I really don’t think a consensus was reached over the issue of what to do with unassured people issuing certificates. Long term my thoughts were to disable most functions from anyone not assured, but that requires some kind of critical mass which I just don’t think we have at present.

I think intent plays a big part here, by that I mean if you are utilising CAcert for certificates to secure emails, or even just IRC you’re more likely to stop using CAcert and go back to self signing if you’re not assured, where as those pushing to stop having unassured people issue certificates tend to fall into one of two camps, those assured, or those that think SSL can in some way greatly increase security, and I guess to an extent those already assured are perhaps leaning towards the latter as well.

So I guess here is my challenge to those wanting for a more secure internet, get out there and start assuring more people, because this then leads to critical mass which allows us the ability of making decisions based on merit rather then knee jerk.

What seems like a relatively simple thing in the SSH world, a simple warning about fingerprints changing, you think would be a very invaluable thing in the SSL world as well. The reason this should be important is because of a simple problem, Verisign has the potential to do a lot of things after all they’re the ones left guarding a couple of root name servers (which controls the entire DNS system), they also directly have control over several TLD zones (.com/.net) and to top things off they have their root certificates in every browser out there.

However that’s just the tip of the ice berg, Verisign is also one of the largest providers of snoop services for the US Government, and anyone else able to afford their services, and this is where a warning would come in handy.

If Verisign decided to redirect your traffic from from your website by making their name servers authoritative for your domain and then point your host name to their proxy server which in turn relays your traffic to your proper website, they could. But wait, you’re using SSL on your web-mail so no one can listen in to your passwords and/or emails, right? WRONG! This is where my earlier point about Verisign having their root certificates in browsers comes in, they can issue a new certificate for their proxy server for say “*” (a wild card for any domain/host name/everything) and if you connect to HTTPS the browser will never warn you that you are hitting a different certificate, and that all your traffic is now being proxied, captured, proded, poked and anything else you can think of.

What’s that I hear you say, that it’s illegal to intercept traffic like that, think again, the NSA is doing it to all traffic going across US international borders and have said that any and all is fair game to it. Not to mention the US has some interesting laws that they could force Verisign into doing it, then throw in a gag order for good measure!

So back to my original statement, if browsers cached and checked that certificates haven’t changed, then any kind of interception like this would then cause the user to be warned in an active sense, rather then the passive method of trying to view who issued a certificate.

This then leads to an interesting dilemma for browser developers, if you on one hand state all traffic that goes via SSL/TLS is encrypted and can’t read by others, and then on the other hand it really can, doesn’t that make you liable for making misleading statements?

The guys working on Mozilla software doesn’t seem to think so, nor do they seem to think it is a good idea to actually provide security for their users, they’d rather you lived under a rock and think commercial certificate authorities are such perfect entities. So far I’ve been met by nothing but a wall of silence on their news groups when the topic comes up, and when I filed a bug report, it was hastily marked as invalid.

I’ve said it before and I’ll say it again, I trust SSL in most browsers as far as my credit card number, I certainly wouldn’t be trusting it if I were a Chinese dissident!

CAcert now has an operational OpenCA (RFC compliant) OCSP Responder. All the certificates that were issued after 2005-05-16 should have the OCSP Service URL automatically included, and your OCSP client should check periodically for certificate status. The OCSP responder issues signed responses over http, (the OCSP address is not a normal website and you can only connect to it with an OCSP client, such as OpenSSL) once your client is running you can tell it to connect to http://ocsp.cacert.org or http://ocsp.cacert.org:2560.

To activate OCSP in firefox use the below settings.

• Click on the Tools menu, then select Options.
• After the Options window appears, select Advanced.
• Scroll down until you get to the Validation section, OCSP will be the last option.
• By default “Do not use OCSP for certificate Validation” is selected. Change to the second option, “Use OCSP to validate only certificates that specify an OCSP service URL”.
• Click OK to close the Options window.

We run our OCSP Responder on port 2560 (OpenCA default), we also make this available as a vHost in Apache on port 80, which will be important for anyone stuck behind a firewall and unable to connect to ports other then 80 or 443.

We now issue all certificates with the OCSP Responder URI address listed as http://ocsp.cacert.org and we plan to distributed servers around the world via round-robin DNS. If/when load or bandwidth become a problem in the future, we can simply add more OCSP responders in a similar fashion to adding secondary name servers (DNS), and it would seem things could easily be made highly distributed with our current configuration.

