Author Archives: Duane

Outage Notification

We are in the final phase of testing the new server and will be moving services tomorrow. There will be an outage starting at about 3PM GMT, potentially lasting several hours, while data is synchronised between servers and we make sure everything works before letting things go live.

This outage will affect the primary server and its services only; the mailing list, wiki etc. will not be affected, as these were already transferred previously.

We apologise in advance for any inconvenience this may cause; however, this should finalise the changeover and restore all services currently not working.

An announcement will be made once everything is working again.

Eye spy with my little eye…

Everywhere I look lately I see a post about EV (extended verification) certificates. The articles against them are more or less pointing out what others and I have posted in the past, or a watered-down version of it.

All the articles for EV certificates keep pushing the same line, that they will prevent phishing, but this will only be prevented for the top 1 or 2 sites at most. I guess these are the easiest for Verisign to exploit for cash: the company “thinks” it’s getting a good deal and Verisign gets a fat bank account, win win, right?

Wrong. The end user will still be paying the piper, because this isn’t a real solution for all the sites everyone is likely to visit. Everyone visits a multitude of sites for pleasure and business, and the latter is the important bit here: if we are going to a variety of sites, and most smaller businesses still don’t sign up to the emperor’s clothes argument, either for pragmatic reasons or due to their ideological views on the topic, then users will still associate white or yellow = OK, green = OK, so white or yellow must be pretty much the same as green, and we’re all back to square one.

In the meantime browsers are wasting the precious seconds of attention some people pay to security issues, and instead of guiding people towards real solutions that can be applied to all sites, the browsers are selling snake oil to everyone (yet again).

Mozilla and co claim this is for their end users, but I seriously must question this motive and look to past examples of what motivates the Mozilla Foundation. Things seem awfully like every other large entity out there: the almighty buck.

The reason I state this is because of past deals with Google, but more recently, when the same metrics Mozilla pushes on other developers weren’t pushed on Verisign, nor any research conducted, nor anything remotely like a conclusive statement made about how this will help anyone beyond Verisign, what are we left to conclude?

I guess what others have told me is true in some sense: Mozilla wasn’t really in the browser business because of security, but because they are a browser, and one that seems to be getting steadily worse with each release.

My advice to everyone is to take an ideological stand and unequivocally refuse to buy these certificates. Furthermore, people should scream from the rooftops that we want real security solutions, not half-baked ideas to lock everyone into certain certificate authorities that are trying to reinvent the locks that have held the SSL market for the past 15 years.

Don’t buy into yet another lame duck!

SCALE 2007

Bigger and Badder! The Fifth Annual Southern California Linux Expo is coming! It will be February 10-11, 2007, at The Westin Los Angeles Airport. Due to year over year growth, we’ve moved the Expo to a new location which will allow us to expand. We’ll have more speaker tracks, and more tutorials designed to show users of all skill levels what Open Source can do. And SCALE 5x will offer more booth space for those interested in showing how they have made Open Source work for them. You will again be able to find assurers in attendance this year.

Potential system down time

Over the coming weeks, CAcert will be moving its systems from our current co-location in Sydney, Australia, to hosting over multiple sites in both the Netherlands and Austria.

During the migration, there will almost certainly be some outages of various services, ranging from a few minutes to a few days, as we undertake this mammoth task. We hope to minimise all disruptions, and priority will be given to mission-critical infrastructure such as the OCSP responder and the CRLs.

Updates on the migration, and as much advance warning of any downtime as possible, will be posted to the CAcert website and, where possible, also to the cacert-users mailing list.

I would like to extend a personal thank you to everyone for their dedication and continued support for CAcert.

Early in the new year, the legal entity CAcert, Inc. will be having its annual general meeting; a formal announcement of the date and notice of the meeting will be published soon.

Mozilla, Opera and co only tout open standards as it suits them

With the advent of the CABforum as a trade group for commercial CAs, designed to keep out everyone who isn’t looking to make a big buck out of others, you’d think the browsers, with their cries of standards and openness so they don’t get locked out by Microsoft, wouldn’t be so quick to jump on this bandwagon, but the complete opposite is true.

So what should we do as users? Well, as one person pointed out, they plan to boycott all Microsoft products that contain additions supporting EV certificates, but we can do much more than that. Remember, the only ones to benefit from this are large commercial CAs such as Verisign, and browsers via kickbacks, although it seems Verisign has spun this so well they won’t need to pay anyone a cent.

This will affect the 99% of small (or even medium-sized) businesses that can’t justify spending the big bucks to get EV certificates; it will affect partnerships, sole traders and in most cases even universities. If you ever expect to get an EV cert and you’re not a bank or big company, well, forget it: even if you had the money to cover it, the standard is set so high that you wouldn’t be eligible in any case.

