Author Archives: Etienne Ruedin

How secure is cryptography still? (Part 1)

A revolution is imminent: With the help of quantum mechanical effects, new types of computers could one day quickly solve computing tasks that today’s machines cannot cope with. That is good news. On the one hand. On the other hand, it is bad news. Because commercial computer science as we know it today depends on the existence of computing tasks that computers can cope with. The high computational effort forms a protective wall that secures communication channels. Quantum computers could tear down this protective wall.

Around Lake Zurich, researchers are involved in various teams for the development of post-quantum cryptography. The new encryption methods should protect secrets entrusted to the Internet for decades to come.

For centuries, and even in the late 1970s, it seemed inevitable that the sender and recipient of secret messages would use the same key. This form of protected message exchange is called symmetrical. Since then, asymmetric encryption methods have become generally accepted. They enable the secure exchange of information between two communication partners who are facing each other for the first time and have not had the opportunity to agree on a common key beforehand.

The asymmetric encryption methods use mathematical functions that can only be inverted with great effort. These are one-way or trapdoor functions: In one direction, the passage is easy to pass through, but the way back is blocked. A widely used encryption method is based on the multiplication of two large prime numbers. It does not demand much from a calculating machine, but the opposite way, the prime factorization, is too much for common computers.
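The asymmetry described above can be made concrete with textbook RSA on toy primes. This is an added illustration, not part of the original article; the function names and the five-digit primes are assumptions chosen so that the slow direction still finishes instantly.

```python
# Added illustration: textbook RSA with toy primes (no padding, not for real use).
from math import gcd, isqrt

E = 65537  # widely used public exponent

def make_keypair(p, q):
    """Easy direction: one multiplication yields the public modulus n."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(E, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    return (n, E), pow(E, -1, phi)  # public key, private exponent d

def encrypt(m, public):
    n, e = public
    return pow(m, e, n)

def decrypt(c, d, n):
    return pow(c, d, n)

def factor(n):
    """Hard direction: trial division needs about sqrt(n)/2 divisions."""
    if n % 2 == 0:
        return 2, n // 2, 1
    steps = 0
    for cand in range(3, isqrt(n) + 1, 2):
        steps += 1
        if n % cand == 0:
            return cand, n // cand, steps
    raise ValueError("n is prime")

def recover_private_exponent(public):
    """Whoever can factor n can rebuild the private key from the public one."""
    n, e = public
    p, q, steps = factor(n)
    return pow(e, -1, (p - 1) * (q - 1)), steps

if __name__ == "__main__":
    public, d = make_keypair(10007, 10009)   # constructed toy primes
    c = encrypt(424242, public)
    print("decrypts correctly:", decrypt(c, d, public[0]) == 424242)
    d_found, steps = recover_private_exponent(public)
    # One multiplication built n; undoing it took thousands of divisions.
    # The gap grows exponentially with the bit length of the primes.
    print("private key recovered:", d_found == d, "after", steps, "divisions")
```
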

CAcert’s European Bank Accounts

German:
As of now, payments from the SEPA area* can be transferred to CAcert’s European bank account. For donations you can continue to use Secure-U’s bank account in Germany (this way we avoid money being pointlessly moved back and forth, since Secure-U rents the servers for us); for membership fees, however, the bank account in Switzerland listed below should be used, as only then can the membership fee be assigned to the member. Below you will find the name, postcode/town, IBAN account number and bank:

CAcert Inc
7514 Sils im Engadin
Switzerland
IBAN: CH02 0077 4010 3947 4420 0
Graubündner Kantonalbank, Chur
Clearing 774
BIC (SWIFT) GRKBCH2270A

Payments from these countries (SEPA) are particularly easy.

Italian:
As of now, payments from the SEPA area* can be transferred to CAcert’s European bank account. For donations, please use the Secure-U bank account in Germany; for membership fees, however, the bank account in Switzerland listed below must be used, since only then can the membership fee be assigned to the member. Below you will find the name, postcode/town, IBAN account number and bank:

CAcert Inc
7514 Siglio in Engadina
Switzerland
IBAN: CH02 0077 4010 3947 4420 0
Banca Cantonale Grigione, Coira
Clearing 774
BIC (SWIFT) GRKBCH2270A

Romansh:
CAcert Inc
7514 Segl Maria
Switzerland
IBAN: CH02 0077 4010 3947 4420 0
Banca Chantunala Grischuna, Cuira
Clearing 774
BIC (SWIFT) GRKBCH2270A

English:
As of now, payments from the SEPA area* can be transferred to CAcert’s European bank account. For donations, the Secure-U bank account in Germany can still be used (to avoid money being transferred twice); however, for membership fees, the bank account in Switzerland listed below should be used, as only then can the membership fee be assigned to the member. Below you will find the name, postcode/town, IBAN account number and bank:

The leading bank in southeastern Switzerland.

CAcert Inc
7514 Sils/Segl Maria
IBAN: CH02 0077 4010 3947 4420 0
Grisons Cantonal Bank, Coire
Clearing 774
BIC (SWIFT) GRKBCH2270A

The bank is rated AA/stable by Standard & Poor’s. It also has a state guarantee from the canton of Grisons (one of Switzerland’s 26 cantons).

French:
As of now, payments from the SEPA area* can be transferred to CAcert’s European bank account. For donations, continue to use the Secure-U bank account in Germany; for membership fees, however, the bank account in Switzerland indicated below should be used, as only then can the fee be attributed to the member. Below you will find the name, postcode/town, IBAN account number and bank:

CAcert Inc
7514 Segl Maria
IBAN: CH02 0077 4010 3947 4420 0
Banque Cantonale des Grisons, Coire
Clearing 774
BIC (SWIFT) GRKBCH2270A

* SEPA Area: all 27 countries of the European Union, furthermore: Guadeloupe, French Guiana, Martinique, Réunion, Mayotte, Saint-Pierre, Miquelon, Canary Islands, Azores, Madeira, Ceuta, Melilla, United Kingdom, Gibraltar, Isle of Man, Jersey, Guernsey, Switzerland, Liechtenstein, Norway, Iceland, Monaco, San Marino, Holy See, Croatia, Andorra.

Browser manufacturers shorten certificate lifetime to one year

From September onwards, HTTPS certificates may only be issued for a maximum of one year.

CAcert will adapt the free certificates

The maximum validity of certificates for proof of identity on the web will be further reduced – in the next step to one year. Although a vote on this issue in the CA/Browser Forum failed in September due to resistance from the certification authorities, it is still being discussed. But in March Apple came forward and declared that Safari will only accept certificates issued after September 1, 2020 if they are not valid for more than one year.

Now Mozilla and Google are following suit and creating facts on the ground. In the past, validity periods of 5 years were not unusual. Currently, certificates may still be issued for 2 years (more precisely: 825 days, i.e. plus some grace period). With the renewed tightening, Chrome, for example, returns ERR_CERT_VALIDITY_TOO_LONG if a certificate was issued after September 1, 2020 and is valid for more than 398 days.

Revocation broken

The main reason for the constant shortening of the certificate lifetime is the fact that there is no generally functioning revocation mechanism by which a certificate could be revoked. Revocation lists (CRLs) and the Online Certificate Status Protocol (OCSP) have proven to be unsuitable and are now switched off by default.

The browser manufacturers still maintain their own internal revocation lists, which they can use to react to acute incidents. But this is a quasi-manual procedure that can only cover significant problem cases. Ultimately, the browser manufacturers are now focusing on damage limitation: if, for example, the secret key of a certificate is stolen, an expiration date that arrives as soon as possible should solve the problem.

No need for action for users

Let’s Encrypt, which now dominates the market, is the pioneer and only issues certificates for 3 months anyway. Renewal is then automated via ACME. According to Mozilla, however, the other certification authorities have also agreed to only issue certificates for 398 days from September 1. In view of the show of force by the browser manufacturers, they probably don’t have much choice.

As a web site operator, you don’t have to do anything else – even if you still have a certificate with a longer validity in operation. The new rule only applies to certificates issued after September 1, 2020.
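A site operator can check which side of the rule a certificate falls on. The following is an added example, not CAcert or browser code; it models the rule as the article states it, and the exact cutoff instant (2020-09-01 00:00 UTC), the function names and the sample certificates are assumptions.

```python
# Added example: model of the validity rule described above (limits from the article).
import ssl
from datetime import datetime, timedelta, timezone

CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)  # assumed cutoff instant
LIMIT_NEW = timedelta(days=398)   # certificates issued from the cutoff onwards
LIMIT_OLD = timedelta(days=825)   # certificates issued before the cutoff

def _parse(cert_time):
    # Same "Sep  2 00:00:00 2020 GMT" format that getpeercert() returns
    secs = ssl.cert_time_to_seconds(cert_time)
    return datetime.fromtimestamp(secs, tz=timezone.utc)

def check_lifetime(cert):
    """cert: dict with 'notBefore'/'notAfter', as from SSLSocket.getpeercert()."""
    not_before = _parse(cert["notBefore"])
    not_after = _parse(cert["notAfter"])
    if not_after <= not_before:
        raise ValueError("notAfter is not later than notBefore")
    lifetime = not_after - not_before
    limit = LIMIT_NEW if not_before >= CUTOFF else LIMIT_OLD
    return {"days": lifetime.days, "limit_days": limit.days,
            "too_long": lifetime > limit}

# Constructed sample certificates (validity fields only)
SAMPLES = {
    "old two-year": {"notBefore": "Aug 15 00:00:00 2020 GMT",
                     "notAfter": "Aug 15 00:00:00 2022 GMT"},
    "new two-year": {"notBefore": "Sep  2 00:00:00 2020 GMT",
                     "notAfter": "Sep  2 00:00:00 2022 GMT"},
    "new exactly 398 days": {"notBefore": "Sep  2 00:00:00 2020 GMT",
                             "notAfter": "Oct  5 00:00:00 2021 GMT"},
    "new 398 days plus 1 s": {"notBefore": "Sep  2 00:00:00 2020 GMT",
                              "notAfter": "Oct  5 00:00:01 2021 GMT"},
    "new 90-day": {"notBefore": "Sep  2 00:00:00 2020 GMT",
                   "notAfter": "Dec  1 00:00:00 2020 GMT"},
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(f"{name:24} {check_lifetime(cert)}")
```

The same function accepts the dictionary returned by `getpeercert()` on a live TLS connection, since only the two validity fields are read.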

Browser manufacturers reduce certificate lifetime to one year

From September onwards, HTTPS certificates can only be issued for a maximum of one year.

CAcert will adapt its certificates

The maximum validity of certificates for proof of identity on the web is being reduced further, in the next step to one year. A vote on this in the CA/Browser Forum in September failed due to resistance from the certification authorities. But in March, Apple came forward and declared that Safari will accept certificates issued after September 1, 2020 only if they are valid for no more than one year.

Now Mozilla and Google are following suit and creating facts. In the past, terms of 5 years were not unusual. Currently, certificates can still be issued for 2 years (more precisely: 825 days, that is, plus a certain grace period). With the new tightening, Chrome, for example, returns an ERR_CERT_VALIDITY_TOO_LONG if a certificate was issued after September 1, 2020 and is valid for more than 398 days.

Revocation broken

The main reason for the constant reduction of certificate lifetimes is that there is no generally working revocation mechanism by which a certificate can be revoked. Revocation lists (CRLs) and the Online Certificate Status Protocol (OCSP) have proven unsuitable and are now disabled by default.

The browser manufacturers still keep their own internal revocation lists, which they can use to react to serious incidents. But this is a quasi-manual procedure that can only cover significant problem cases. In the end, the browser manufacturers are now concentrating on damage limitation: if, for example, the secret key of a certificate is stolen, an expiration date that arrives as soon as possible should solve the problem.

No need for action for users

Let’s Encrypt, which now dominates the market, is the pioneer and in any case only issues certificates for 3 months. Renewal is then automated via ACME. According to Mozilla, however, the other certification authorities have also agreed to issue certificates for only 398 days from September 1. Given the show of force by the browser manufacturers, they probably do not have much choice.

As a website operator, you do not have to do anything else, even if you still have a certificate with a longer validity in service. The new rule applies only to certificates issued after September 1, 2020.

Change in the Committee

Frédéric Grither from France has resigned as treasurer of CAcert Inc. However, he will continue to offer his expertise and experience as a member of the CAcert finance team. On 13 February 2020, the Committee (Board) was able to fill the vacancy by electing Christophe Meesters from Belgium to the Committee. Christophe is a proven financial expert.

Bret Watson from Australia is now also supporting us in the finance team, particularly with regard to Australian issues. The board is very grateful to know that the finances of our fellowship are in good hands and that we have managed to spread the work over several shoulders.

Social networks in children’s bedrooms

Social networks arrived in children’s bedrooms long ago, and ever younger children are using them. Influencers on platforms such as Instagram or YouTube accompany our children in everyday life. This once again raises the question of how parents or older siblings should deal with it.

On the occasion of today’s Safer Internet Day (SID 2020), YouTuber Robin Blase is calling for more media literacy. CAcert is currently preparing teaching material on the subject.

CAcert Event in Staffordshire – 11th Feb 2020

CAcert Event in Staffordshire - 11th Feb 2020 at Keele University

Good news: There will be a CAcert event in the United Kingdom!

The CAcert event will be on the 11th February 2020. The main talk will begin at 7pm, the doors will be open for earlier arrivals from 6pm onwards.

The CAcert Event will be at the StaffsLUG Workshop, Internet Central, Innovation Centre, Keele Science Park, ST5 5NB, Newcastle-under-Lyme/Stoke-on-Trent. Details and maps are available at this URL: https://staffslug.org.uk/events/

All users of any OS are welcome to come along! Disregard the fact that StaffsLUG are helping to host it!

You should be able to find details of the event at this other URL which is our calendar: https://staffslug.org.uk/calendar/

But essentially it’ll cover…

  • An introduction to CAcert from one of their UK volunteers Alex.
  • We’ll also cover SSL in general for anyone unfamiliar.
  • Time for assurances (for free certificates with CAcert, you’ll need this), to participate in this you’ll need to bring some form of ID as mentioned here (e.g. Passport and Driving License).
  • We’re being joined by people from CAcert and existing users of CAcert who’ll be able to help issue points during the assurance part.

If anyone has further thoughts about things we should consider for the event or things you would like to see covered, let us know! For the latest details, see our UK mailing list: https://lists.cacert.org/wws/info/cacert-uk

New Committee constituted

The constituent meeting of the committee took place on 23 December 2019. At this meeting, Sascha T was given a warm welcome. Furthermore, strategic issues were discussed and offices were allocated within the board.

Brian M will remain president, Peter N vice president and Etienne R secretary. The office of treasurer will be filled definitively in the coming weeks.

German: The constituent meeting of the board took place on 23 December 2019. Strategic issues were discussed and the offices within the board were allocated.

French: The constituent meeting of the committee took place on 23 December 2019. At this meeting, strategic issues were discussed and offices were allocated within the committee.

Germany is represented on the CAcert board again

At the General Meeting, the annual accounts for 2018/19 were approved and the board was confirmed in office. Following a resignation, one seat could be newly filled. With Sascha T, Germany is once again represented on the board. This makes good sense, as the CAcert community is very strong in that country.

English: At the General Meeting, the annual accounts for 2018/19 were approved and the committee was confirmed in office. As a result of resignations, one seat could be newly filled. With Sascha T, Germany is again represented on the board. This makes sense, as the CAcert community is very strong in this country.

General Meeting 2019 – save the date!

CAcert’s Annual General Meeting 2019 will be held on Saturday, 30 November 2019, 20:00 UTC = Sat 21:00 Central Europe = Sat 15:00 NY = Sun 07:00 Sydney.

20:00 GMT / 20:00 UTC / 21:00 CET (Berlin/Zurich) / 15:00 EDT (New York) / Sun 1.12.2019 07:00 AEDT (Sydney)

Further information will follow.

see https://wiki.cacert.org/AGM/Next