Due to the threat model used in developing the RFC for OCSP, high availability will be a key issue in running/maintaining OCSP services. Any clients with OCSP turned on will fail to connect to any site whose certificate doesn’t have a valid OCSP response. As far as I’m aware mozilla products currently do not have any form of OCSP caching, so reading signed/encrypted email on a plane in Thunderbird could be difficult at this point in time. Microsoft is apparently developing an OCSP client for it’s next version of Windows/MSIE that apparently does some caching, although it will be interesting to see how well this works.

A question came up the other day, what policy do we have about 3rd parties registering domains that contain the word “CAcert”. In the past few days I know of a few more domains either registered or applied for, and while I can assume (hopefully correctly) most people will do the right thing and they are applying for them to either point back to our main website or to localised content and support, there is of course like everything else in life the potential for abuse.

Up until now there has been reasonably small risk of anything bad occurring, but as things progress this is something that should be taken serious as it will reduce efforts to market ourselves, as these sites unless labelled correctly could be mistaken as an official off shoot, when in actual fact only the main website is the only site we officially operate.

The mozilla guys have recently published their trademark policy, and one clause included an item on domain names that contain mozilla trademarks.

If you want to include all or part of a Mozilla trademark in a domain name, you have to receive written permission from Mozilla. People naturally associate domain names with organizations whose names sound similar. Almost any use of a Mozilla trademark in a domain name is likely to confuse consumers, thus running afoul of the overarching requirement that any use of a Mozilla trademark be non-confusing. If you would like to build a Mozilla, Firefox Internet browser or Thunderbird e-mail client promotional site for your region, we encourage you to join an existing official localization project.

To receive written permission, please download and follow the directions as outlined in the Domain Name License.

There are a lot of examples out there of other community projects spawning domain names based on the original project for localisation/regionalisation purposes, and in at least one case, the Plone Foundation requires all domains to be handed over to them.

The simple solution might be to offer <country code>.CAcert.org (such as br.CAcert.org) or one of our other domains (.com/.net) and ask everyone nicely to refrain from purchasing confusing domains and to request a sub-domain from us instead.

I’m guessing we need to start thinking about official policies on other things as well that might be used against the spirit in which they were originally created.

So you’re a commercial certificate authority and you’re looking to provide an edge over other companies doing the same thing, so why not offer some kind of insurance!

Well that’s exactly what Godaddy has done, they’re offering US$1000 warranty, but it’s the same snake oil warranty that most other CAs offer.

So anyway, Gerv from the Mozilla foundation makes this nice little post to the mozilla news group today about how he couldn’t find out from their website exactly what it covers, so he decides to phone them up and ask them.

Long story short, the comments made by the sales representative says it all:

“Well say, for example, I own www.happycompany.com and I have a Verisign certificate. Then, a fraudster registers www.happy-company.com, gets a certificate from you and rips off my customers. Is that situation covered? Would you pay out?”

“Well, no. You see, we’re not securing you, we’re securing the other guy. You have to be registered with us.”

and this;

“Have you ever paid out under the warranty program?”

“No. It’s really there just to reassure you that it’s a true 128-bit certificate, and to make you feel better about purchasing it.”

I’m really not all that surprised by this I guess, as this is the same snake oil that’s been pushed and marketed all along really.

We had a successful assurance party in Denver, Colorado this evening. Six folks attended, with much mutual assurance and interesting conversation. We’re planning more events soon, so watch this space!

I’ve seen a couple of interesting things lately, firstly a post on one of the mozilla newsgroups explaining how little people are really educated about security in general, and pop-up warnings more specifically, and how it takes a lot of time and effort to get people to actually think before they act when a warning pops up and tries to get some useful feed back.

The story to the mozilla group went along the lines of, user gets windows computer infected, computer literate friend reformats computer and installs zone alarm et al and tells computer user to only click ok on warning messages that pop up directly after you run a program. Computer user gets re-infected and computer friend asks but didn’t you use zone alarm correctly, to which the computer user replies “Yes, I clicked ok every time a warning came up”.

Moral to this story is a little education can go a long way, or alternatively just use a Mac or linux and problem solved.