If you ever thought of running a business over the internet, now is the time to have your say; otherwise it could be too late to voice an opinion.

EV certs are being touted by Microsoft as preventing phishing, but as so few phishing attacks utilise SSL at present, this claim is laughable at best.

Verisign Extended Verification Certificates

Of late Verisign has been heavily pushing a new initiative for extended verification certificates, going so far as to be on record criticising Mozilla for not keeping up with security innovations that Microsoft has already implemented. To give this some context, EV certificates are similar to the Class 3 certificates CAcert issues, minus the huge price tag.

While we applaud the effort to unify the procedures and processes CAs employ, we feel things have been heavily slanted towards commercial certificate authorities, so much so that it seems to be more about keeping a stranglehold on the market, and the price tag that comes with it, than about any actual improvements in security that end users might enjoy.

As a result, there are a number of flawed assumptions being pushed that can only be seen as helping Verisign’s bottom line, not end users, and while I can understand Microsoft’s motivations for accepting Verisign’s recommendations so openly, one must start to question Mozilla’s motives for even contemplating doing the same.

Now, if this was truly to help users, surely we would hope for widespread adoption, but this won’t be the case; even Verisign expects that 99% of sites will stick with the status quo. This becomes even more interesting when you take into account how this will be, or is, implemented in browsers.

Currently Firefox turns the URL bar yellow when the site is secured with SSL; with EV certificates the URL bar will turn green. This is supposed to indicate that the site is great and super and should be implicitly trusted, but if most sites are yellow, users will tend to associate yellow as being just as good as green. We’ve seen this behaviour in the past with people simply clicking through any popups, which occur far too regularly, so people end up clicking without even reading them.

CAcert was aware at the time of discussions that occurred between most or all browser vendors and some certificate authorities; however, when we asked to participate our requests largely fell on deaf ears.

The bigger problem here is with the Mozilla Foundation itself. Well over a year ago, there were university-trained researchers falling over themselves to help out the Mozilla Foundation; they had conducted real studies into how to improve the browser experience and ways to help users detect fraudulent websites. The Mozilla Foundation basically snubbed the researchers and their efforts at creating proofs of concept in the hope of having their research used for the benefit of everyone.

The research has since been incorporated into toolbars by HP and others for Internet Explorer.

It makes you wonder how much research Verisign and others have completed to back up their claims that this will help users.

This is yet another example of people being told what they need to be safe when it’s most likely not going to do anything except convince businesses to spend more money with Verisign. So again I’m left wondering why the Mozilla Foundation is entertaining this current push by Verisign, which locks out competitors and has little or no benefit for users and businesses in general, even though helping users is the excuse being used for why this is needed.

Looking for an event co-ordinator

We are currently looking for someone to volunteer as an events co-ordinator. This role will entail at least the following responsibilities:

  • Take upcoming event notices and publish them to this blog
  • Co-ordinate with high-visibility events to get table space and volunteers to attend
  • If funding is needed for travel or materials, you will need to put a justification to the board to approve the funding

I’m sure there are more skills needed, and we’re not sure how much time is needed to deal with all this.

Time for people to stop using SORBS

I, like many others, thought the DUL list SORBS keeps was a good idea, that is until today.

Today I noticed a lot of bounced emails (please note I’ve had servers in the colo working fine for the past 9 months and they’ve never relayed spam or anything) and realised they’d added a subnet block I had to their list, so I went ahead and asked for it to be removed, and they denied my application simply because the reverse lookup on the IP appears to be dynamically allocated.

So I appeal to everyone to tell them to knock off this ridiculous practice, especially when asked to remove IPs from the ranges.

Actually, it’s getting to the point that RBLs are uselessly populated with false positives, so really, is there any point in using them any more?

Is there a Moore’s Law for Certificates?

The issue of statistics came up again today (as it does from time to time). Currently CAcert is experiencing linear growth rates both in the number of certificates issued each month and in the number of new signups. Assurances tend to be a bit spiky, depending on how many conferences are attended.

In any case, the number of certificates issued has more than doubled in the past 10 months (about May last year is the halfway point), so one must wonder where things are headed if the same trend continues.

Some quick stats for people: at about the beginning of this month we issued our 100,000th certificate, and at about the same time we had our 50,000th signup, and by this time next year we could easily have more than double both those numbers.

SCALE – Southern CALifornia Linux Expo

The 4th Annual Southern California Linux Expo is being held this weekend (11th and 12th of February) near LAX airport, and there will be assurers in attendance manning a booth for both days.

For more information please visit their website or contact Russ.