Category Archives: Information

General news/information to the CAcert community or about security in general

Link

As of now, prospective Assurers can also take the Assurer test CATS in Czech. This is an important step towards vulgarizing of the Web of Trust and CAcert’s efforts to increase security on the Internet.

CAcert offers free certificates that can be used for digital signatures, phishing prophylaxis, login or encryption. In order for their own name to be included in the certificate, each user must first meet and identify themselves with at least two Assurers of the Web of Trust. CATS is an important part of Assurer training, explains Bernhard Fröhlich, responsible for training courses. Experience shows that acceptance and the success rate are higher if a course can be completed in one’s own language. Currently CATS can be completed in Czech, German and English.

www.cacert.org
wiki.cacert.org/AssurerChallenge/

CAcert renewed root certificates

CAcert has finally upgraded the Root and Class 3 certificates from the old MD5 encoding to the modern SHA-256. Your browsers will like us again! The new certificates were installed in “the usual places” on April 10th. You may go to our web site home page, https://www.cacert.org, and over on the right-hand side, three lines from the top, is “Root Certificates.” The short way to get there is https://www.cacert.org/index.php?id=3.

We would like to thank all software team members for the job they did. All teams consist of volunteers. If you want to support the work done by the Software Team, including the review, please donate to continue to run this service. Thank you.

CAcert a renouvelé ses certificats racine

CAcert a finalement mis à jour les certificats Root et Class 3 de l’ancien encodage MD5 vers le moderne SHA-256. Vos navigateurs nous apprécieront à nouveau ! Les nouveaux certificats ont été installés dans “les lieux habituels” le 10 avril. Vous pouvez vous rendre sur la page d’accueil de notre site Web, https://www.cacert.org, et sur le côté droit, à trois lignes du haut, se trouve “Root Certificates”. Le chemin le plus court pour s’y rendre est https://www.cacert.org/index.php?id=3.v

Nous aimerions remercier tous les membres de l’équipe du logiciel pour le travail qu’ils ont fait. Toutes les équipes sont composées de bénévoles. Si vous souhaitez soutenir le travail effectué par l’équipe du logiciel, y compris la révision, veuillez faire un don pour continuer à faire fonctionner ce service. Merci.

Stability of e-mail verification strongly improved

The e-mail verification on the CAcert web server has recently led to repeated support requests. An analysis of the log files in our data center showed that the corresponding error occurred more frequently. So we have to conclude that many CAcert users have been negatively affected. In order to avoid further negative effects, an emergency
patch was deemed necessary by the Critical System Administrator Team.

The standardised review and testing of the emergency patch implemented yesterday is carried out by the regular teams in the aftermath, which can result in a formal blessing for this patch or a request for additional code or configuration changes. We would like to thank the Critical System Administrator Team for their quick and decisive action. All teams consist of volunteers. If you want to support the work done by the Critical System Administration Team and the review by the Software Team, please donate, to continue to run this service. Thank you.

CAcert at Fosdem 2019

On February, 2nd and 3rd, Fosdem in Brussels (Belgium) will open its doors. It is an ideal platform to get informed about free software – and of course CAcert will attend. The fair takes place in the ULB Campus.

But: This time CAcert and secure-u will NOT have stand there due to limited space in the builings. On Saturday noon and Sunday morning I’ll be at Infodesk in K-Building, where wearing my white CAcert Jacket to answer questions about the current status of CAcert and secure-u.

Feel free to contact me there for a short talk … or to agree to a later schedule after my shift there for a longer discussion about CAcert support, software …

NCCIC notices DNS Hijacking Campaign

As described in https://www.us-cert.gov/ncas/alerts/AA19-024A the US Cybersecurity Agency warns about hackers trying to hijack DNS servers, and manipulating them to obtain SSL certificates for the hijacked domains.

This is a serious problem, since the vast majority of certificates, including CAcert’s “Class 1” certificates for non-assured members, are issued on “proof of DNS control” only.
“Extended Validation” certificates, which assure the real person or organisation controlling the domain, are not affected by this threat. But they are usually extremly expensive when requested from a commercial CA.

CAcert’s “Class 3” certificates for assured members, as well as CAcert’s Organisation Assurance are a (mostly) free alternative for those certificates, with an overall security level which is at least compareable, if not better!

Know whom to trust! Ask us on cacert@lists.cacert.org if you want to know more details!

L’interruption au Congo se poursuit

CAcert still not available in Congo-Kinshasa. After the government ordered the Internet to be turned off on 30 December last year, the interruption was today extended indefinitely.

CAcert toujours pas disponible au Congo-Kinshasa. Après que le gouvernement a ordonné la fermeture d’Internet le 30 décembre de l’année dernière, l’interruption a été aujourd’hui prolongée indéfiniment.

Security is not everything, but without security everything is nothing

According to estimates, around six million people of the eight million inhabitants in Switzerland use the Whatsapp news service in their private lives. In Germany and Austria, the figures will probably be similarly high. This type of communication is so self-evident that more and more companies want to communicate with their employees and customers with Whatsapp: Picture messages of a place to be repaired, details of a booked flight or even direct advertising.

The well-known news service explicitly allows operational use and offers a business version for SMEs and an interface (API) for large companies. The list of advantages is long: uncomplicated, direct, shorter decision paths, cost-effective customer service, etc. – what more do you want? Since 2017, however, more and more companies have prohibited their employees from using Whatsapp, as the basic EU data protection regulation stipulates that personal data may neither be collected nor processed without the consent of the person concerned. No company wants to afford the imminent fines of several million euros.

The problem lies in the way the messsanger service operates. It regularly reads the address books of its users in order to compare them with its database. In this way he can display contacts that are new to the service. They have never given their consent. This is therefore a violation of the general data protection regulation, which also applies to companies that have only one contact in the EU. If it is either a service telephone or a private one on which business contacts are stored with the consent of the company, the company is liable. If the employees use their own device in the company, no synchronization with the data processing systems may take place. Thus, the employee processes personal data without the employer’s permission and is then liable for possible violations of the law.

If the intelligence service is to be used in compliance with data protection regulations, there must be two separate address books, one internal, with only those persons who have given their consent to the transfer of their personal data to Whatsapp. Another possibility is the use of a GDPR-compliant messenger in the company. The disadvantage of this solution, however, is that such messengers have not yet become widespread and can therefore hardly be used in contact with customers.

And the solution? It corresponds to squaring the circle and is about as simple as the browser integration of CAcert in the next 12 months. Nevertheless, it is worthwhile, especially in the year 2019, to deal with how one deals with personal data in one’s company. The first companies to find practicable and easily implementable solutions can gain a competitive advantage, because “Security is not everything, but without security everything is nothing”. (Schopenhauer)

The sending of encrypted and signed e-mails is in compliance with the general data protection regulation. With the Organisation Assurance Programme, CAcert offers companies a simple and practical solution. The systematic sending of digitally signed e-mails offers customers the opportunity to clearly distinguish messages from spam and phishing. The encryption of internal e-mails increases security and is technically easy to implement, as the IT department rolls out the corresponding certificates.

Source: NZZ, 31.12.2018

Donate the running costs of allmost one day (5€)     Donate as much as you want                     Donate the running costs of one week (50€)                                                                                    IBAN DE50 2019 0003 0008 5478 07 “CAcert”