advises innocent webmasters to generate it in the browser with no mention of how insecure this is.
I agree that there's a very slim chance, realistically, of this being exploited. But StartSSL doesn't have to be hacked for a user to be MITM'ed and served malicious JS. Especially given that their site (at least the homepage) loads over plain HTTP.
I've had no problem using StartSSL for personal projects. Free trusted certificates, and as madsushi says you should generate your own key and CSR, just as you would for any premium certificate authority.
... does nobody here understand what StartSSL is doing?
Guys, they're giving you a certificate to identify yourself with. You add it in your browser. You go to their website, and you don't need a username or password to log in. This certificate is much more secure than normal credentials.
Is the concept of authentication without a username+password that lost on you? It's like an SSH key except your username is embedded in it, too.
I had used StartSSL years ago and forgot about this. Not reading all the text, I expected the usual login/password prompt and hoped for a "reset password" form. Getting a browser SSL error interrupted that flow.
Now that I know, it makes more sense, but I'm going to take the position that this is a UX fail. Whether the browser's (which didn't even prompt me for a cert) or StartSSL's (who could've made this clearer), I don't know.
Any input action that you do on their site will direct you to SSL. Though they should probably use HSTS and redirect all their users beforehand.
>I get a TLS fail (ssl_error_handshake_failure_alert)
That happens to me when I am on one particular provider myself. It concerns me that those providers are doing something with https connections causing them to break on their site.