Of late Verisign has been heavily pushing a new initiative for extended verification certificates, going so far as being on record criticising Mozilla for not keeping up with security innovations that Microsoft has already implemented, to give this some context, EV certificates are similar to the Class 3 certificates CAcert issues, minus the huge price tag.

While we applaud the effort to unify procedures and processes CAs employ we feel things have been heavily slanted towards commercial certificate authorities so much so that it seems to be more about keeping a strangle hold on the market and the price tag that comes with it then any actual improvements with security that end users might enjoy.

As a result, there is a number of flawed assumptions being pushed that can only be seen as helping out Verisign’s bottom line, not helping out end users, and while I can understand Microsoft’s motivations for accepting Verisign’s recommendations so openly, one must start to question Mozilla’s motives for even contemplating doing the same.

Now, if this was to truly help out users, surely we would hope for wide spread adoption, but this won’t be the case, even Verisign has expectations that 99% of sites will stick with the status quo. This becomes even more interesting when you take into account how this will be or is implemented in browsers.

Currently Firefox turns the URL bar yellow when the site is secured with SSL, with EV certificates the URL bar will turn green, this is supposed to indicate that the site is great and super and should be implicitly trusted, but if most sites are yellow users will tend to associate yellow as being just as good as green. We’ve seen this behaviour in the past with people simply clicking through any popups, which occur far too regularly and people only end up clicking without even reading them.

CAcert was aware at the time of discussions that occurred between most/all browser vendors and some certificate authorities, however when we asked to participate our requests largely fell on deaf ears.

The bigger problem here is with the Mozilla Foundation itself, well over a year ago, there was university trained researchers falling over themselves to help out the mozilla foundation, they had conducted real studies into how to improve the browser experience and way to help users to detect fraudulent websites. The Mozilla Foundation basically snubbed the researchers and their efforts at creating proof of concepts in the hope of having their research utilised for the benefit of everyone.

The research has since been incorporated in tool bars by HP and others for Internet Explorer.

It makes you wonder how much research Verisign and others have completed to back up their claims that this will help users?

This is yet another example of people being told what they need to be safe, when it’s most likely not going to do anything except convince businesses to spend more money with Verisign, so again I’m left wondering why the Mozilla Foundation is entertaining this current push by Verisign to lock out competitors, and has little or no benefit for users and businesses in general, even though helping users is the excuse being used as why this is needed.

Two assurers will be present at JDL, Lyon, oct. 13 & 14.

See  http://www.jdll.org/

—

Th. Thomas.

1. A recent cryptography paper has announced a threat to
RSA certificates where those certificates use a particular
form (known as e=3 for crypto reasons).

Ref: http://www.cdc.informatik.tu-darmstadt.de/securebrowser/

2. CACert formed a task force to deal with this issue,
and searched all certs that we issued. We discovered:

a. 414 user certs have this characteristic of e=3.
b. No root or intermediate certs have e=3.

3. We will write to all users with these certs and advise
them to revoke and re-issue.

4. At this stage, we believe the threat of attack to be
low. For this reason we have decided to not revoke the
certificates preemptively.

5. However, if:

a. you are using the certificate for high value purposes,
b. you are in an environment where you may expect to be
attacked aggressively,
c. your software or the software of your users is not
kept up to date nor patched
d. there is a potential attack involving tricking a user
with a bogus RSA signature,

then you may be more at risk. If you think so, we suggest
you revoke the current certificate if e=3, and re-issue
using the normal CAcert website processes.

6. The CAcert risk team is watching the situation and may
choose at some stage to revoke those certificates preemptively.

7. We expect other CAs to take similar steps. This is an
industry wide security situation, and many companies are
evaluating the fallout from the announced weakness.

8. The software packages that are known to be affected to day are:
OpenSSL < 0.9.8c, Firefox < 1.5.0.7, Opera < 9.02, Netscape, More references: http://www.mail-archive.com/cryptography%40metzdowd.com/msg06537.html http://www.openssl.org/news/secadv_20060905.txt

On Thursday, September 14, 2006, at the Boulder Linux Users Group in Boulder Colorado (http://lug.boulder.co.us/), we will be doing CACert assuring.  We expect to have several full-pointy assurers, and probably a super-assurer as well.  See the meeting minutes at the above URL for more information on the meeting.

CAcert ist auf der SYSTEMS auf dem Stand A3.542 vertreten.

Weitere Infos:
http://wiki.cacert.org/wiki/SyStems2006
 
http://www.systems-world.de/

There is a conference in Nashville TN, USA on October 20 and 21. At least one assurer will be there. There is a fee for the conference, but not for the vendors area where an asurrer should be available. Ask at the NLUG booth if more information is needed. Bring your appropraite IDs and be pre-registered with CAcert.

PhreakNIC 10
http://www.phreaknic.info/pn10/

Days Inn At the Stadium/Downtown
211 N. First St.
Nashville, Tennessee 37213
United States
615-254-1551
Toll Free 1-800-251-3038

Am Sonntag, dem 8. Oktober 2006, findet der 4. Linux-Info-Tag im Hörsaalzentrum der Technischen Universität statt, dieses Jahr im Rahmen der Dresdner “Woche der Informatik” anläßlich des bundesweiten Informatikjahres.

CAcert bietet auch dieses Jahr wieder die kostenfreie Assurance von Personen an.
Interessenten sollten sich zunächst kostenlos einen Account bei CAcert.org anlegen (falls dies nicht vor der messe möglich ist geht dies auch zeitnahe nach der Veranstaltung); notwendig hierzu sind neben dem Namen lediglich eine gültige E-Mail-Adresse und ein möglichst sicheres Passwort. Am Stand kann nun dieses Benutzerkonto verifiziert und die dazugehörige Person identifiziert werden. Für diesen als “Assurance” bezeichneten Vorgang ist jedoch die Vorlage mindestens eines gültigen amtlichen Lichtbildausweises (z.B. Personalausweis oder Reisepass) notwendig, die dann am Stand überprüft und verifiziert werden. Nach erfolgter Überprüfung erhält jeder Benutzer Punkte, die seine Vertrauenswürdigkeit widerspiegeln. Zum einen kann ein als vertrauenswürdig eingestufter Benutzer im internen Bereich der CAcert-Website selber beglaubigte Zertifikate ausstellen, aber auch über ein “Web of Trust” Punkte an andere Benutzer vergeben. Darüberhinaus kann jeder auch noch seinen GPG-Key hier hochladen und so von einer CA signen lassen.
Interressierte die hier als Assurer helfen möchten können sich gerne unter http://wiki.cacert.org/wiki/LinuxInfotag_Dresden2006 vorbeischauen und sich eintragen.