chachazz
Premium Member
join:2003-12-14

Mozilla - Distrusting New WoSign and StartCom Certificates

Mozilla Security Blog - October 24, 2016
quote:
Mozilla has discovered that a Certificate Authority (CA) called WoSign has had a number of technical and management failures.

Most seriously, we discovered they were backdating SSL certificates in order to get around the deadline that CAs stop issuing SHA-1 SSL certificates by January 1, 2016.

Additionally, Mozilla discovered that WoSign had acquired full ownership of another CA called StartCom and failed to disclose this, as required by Mozilla policy.

The representatives of WoSign and StartCom denied and continued to deny both of these allegations until sufficient data was collected to demonstrate that both allegations were correct.

The levels of deception demonstrated by representatives of the combined company have led to Mozilla’s decision to distrust future certificates chaining up to the currently-included WoSign and StartCom root certificates.

Specifically, Mozilla is taking the following actions:

...continue reading.
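The quoted post names two things a relying party can look for in a certificate it already holds: the issuer (anything chaining to the WoSign or StartCom roots) and a SHA-1 signature whose notBefore sits before the January 1, 2016 cut-off, which is exactly the field a backdating CA would forge. The script below is an added example and is not part of this thread or of Mozilla's tooling. It uses only the Python standard library, contains a minimal DER reader for the fields it needs, and builds its own constructed sample certificates with placeholder key and signature bytes (no real key, nothing is cryptographically verified); the issuer names and dates in it are hypothetical. The backdating finding is deliberately phrased as "compare with CT log timestamps", because notBefore alone cannot prove when a certificate was really issued.

```python
"""Added example: audit a DER certificate for the issues named in the Mozilla post.
Standard library only; sample certificates are constructed here with placeholder signatures."""
from datetime import datetime, timezone

SHA1_DEADLINE = datetime(2016, 1, 1, tzinfo=timezone.utc)   # CAs had to stop issuing SHA-1 by this date
DISTRUSTED_ISSUERS = ("WoSign", "StartCom")                  # roots Mozilla announced it would distrust
OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
OID_CN = "2.5.4.3"


# ---- minimal DER encoder, used only to build the constructed sample certificates ----
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:                                          # long-form length
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:                            # base-128, high bit set on all but the last byte
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def name(cn):
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue { OID, UTF8String }
    return der(0x30, der(0x31, der(0x30, oid(OID_CN) + der(0x0C, cn.encode()))))


def utctime(dt):
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())


def sample_cert(issuer_cn, sig_oid, not_before_iso):
    """Constructed (hypothetical) certificate: real X.509 layout, placeholder key and signature."""
    nb = datetime.fromisoformat(not_before_iso).replace(tzinfo=timezone.utc)
    alg = der(0x30, oid(sig_oid) + der(0x05, b""))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                      # [0] version v3
              + der(0x02, b"\x01")                               # serialNumber
              + alg                                              # signature algorithm
              + name(issuer_cn)                                  # issuer
              + der(0x30, utctime(nb) + utctime(nb.replace(year=nb.year + 1)))  # validity
              + name("example.test")                             # subject
              + der(0x30, der(0x30, oid("1.2.840.113549.1.1.1") + der(0x05, b"")) + der(0x03, b"\x00")))  # dummy SPKI
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))         # signatureValue is a placeholder


# ---- minimal DER reader ----
def read_tlv(buf, pos=0):
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def decode_oid(body):
    parts, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def common_name(name_body):
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, t), (_, v) = children(atv)
            if decode_oid(t) == OID_CN:
                return v.decode()
    return None


def audit(cert_der):
    """Return issuer CN, signature algorithm, notBefore (ISO) and a list of findings."""
    _, cert, _ = read_tlv(cert_der)
    fields = children(children(cert)[0][1])        # TBSCertificate fields
    if fields[0][0] == 0xA0:                       # explicit version is optional
        fields = fields[1:]
    (_, alg), (_, issuer), (_, validity) = fields[1:4]
    sig_oid = decode_oid(children(alg)[0][1])
    sig = OIDS.get(sig_oid, sig_oid)
    issuer_cn = common_name(issuer) or ""
    nb_raw = children(validity)[0][1].decode()
    not_before = datetime.strptime(nb_raw, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

    findings = []
    if any(ca.lower() in issuer_cn.lower() for ca in DISTRUSTED_ISSUERS):
        findings.append("issuer is a WoSign/StartCom CA: future certs under these roots are distrusted")
    if sig == "sha1WithRSAEncryption":
        findings.append("SHA-1 signature")
        if not_before < SHA1_DEADLINE:
            # notBefore is CA-asserted and can be backdated; CT log timestamps settle the real issuance time
            findings.append("SHA-1 cert claims pre-2016 issuance: compare notBefore with CT log timestamps")
    return {"issuer_cn": issuer_cn, "signature": sig,
            "not_before": not_before.isoformat(), "findings": findings}


if __name__ == "__main__":
    for cn, alg, nb in (("WoSign CA Limited", "1.2.840.113549.1.1.5", "2015-12-20"),
                        ("Example Root CA", "1.2.840.113549.1.1.11", "2016-10-24")):
        print(audit(sample_cert(cn, alg, nb)))
```

To run this against a real certificate, feed `audit()` the DER bytes of a file saved from a browser or from `ssl.get_server_certificate()` (converted with `ssl.PEM_cert_to_DER_cert()`); the reader only walks the fields it needs and makes no attempt to validate the signature, so treat it as a triage check, not a trust decision.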

Chubbzie
Member
join:2014-02-11
Greenville, NC

A BIG thank you to the Mozilla Security team for making the right decision, much respect.

chachazz
Premium Member
join:2003-12-14

"My name is Itzhak Daniel, during 2015 I was an employee of StartCom.
I don't speak on behalf of StartCom. I believe companies that are responsible for securing our internet should be transparent regarding their activities and who stands behind them."

There are several posts about this issue in Daniel's blog if you drill down ...»www.percya.com/search?up ··· sults=19

F100
Member
join:2013-01-15
Durham, NC
Alcatel-Lucent G-010G-A
(Software) pfSense
Pace 5268AC

So I am/was using startcom certs for basic home stuff like my test exchange server and my pfSense router. I just recently had to renew my access cert for my account. And my exchange server just expired. Ironically, I got voicemails from someone about these certs. I believe they were from startcom but I haven't investigated exactly who they were from. Getting a call about an expiring cert never happened before as I've never paid them to do any kind of identity verification.

Any suggestions on what to use now? I'm not sure that I want to use Start SSL for anything from here on out. I've briefly checked out Let's Encrypt. But aren't those certs just 3 months at a time and then you have to renew? I know there is a tool that renews it, but I'm not sure that I want to set that up on Windows Server. Or my pfSense box either.

I've paid for the cheapest cert from Godaddy in the past but I really don't want to do that again either if I can help it.

lawsoncl
Member
join:2008-10-28
Spirit Lake, ID

to Chubbzie
said by Chubbzie:

A BIG thank you to the Mozilla Security team for making the right decision, much respect.

Don't pat them on the back just yet. It took them 2 years to pull the StartCom root certs after people started complaining about them on the Mozilla forums. This includes crap like StartCom charging $25 to revoke a certificate.

Now if we can just get Mozilla to stop including all the other questionable certs, like the other ones owned by the Chinese or other hostile governments. They're as bad as Microsoft for silently adding trusted root certs.

Chubbzie
Member
join:2014-02-11
Greenville, NC

My statement is in direct correlation with Moz Sec team's decision for this particular debacle.