Next up a link just sent to me about an online banking server (within a server farm) in New Zealand that was transmitting an expired certificate for about 11 hours, after trawling through their logs they found, out of 300 users that potentially received pop-up warnings, only 1 user refused to continue using the website. The bank in the article tried to down play to incident, saying that most people possibly saw that the warning was for an out of date certificate and the users correctly assumed very little was wrong. I think the paper doing the article should have really gone to town berating both the bank for letting this happen and for the end users, while correct this time, for simply clicking through a warning. With all the phishing scams, and people being stupid enough to let themselves get ripped off left, right and center you’d think the rest of society would have gained a clue by now, but that just doesn’t seem like it’s going to happen any time soon with all the manually user installed viruses doing the rounds.

In reality this is nothing new, after all the people that get infected time and time again generally don’t care, and this will continue to happen until they’re forced to care, usually when they loose their bank/credit card information to some scammer, then they will be screaming blue murder about how they weren’t protected when in actual fact they’re not pro-actively doing enough to protect themselves. People pro-actively protect themselves in their day to day lives from mugging (ie not walking down a dark alley in the middle of the night), it’s just a pity the analogies don’t quite transfer though I guess. Actually the internet equivalent here is having a policeman on the alley saying I wouldn’t go any further if I were you, and they keep going anyway.

While I had heard about the frog and the scorpion story in the past, I didn’t realise the analogy with the current CA/browser summit occurring shortly. I’ve been throwing out some mailing list posts to the mozilla groups as well as some private emails trying to gain more information about who’s going to be attending, how open and freely the information will be after the fact, so on and so forth and I’ve not been given any straight or useful answers to date.

For example I received an email from Steve @ Comodo in response to one of my questions about attendance, his reply was that he wasn’t going to tell me and that it was up to the PR department of companies involved to make this public knowledge. So far I have next to nothing to go on and I’m being told it’s a public relations issue? Either this is a PR stunt to make it look like everyone is doing something about current issues, or there is some pretty major ulterior motives being acted out upon (which leads me back to the story on the frog and the scorpion).

The frog and the scorpion are stuck on a small island in a rising flood, looking at the bank.

The scorpion says, “you know, you could swim to the other bank.” The frog says, no, I can’t see where to go when I’m swimming. So the scorpion says, “well, I’ll ride on your back and tell you where to go.”

No, you’ll sting me, says the frog. “Ah, no, I won’t sting you because it is in my interest to get to the other side. I promise you I’ll not sting you.”

Oh, ok, says the frog, so the scorpion climbs on the frog and off they go. As they are swimming
along, the frog kicking and the scorpion directing, suddenly, the frog feels a burning sensation in his side, and realises that he’s been stung.

Not understanding why the scorpion would sting him when they were only half way across, as the
paralysing freezes his body, he gasps out “Why??”

As the frog sinks under the scorpion, with confusion in his eyes, the scorpion gargles out his last words too. “It’s in my nature…”

I will mention here I don’t think “everyone” is out to get us, or that anything they can cook up will effect us, but it just flys in the face of what F/OSS and in turn what the Mozilla Group is supposed to stand for, that is open source and being able to see the code to see if there is any security issues, why aren’t their other policies on this matter so liberal? After all aren’t they supposed to be looking out for the interests of their community first, how can the community at large make any kind of informed choices/decisions if people in the Mozilla Foundation aren’t forth coming with what I’d consider fairly important information about what may effect all their users in future.

An announcement came through on the mozilla security newsgroup by Gervase Markham, who is a developer with the mozilla foundation, that there will be a meeting on the 17th of this month in NYC, with most of the major CAs, browser vendors and other interested parties (note at no point was an invitation ever extended to myself or CAcert as an organisation).

Now I have no reason to believe there is anything sinister about Gervase’s motives, however I long since worked out, most vested interests in better protecting people’s security and privacy only stem from what they stand to gain from it, or in some cases what they stand to not loose such as their freedom from being sent to jail for corporate corruption and scandals.

So we must ask ourselves what does a bunch of CAs and browser vendors stand to gain from better identifying users on the internet? In mozilla’s case they stand to potentially increase the browsing experience for their users, but why would a commercial CA instigate these proceedings?

In any case, Gervase’s post to his website on his thoughts are worth the read.

