While I had heard about the frog and the scorpion story in the past, I didn’t realise the analogy with the current CA/browser summit occurring shortly. I’ve been throwing out some mailing list posts to the mozilla groups as well as some private emails trying to gain more information about who’s going to be attending, how open and freely the information will be after the fact, so on and so forth and I’ve not been given any straight or useful answers to date.

For example I received an email from Steve @ Comodo in response to one of my questions about attendance, his reply was that he wasn’t going to tell me and that it was up to the PR department of companies involved to make this public knowledge. So far I have next to nothing to go on and I’m being told it’s a public relations issue? Either this is a PR stunt to make it look like everyone is doing something about current issues, or there is some pretty major ulterior motives being acted out upon (which leads me back to the story on the frog and the scorpion).

The frog and the scorpion are stuck on a small island in a rising flood, looking at the bank.

The scorpion says, “you know, you could swim to the other bank.” The frog says, no, I can’t see where to go when I’m swimming. So the scorpion says, “well, I’ll ride on your back and tell you where to go.”

No, you’ll sting me, says the frog. “Ah, no, I won’t sting you because it is in my interest to get to the other side. I promise you I’ll not sting you.”

Oh, ok, says the frog, so the scorpion climbs on the frog and off they go. As they are swimming
along, the frog kicking and the scorpion directing, suddenly, the frog feels a burning sensation in his side, and realises that he’s been stung.

Not understanding why the scorpion would sting him when they were only half way across, as the
paralysing freezes his body, he gasps out “Why??”

As the frog sinks under the scorpion, with confusion in his eyes, the scorpion gargles out his last words too. “It’s in my nature…”

I will mention here I don’t think “everyone” is out to get us, or that anything they can cook up will effect us, but it just flys in the face of what F/OSS and in turn what the Mozilla Group is supposed to stand for, that is open source and being able to see the code to see if there is any security issues, why aren’t their other policies on this matter so liberal? After all aren’t they supposed to be looking out for the interests of their community first, how can the community at large make any kind of informed choices/decisions if people in the Mozilla Foundation aren’t forth coming with what I’d consider fairly important information about what may effect all their users in future.

An announcement came through on the mozilla security newsgroup by Gervase Markham, who is a developer with the mozilla foundation, that there will be a meeting on the 17th of this month in NYC, with most of the major CAs, browser vendors and other interested parties (note at no point was an invitation ever extended to myself or CAcert as an organisation).

Now I have no reason to believe there is anything sinister about Gervase’s motives, however I long since worked out, most vested interests in better protecting people’s security and privacy only stem from what they stand to gain from it, or in some cases what they stand to not loose such as their freedom from being sent to jail for corporate corruption and scandals.

So we must ask ourselves what does a bunch of CAs and browser vendors stand to gain from better identifying users on the internet? In mozilla’s case they stand to potentially increase the browsing experience for their users, but why would a commercial CA instigate these proceedings?

In any case, Gervase’s post to his website on his thoughts are worth the read.

Sent in to me by Gary —

I am interested in computer security. I have been ever since I worked at what was Coopers & Lybrand in their Computer Audit Assistance Group in the 1980’s. Their have been at lot of changes since then, but I think there are a couple of areas were we have not made much progress.

We have virus checkers and we have spam checkers. Microsoft has improved security so much that popular humor columnist Dave Barry wrote that with their security features enabled, it was impossible to either send or receive email. Security for the “corporate” environment has improved, well at least the entire mail system is not being shut down these days by script viruses, but no one is looking out for the needs of the small business and home user.

I have the ability to send digitally signed and encrypted email. I have had it for years. Every year, I test it to make sure I still know how to use it. I thought, maybe, if I used a secure method to identify myself, people might not be afraid to open my emails, but hardly anyone uses digital signatures or encryption. When we check our email, we are told we only open mail from entities you trust. We trust what we see. Despite the fact that we are told how easy it is to generate fake emails.

The protections against Identity Theft and fraud are a joke. Last month in the Boston Globe, two reporters wrote how they forged each others identity and had fraudulent credit cards in days.

There are computer security and identity mechanisms which can be used to help protect us. I wish people would start using them.

