Domains with CAcert in them.

A question came up the other day: what policy do we have about third parties registering domains that contain the word “CAcert”? In the past few days I have learned of a few more such domains, either registered or applied for, and while I assume (hopefully correctly) that most people will do the right thing and point them back to our main website or to localised content and support, there is, as with everything else in life, the potential for abuse.

Up until now there has been a reasonably small risk of anything bad occurring, but as things progress this is something that should be taken seriously, as it will undermine our efforts to market ourselves: unless such sites are labelled correctly they could be mistaken for an official offshoot, when in actual fact the main website is the only site we officially operate.

The Mozilla guys have recently published their trademark policy, and one clause covers domain names that contain Mozilla trademarks.

If you want to include all or part of a Mozilla trademark in a domain name, you have to receive written permission from Mozilla. People naturally associate domain names with organizations whose names sound similar. Almost any use of a Mozilla trademark in a domain name is likely to confuse consumers, thus running afoul of the overarching requirement that any use of a Mozilla trademark be non-confusing. If you would like to build a Mozilla, Firefox Internet browser or Thunderbird e-mail client promotional site for your region, we encourage you to join an existing official localization project.

To receive written permission, please download and follow the directions as outlined in the Domain Name License.

There are plenty of examples of other community projects spawning domain names based on the original project’s name for localisation/regionalisation purposes, and in at least one case, the Plone Foundation, all such domains must be handed over to the foundation.

The simple solution might be to offer <country code>.CAcert.org (such as br.CAcert.org), or the equivalent under one of our other domains (.com/.net), and to ask everyone nicely to refrain from purchasing confusing domains and to request a sub-domain from us instead.

I’m guessing we need to start thinking about official policies on other things as well that might be used against the spirit in which they were originally created.

All in the name of marketing

So you’re a commercial certificate authority looking to provide an edge over other companies doing the same thing, so why not offer some kind of insurance!

Well, that’s exactly what GoDaddy has done: they’re offering a US$1000 warranty, but it’s the same snake-oil warranty that most other CAs offer.

So anyway, Gerv from the Mozilla Foundation made a nice little post to the Mozilla newsgroup today about how he couldn’t find out from their website exactly what the warranty covers, so he phoned them up and asked.

Long story short, the comments made by the sales representative say it all:

“Well say, for example, I own www.happycompany.com and I have a Verisign certificate. Then, a fraudster registers www.happy-company.com, gets a certificate from you and rips off my customers. Is that situation covered? Would you pay out?”

“Well, no. You see, we’re not securing you, we’re securing the other guy. You have to be registered with us.”

and this:

“Have you ever paid out under the warranty program?”

“No. It’s really there just to reassure you that it’s a true 128-bit certificate, and to make you feel better about purchasing it.”

I’m really not all that surprised by this, I guess, as it’s the same snake oil that has been pushed and marketed all along.

Successful Assurance Party

We had a successful assurance party in Denver, Colorado this evening. Six folks attended, with much mutual assurance and interesting conversation. We’re planning more events soon, so watch this space!

Do users care about pop-up warnings?

I’ve seen a couple of interesting things lately. Firstly, a post on one of the Mozilla newsgroups explaining how little people are really educated about security in general, and pop-up warnings more specifically, and how much time and effort it takes to get people to actually think before they act when a warning pops up asking for some useful feedback.

The story posted to the Mozilla group went along these lines: a user gets their Windows computer infected; a computer-literate friend reformats it, installs ZoneAlarm et al. and tells the user only to click OK on warning messages that pop up directly after running a program. The user gets re-infected, and the friend asks “didn’t you use ZoneAlarm correctly?”, to which the user replies “Yes, I clicked OK every time a warning came up”.

The moral of this story is that a little education can go a long way; or, alternatively, just use a Mac or Linux and the problem is solved.

Next up, a link just sent to me about an online banking server (one of a server farm) in New Zealand that was serving an expired certificate for about 11 hours. After trawling through their logs they found that, out of 300 users who potentially received pop-up warnings, only one refused to continue using the website. The bank in the article tried to downplay the incident, saying that most people probably saw that the warning was for an out-of-date certificate and correctly assumed that very little was wrong. I think the paper running the article should really have gone to town berating both the bank for letting this happen and the end users, correct though they were this time, for simply clicking through a warning. With all the phishing scams, and people being stupid enough to let themselves get ripped off left, right and centre, you’d think the rest of society would have gained a clue by now, but that doesn’t seem likely to happen any time soon with all the manually user-installed viruses doing the rounds.

In reality this is nothing new; after all, the people who get infected time and time again generally don’t care, and this will continue until they’re forced to care, usually when they lose their bank or credit card details to some scammer. Then they’ll be screaming blue murder about how they weren’t protected, when in actual fact they aren’t proactively doing enough to protect themselves. People proactively protect themselves from mugging in their day-to-day lives (i.e. by not walking down a dark alley in the middle of the night); it’s just a pity the analogy doesn’t quite transfer. Actually, the internet equivalent here is having a policeman standing in the alley saying “I wouldn’t go any further if I were you”, and people walking on anyway.

Now properly supporting subjectAltName

I’m pleased to announce that we have finally worked out the correct way not only to generate certificate requests with subjectAltName (SAN) extensions, but to have certificates issued with the correct SAN extensions, and this is important for a number of reasons. It took so long to get this implemented correctly because of the poor and misleading OpenSSL documentation on the topic, and because the name used in the RFC (RFC 3280, the X.509 profile) is dNSName, one of the GeneralName choices inside the subjectAltName extension, whereas OpenSSL’s configuration syntax spells the same thing DNS.

At first glance both MSIE and Firefox support SANs correctly, so you can have multiple host names in one certificate, even from completely separate domains, and it simply works. We’re still setting up hosts for a full complement of browser testing, but you’d have to assume that other browsers for the most part also support this feature.

The other thing of note is that multiple commonNames are ignored on certificates: only the first one is accepted and used, so if you want to do anything other than wildcards this is a tad limiting. Someone also sent me a short Perl script that can be used to easily generate valid certificate requests with SAN extensions. I’m also contemplating ignoring multiple commonNames and just issuing certificates for the primary commonName. Note that the commonName is ignored entirely once any valid SAN extension is present on the certificate, so if you want the host named in the commonName to work it has to be listed as a SAN as well (and I’m sure this will catch a few people out).

While this is useful for a single website with SSL, we’re not sure whether Apache or other server software will allow multiple vhost entries to share the same certificate and complete the handshake properly, and neither Apache nor the Mozilla browsers yet implement the TLS extension (Server Name Indication) that would let a server select among multiple certificates for multiple vhost entries. SANs are also highly useful for mail servers known by multiple host names, such as a server with one interface inside a corporate network and another facing outside.
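As an added example (not CAcert’s code, and not the Perl script mentioned above), the following POSIX shell script shows the OpenSSL configuration that produces a CSR and a certificate carrying several dNSName entries, reads the SAN list back out of the issued certificate, and applies the name-matching rule described above: once a SAN is present only the SAN names count, and the commonName is not consulted. The host names under example.org/example.net, the file names and the self-signing step (standing in for submitting the CSR to a CA) are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not CAcert's code. Builds a CSR and a self-signed
# certificate with a subjectAltName holding several dNSName entries,
# then reads the SAN list back. Host and file names are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# OpenSSL config. RFC 3280 calls the entry dNSName; OpenSSL's config
# syntax spells it "DNS:". The CN host is deliberately repeated in the
# SAN list, because clients ignore the CN once a SAN is present.
write_config() {
    cat > "$WORK/san.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = san_ext
prompt             = no

[ dn ]
CN = www.example.org

[ san_ext ]
subjectAltName = DNS:www.example.org, DNS:mail.example.org, DNS:example.net
EOF
}

# Key + CSR carrying the SAN request extension, then a self-signed
# certificate that copies the same extension in (a CA would sign the
# CSR here instead; self-signing keeps the example offline).
make_san_cert() {
    write_config
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/key.pem" -out "$WORK/req.pem" \
        -config "$WORK/san.cnf" 2>/dev/null
    openssl x509 -req -days 30 -sha256 \
        -in "$WORK/req.pem" -signkey "$WORK/key.pem" \
        -extfile "$WORK/san.cnf" -extensions san_ext \
        -out "$WORK/cert.pem" 2>/dev/null
}

# Print the SAN line of a certificate, e.g.
# "DNS:www.example.org, DNS:mail.example.org, DNS:example.net"
san_of() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Name check in the style of RFC 2818: with a SAN present only the
# SAN entries are consulted, never the CN. Exit status 0 when host $2
# is listed as a dNSName in certificate $1 (wildcards not handled).
cert_matches_host() {
    san="$(san_of "$1")"
    if [ -z "$san" ]; then
        # No SAN at all: fall back to the commonName.
        openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2\$"
        return
    fi
    printf '%s\n' "$san" | tr ',' '\n' | sed 's/^[[:space:]]*//' |
        grep -qxF "DNS:$2"
}

make_san_cert
echo "SAN: $(san_of "$WORK/cert.pem")"
cert_matches_host "$WORK/cert.pem" mail.example.org && echo "mail.example.org: matches"
cert_matches_host "$WORK/cert.pem" other.example.org || echo "other.example.org: no match"
```

Running the script prints the three dNSName entries of the freshly issued certificate and then shows that mail.example.org (present only as a SAN) is accepted while other.example.org (absent) is not; the same matching function would reject a host that appears only in the CN of a certificate that carries a SAN.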

We’ll keep our wiki page on this up to date as we learn more, or as new code gets added to browsers etc…

The frog and the scorpion

While I had heard the story of the frog and the scorpion in the past, I hadn’t realised the analogy with the CA/browser summit occurring shortly. I’ve been sending mailing list posts to the Mozilla groups, as well as some private emails, trying to find out who is going to be attending, how open and freely available the information will be after the fact, and so on, and I’ve not been given any straight or useful answers to date.

For example, I received an email from Steve @ Comodo in response to one of my questions about attendance; his reply was that he wasn’t going to tell me and that it was up to the PR departments of the companies involved to make this public knowledge. So far I have next to nothing to go on and I’m being told it’s a public relations issue? Either this is a PR stunt to make it look like everyone is doing something about the current issues, or there are some pretty major ulterior motives at play (which leads me back to the story of the frog and the scorpion).

The frog and the scorpion are stuck on a small island in a rising flood, looking at the bank.

The scorpion says, “You know, you could swim to the other bank.” The frog says, “No, I can’t see where to go when I’m swimming.” So the scorpion says, “Well, I’ll ride on your back and tell you where to go.”

“No, you’ll sting me,” says the frog. “Ah, no, I won’t sting you, because it is in my interest to get to the other side. I promise you I’ll not sting you.”

“Oh, OK,” says the frog, so the scorpion climbs on the frog and off they go. As they are swimming along, the frog kicking and the scorpion directing, suddenly the frog feels a burning sensation in his side, and realises that he’s been stung.

Not understanding why the scorpion would sting him when they were only half way across, as the paralysis freezes his body, he gasps out, “Why?”

As the frog sinks under the scorpion, with confusion in his eyes, the scorpion gargles out his last words too: “It’s in my nature…”

I will mention here that I don’t think “everyone” is out to get us, or that anything they can cook up will affect us, but it just flies in the face of what F/OSS, and in turn the Mozilla Group, is supposed to stand for, that is, open source and being able to see the code to check whether there are any security issues. Why aren’t their other policies on this matter just as liberal? After all, aren’t they supposed to be looking out for the interests of their community first? How can the community at large make any kind of informed choices or decisions if people in the Mozilla Foundation aren’t forthcoming with what I’d consider fairly important information about what may affect all their users in future?

Conference – BSDCan 2005

http://www.bsdcan.org/2005/ May 13-14, Ottawa, Canada. CAcert assurers will be present, enough to get 100 points.

Assurance “mini-party” in Denver, Colorado

A bunch of folks will be getting together for an assurance “mini-party” on May 11 at the SoftPro bookstore in Denver, Colorado, USA. The meeting time is 5:45 PM local time, and directions are available. We’ll be holding a more official assurance party in about a month, stay tuned for details… –stpeter

Improving Authentication on the Internet

An announcement came through on the Mozilla security newsgroup from Gervase Markham, a developer with the Mozilla Foundation, that there will be a meeting on the 17th of this month in NYC with most of the major CAs, browser vendors and other interested parties (note that at no point was an invitation extended to me or to CAcert as an organisation).

Now I have no reason to believe there is anything sinister about Gervase’s motives; however, I long ago worked out that most vested interests in better protecting people’s security and privacy stem only from what they stand to gain from it, or in some cases what they stand not to lose, such as their freedom from being sent to jail for corporate corruption and scandals.

So we must ask ourselves what a bunch of CAs and browser vendors stand to gain from better identifying users on the internet. In Mozilla’s case they stand to improve the browsing experience for their users, but why would a commercial CA instigate these proceedings?

In any case, Gervase’s post to his website on his thoughts are worth the read.

Usergroup – Sage-IE

Andrew Barnes (and possibly one other assurer) will be assuring people at the “School House Hotel” (http://www.schoolhousehotel.com/) following the monthly Sage-IE meeting. This will be held on Tuesday evening, 10th May 2005, starting at approximately 20:30 and running until around 22:00.

Sufficient points can be allocated to automatically entitle you to become an assurer yourself!