Sent in to me by Gary —

I am interested in computer security. I have been ever since I worked at what was Coopers & Lybrand in their Computer Audit Assistance Group in the 1980’s. Their have been at lot of changes since then, but I think there are a couple of areas were we have not made much progress.

We have virus checkers and we have spam checkers. Microsoft has improved security so much that popular humor columnist Dave Barry wrote that with their security features enabled, it was impossible to either send or receive email. Security for the “corporate” environment has improved, well at least the entire mail system is not being shut down these days by script viruses, but no one is looking out for the needs of the small business and home user.

I have the ability to send digitally signed and encrypted email. I have had it for years. Every year, I test it to make sure I still know how to use it. I thought, maybe, if I used a secure method to identify myself, people might not be afraid to open my emails, but hardly anyone uses digital signatures or encryption. When we check our email, we are told we only open mail from entities you trust. We trust what we see. Despite the fact that we are told how easy it is to generate fake emails.

The protections against Identity Theft and fraud are a joke. Last month in the Boston Globe, two reporters wrote how they forged each others identity and had fraudulent credit cards in days.

There are computer security and identity mechanisms which can be used to help protect us. I wish people would start using them.

There are quite a few firms that offer help in these area. My opinion is that, unfortunately, most of them are more interested in exploiting computer security for profit than in making computers more secure. The same goes for identity theft. Until we get financial institutions more interested in protecting our identities than in how many new cards they can issue, we are in trouble.

Wide spread adoption of computer security and identity management is required and that is not going to happen unless there are some major changes.

There are a few organizations that are trying to promote a more “trusted computing” environment.

There is the free thawte web of trust at http://www.thawte.com/wot/ for acquiring personal email certificates.

There is a more extensive effort by the folks at CAcert.org. They offer free digital certificates for a variety of purposes. I was certified by a member of their board of directors. I am a Notary Public in Massachusetts. In my opinion, CAcert’s free certification process is just as valid as the State of Massachusetts.

I have looked into getting certificates from other sources, however, when they tell me its $400.00 (or $600 or more) per year I don’t pursue it, but their certification and approval process is basically the same. And I am pretty sure the person who would approve me, is sort of like me, but with a few more restrictions on what he could do. Restrictions like if the payment clears and the person has no outstanding felony warrants in the local police jurisdiction, he gets a certificate. So what, he also wants to take flight lessons (but just for taking off, landing is not necessary), that’s not my problem.

Quite honestly, given the shafting the public has gotten from such corporate stalwarts as Enron and Worldcom, I am more inclined to trust the little guys.

When I worked at Coopers and Lybrand (PriceWaterhouse Coopers in its current incarnation) I worked on a little project evaluating a manufacturing software package for its security features. As it turned out, my assessment got me into hot water. Another Coopers office called the partner in charge of my unit and said, what is this guy trying to do? We want to do business with these folks and we can’t have one of our staff members saying that “one of the primary security concerns for this package is that it be properly installed and administered”. I should say, for the most part, I saw a lot of good work done at Coopers; however, there were instances where I thought they could be investigated under the Racketeer Influenced and Corrupt Organizations (RICO) act.

There are legitimate concerns about the security mechanisms I am alluding too. But way to often, I think we are just nitpicking.

I remember reading this in the ACM’s February 2002 Forum. “Hello World Gets Mixed Greetings”. A teacher puts forward an example of a first programming assignment, and generates a lot of controversy. The example program took around 10 lines of code, the comments explaining its deficiencies filled up pages. It’s a first assignment, not OOP in a nutshell. Unfortunately, this is a good example of what you can expect from your colleagues.

I think the computer security world should shift its focus from trying to get it perfect, to getting people to use start using existing technologies and to committing to be responsive to needed changes.

The benefits of using the existing technologies outweigh the potential cost of them being exploited. There are billions of dollars being lost in fraudulent transaction every year with existing safeguards, but if we believe we will totally prevent fraud, we are sadly mistaken.

I hope the folks at www.CAcert.org are successful. I hope that someone stops the folks who have sent me hundreds of emails offering penis enlargement. I hope we come to our senses and realize that we can’t trust the FROM field in our emails and that all of our lives would be easier if all computer code was signed and that we could have assurance that the developers identity could be verified.