There are quite a few firms that offer help in these area. My opinion is that, unfortunately, most of them are more interested in exploiting computer security for profit than in making computers more secure. The same goes for identity theft. Until we get financial institutions more interested in protecting our identities than in how many new cards they can issue, we are in trouble.

Wide spread adoption of computer security and identity management is required and that is not going to happen unless there are some major changes.

There are a few organizations that are trying to promote a more “trusted computing” environment.

There is the free thawte web of trust at http://www.thawte.com/wot/ for acquiring personal email certificates.

There is a more extensive effort by the folks at CAcert.org. They offer free digital certificates for a variety of purposes. I was certified by a member of their board of directors. I am a Notary Public in Massachusetts. In my opinion, CAcert’s free certification process is just as valid as the State of Massachusetts.

I have looked into getting certificates from other sources, however, when they tell me its $400.00 (or $600 or more) per year I don’t pursue it, but their certification and approval process is basically the same. And I am pretty sure the person who would approve me, is sort of like me, but with a few more restrictions on what he could do. Restrictions like if the payment clears and the person has no outstanding felony warrants in the local police jurisdiction, he gets a certificate. So what, he also wants to take flight lessons (but just for taking off, landing is not necessary), that’s not my problem.

Quite honestly, given the shafting the public has gotten from such corporate stalwarts as Enron and Worldcom, I am more inclined to trust the little guys.

When I worked at Coopers and Lybrand (PriceWaterhouse Coopers in its current incarnation) I worked on a little project evaluating a manufacturing software package for its security features. As it turned out, my assessment got me into hot water. Another Coopers office called the partner in charge of my unit and said, what is this guy trying to do? We want to do business with these folks and we can’t have one of our staff members saying that “one of the primary security concerns for this package is that it be properly installed and administered”. I should say, for the most part, I saw a lot of good work done at Coopers; however, there were instances where I thought they could be investigated under the Racketeer Influenced and Corrupt Organizations (RICO) act.

There are legitimate concerns about the security mechanisms I am alluding too. But way to often, I think we are just nitpicking.

I remember reading this in the ACM’s February 2002 Forum. “Hello World Gets Mixed Greetings”. A teacher puts forward an example of a first programming assignment, and generates a lot of controversy. The example program took around 10 lines of code, the comments explaining its deficiencies filled up pages. It’s a first assignment, not OOP in a nutshell. Unfortunately, this is a good example of what you can expect from your colleagues.

I think the computer security world should shift its focus from trying to get it perfect, to getting people to use start using existing technologies and to committing to be responsive to needed changes.

The benefits of using the existing technologies outweigh the potential cost of them being exploited. There are billions of dollars being lost in fraudulent transaction every year with existing safeguards, but if we believe we will totally prevent fraud, we are sadly mistaken.

I hope the folks at www.CAcert.org are successful. I hope that someone stops the folks who have sent me hundreds of emails offering penis enlargement. I hope we come to our senses and realize that we can’t trust the FROM field in our emails and that all of our lives would be easier if all computer code was signed and that we could have assurance that the developers identity could be verified.

It’s taken 2 years, 2 months, and 6 days but finally we have reached 2000 assurers. This passing really belongs to everyone that’s ever assured anyone, or taken time off work to attend a conference, or just met up with others for coffee.

I was reading a blog the other day which the author describes meeting up with others to assure them, and comes out and says how it’s a great way to meet others with similar hobbies in security related fields. Speaking from personal experience, I’ve always liked getting out and networking with others and have mused about in-direct non-tangible benefits in the past before. However I’ve never thought it worthy of writing it down, and letting others know the side effects to assuring people and how you can actually end up with some really good friends out of it in the very physical area you lived but would never have known they were there otherwise, all drawn in by a common goal. I truly believe with each passing day that more people know about CAcert, and to that end I hope things keep getting bigger and better.

When I started with the first incarnation of CAcert almost 3 years ago, I had no idea things would be where they ended up. My original intentions behind CAcert was to provide better security for wireless networks (something that still is in a mess for the most part), but the community wireless guys didn’t end up running with it, and I guess what surprised me most out of all this, is in the fact that we issue more client certificates then server certificates.

