We've released a beta product to display the CAcert logo and indicate if
the site has a valid certificate or not.

We are after testers to verify if the site stamp works in all
circumstances possible, (ie no false positives, and no false negatives),
and is efficiently displayed in a timely fashion.

Please see http://stamp.cacert.org for more details.

Every where I look lately I see a post about the EV (extended verification) certificates, the articles against are more or less pointing out what others and myself have posted in the past, or a watered down version.

All the articles for EV certificates keep pushing the same line how it will prevent phishing, but this will only be prevented for the top 1 or 2 sites at most, I guess these are the easiest for Verisign to exploit for cash, the company “thinks” they’re getting a good deal, and Verisign gets a fat bank account, win win right?

Wrong, the end user will still be paying the piper because this isn’t a real solution for all the sites everyone is likely to visit, everyone visits a multitude of sites for pleasure and business, and the latter is the important bit here, if we are going to a variety of sites and most smaller businesses still don’t sign up to the emperors clothes argument, either for pragmatic reasons or due to their ideological views on the topic, then users will still associate white or yellow = OK, green = OK, so white or yellow must be pretty much the same as green so we’re all back to square one.

In the mean time browsers are wasting the precious seconds some people pay security issues, and instead of guiding people on real solutions that can be applied to all sites, the browsers are selling snake oil to everyone (yet again).

Mozilla and co claim this is for their end users but I seriously must question this motive and must look to past examples of what motivates the Mozilla Foundation. Things seem awfully like every other large entity out there, the almighty buck.

The reason I state this is because of past deals with Google, but more recently when the same metrics Mozilla pushes on other developers wasn’t pushed on Verisign, nor any research conducted or anything remotely like some conclusive statement how this will help anyone beyond Verisign what are we left to conclude?

I guess what others have told me is true in some sense, Mozilla wasn’t really in the browser business because of security, but because they are a browser, and one that seems to be getting steadily worst with each release.

My advice to everyone is to take an ideological stand and unequivocally refuse to buy these certificates, further more people should scream from the roof tops that we want real security solutions, not half baked ideas to lock everyone into certain certificate authorities that are trying to reinvent the locks that held the SSL market for the past 15 years.

Don’t buy into yet another lame duck!

There is a remotely exploitable security vulnerability in Acrobat Reader 7.x :
http://www.wisec.it/vulns.php?page=9
   
Please update your Acrobat Reader.

Certificate Login (secure.cacert.org) is currently not available due to a
migration of the servers and the unavailability of enough IP addresses.
We removed the button temporarily, and will activate it again, as soon as it
works again, hopefully within the next few weeks.

Please use the Password Login on https://www.cacert.org/ instead.

Bigger and Badder! The Fifth Annual Southern California Linux Expo is coming! It will be February 10-11, 2007, at The Westin Los Angeles Airport. Due to year over year growth, we’ve moved the Expo to a new location which will allow us to expand. We’ll have more speaker tracks, and more tutorials designed to show users of all skill levels what Open Source can do. And SCALE 5x will offer more booth space for those interested in showing how they have made Open Source work for them. You will again be able to find assurers in attendance this year.

Over the coming weeks, CAcert will be moving its systems from our current co-location in Sydney, Australia, to hosting over multiple sites in both the Netherlands and Austria.

During the migration, there will almost certainly be some outages of various services, ranging from a few minutes to a few days as we undertake this mammoth task. We hope to minimise all disruptions, and priority will be given to mission critical infrastructure such as the OSCP responder and CRL lists.

Updates to the migration, and as much possible advance warning of any downtime will be posted to the CAcert website, and where possible also posted to the cacert-users mailing list.

I would like to extend a personal thank you for everyone’s dedication and continued support for CAcert.

Early in the new year, the legal entity CAcert, Inc. will be having its annual general meeting, and a formal announcement of the date, and notice of the meeting will be published soon.

CAcert auf dem Chaos Communication Congress 2006 (23C3) in Berlin

english readers please read below

CAcert wird auch dieses Jahr wieder auf dem diesjährigen ChaosCommunicationCongress zwischen den Feiertagen vom 27. bis 30.12.2006 vertreten sein und wird hier kostenlose Assurances anbieten.
Interessenten sollten sich zunächst kostenlos (wenn nicht schon geschehen) einen Account bei CAcert.org anlegen (falls dies nicht vor dem Congress möglich ist geht dies auch zeitnahe nach der Veranstaltung); notwendig hierzu sind neben dem Namen lediglich eine gültige E-Mail-Adresse und ein möglichst sicheres Passwort. Am Stand kann nun dieses Benutzerkonto verifiziert und die dazugehörige Person identifiziert werden. Für diesen als “Assurance” bezeichneten Vorgang ist jedoch die Vorlage mindestens zwei gültigen Ausweisen, eines davon sollte in amtlicher Lichtbildausweis (z.B. Personalausweis oder Reisepass) sein, die dann am Stand überprüft und verifiziert werden. Nach erfolgter Überprüfung erhält jeder Benutzer Punkte, die seine Vertrauenswürdigkeit widerspiegeln. Zum einen kann ein so assurter Benutzer im internen Bereich der CAcert-Website selber beglaubigte Zertifikate ausstellen, aber auch über ein “Web of Trust” Punkte an andere Benutzer vergeben.
Assurer, Interressierte und Besucher können sich gerne unter http://events.ccc.de/congress/2006/CAcert über den aktuellen Stand informieren sowie sich als Helfer eintragen.

english version:

CAcert will be represented on this year’s ChaosCommunicationCongress between the winterholidays from 27th to 12-30-2006 this year and will here offer free CAcert Assurances. Interested parties should join thisbefore, also contemporary goes after the event lay out an account at CAcert.org free of charge next to themselves (if not happened already; if this isn’t possible before the Congress); merely a valid electronic mail address and a password as safe as possible are necessary to this besides the name. This user account verified and the necessary person can be identified at the booth now. For this process described “as an Assurance” the presentation is, however, at least two ID-Cards one should of this into be an official transparency card (e.g. identity card or passport), this would be checked and verified at the booth valid cards. After check having been carried out every user gets points which reflect his trustworthiness. On the one hand, a so assured person can issue certificates certified in the internal area of the CAcert web site but allocate points to other users also over a “web of trust”. Assurer, interrested people and visitors are welcome to ask under http://events.ccc.de/congress/2006/CAcert about the current stand as well as put down their name as a helper.

With the advent of the CABforum as a trade group for commercial CAs designed to keep everyone out that isn’t looking to make a big buck out of others you’d think the browsers with their cries of standards and openness so they don’t get locked out by Microsoft wouldn’t be so quick to jump on this band wagon, but the complete opposite is true.

So what should we do as users, well as one person pointed out they plan to boycott all Microsoft products that contain additions to their software that supports EV certificates but we can do much more then that. Remember the only ones to benefit from this are large commercial CAs such as Verisign, and browsers via kick backs, although it seems Verisign has spun this so well they won’t need to pay anyone a cent.

This will effect the 99% of small businesses (or even medium sized business) that can’t justify spending the big bucks to get EV certificates, it will effect partnerships, sole traders and even in most cases Universities. If you ever expect to get an EV cert and you’re not a bank or big company, well forget it, even if you had the money to cover it, the standard is set so high that you wouldn’t be eligible in any case.

If you ever thought of running a business over the internet now is the time to have your say otherwise it could be too late to voice an opinion.

EV certs are being touted by Microsoft as preventing phishing, but as so few phishing attacks utilise SSL at present this claim is laughable at best.