As I mentioned in a previous posting, I met up with Mark Shuttleworth the other day, he’s been involved in a number of high profile things in the past, such as being the founder of Thawte and kicking off the Thawte web of trust, to being shot into space on a Russian space craft. He expressed slight disappointment the other day in the fact that the Thawte web of trust not going anywhere beyond where it is at present, and that slightly shocked me in that here was a man that setup a commercial company for the purposes of making a profit, yet on the other hand had a great sense of community, which is also obvious through his company’s sponsorship and heavy involvement with the Ubuntu Linux distribution. Also worth mentioning about Mark is the fact that unlike other free/open software projects, we weren’t simply dismissed, and also unlike many others he actually had a valid grasp of the reality surrounding CAs, rather then simply having the notion that they must be a commercialised operation to provide the service. Specifically on this last point someone has sent me a very interesting post I’ll throw up later today.

All up even though we’re still hassling mozilla for inclusion and most people rated inclusion into MS products as unobtainable, me being the eternal optimist, think we as a collective can do all this and more, and by the ever increasing number of users and assurers only serves to make me think I’m right. Simply put the more users and assurers that we have the greater the chance this will occur, and as I mentioned before 2005 is the year of the Assurer! By helping us to obtain greater numbers everyone is helping themselves indirectly as a result (we can’t be brushed aside forever with ever increasing numbers!), so get out there and start hassling your relatives, neighbours, co-workers and everyone else in sight into signing up and getting even just a client certificate to protect their own emails!

For those that are interested in keeping tabs on upcoming events the calendar.ics we now dynamically publish based on this blogs posts is one of the easier ways to do it. Today I’ve been playing with this and the sun-bird plugin for thunder bird/fire fox. The sun bird plugin allows you to import (you can even tell it to re-import on start up) remote calendars, such as the Events Calendar.

My only gripe is that the plugin is basically a completely new program and that it doesn’t seem to integrate very well with thunder bird, this could be a whole lot more useful and more to the point, more intuitive, to a whole lot more people. Once I downloaded and installed the plugin nothing on the thunder bird interface actually looked or seemed any different and it took me a fair while to track down the solitaire menu item when I could launch the sun bird interface from, so a big thumbs down on usability. As far as I can see all that it needs to be a little more useful is a little calendar looking item in the main interface that some how indicates events are occurring on certain days and by clicking would open to the plugins normal looking page.

Apart from evolution can anyone suggest any other plugins for thunder bird that integrate better, so that shared calendar events etc for people can better keep tabs of each other by publishing their public calendar to the Internet somewhere?

If you ever are involved with any sort of event trying to promote CAcert, this question at one point or another is bound to come up, and Microsoft has given us the best answer to date. With the new release of long horn comes a number of changes in the way Microsoft handles PKI, in particular the biggest change most likely to effect people with having OCSP turned on by default.

This will mean that if you’re publishing self signed certificates and no OCSP responder approves the certificate, Internet Explorer and other programs will reject the connection and you will have to go back to using no encryption or buying a certificate from a commercial provider.

At this stage CAcert isn’t running an OCSP responder either, this is in part due to the testing of different OCSP options in the past and having no sucess with any of the free software options actually workin properly, most software was returning a lot of false positives and false negatives. Having an OCSP responder is something that we need to address before betas are being officially released to ensure we don’t get left behind either, but at the same time it can be used as leverage as to why people should use us compared to self signing.

One suggestion on which OCSP responder to use is the one RedHat recently bought when it acquired some of the remaining Netscape assets from AOL. So far I’m not sure that anything has been released at all or what RedHat’s plans go for any time line.

One other minor note about OCSP in general, the protocol states that if you can’t talk to the responder to verify the status you have to assume it’s not a valid certificate, this could potentially lead to major disruptions on the Internet if CAs are being attacked via denial of service on their responder, which in turn could have the potential of wiping them out as a company if a lot of their customers’ websites are no longer usable.

One other situation that is similar to a denial of service attack, which will be a lot more common is when people are sitting in a plane or similar and not having Internet access, although apparently Microsoft have attempted to solve this via a OCSP caching solution, but will this actually be any better then the caching that Internet Explorer does? Something to think about at least I guess.