
What Would It Take To Have Open CA Authorities?

ScuttleMonkey posted more than 6 years ago | from the sounds-like-vc-pitch-time dept.

Security 529

trainman writes "With the release of Firefox 3, those who have been using self-signed certificates for SSL now face a huge issue — the big, scary warning FF3 issues which is very unintuitive for non-technical users. It seems Firefox is pushing more websites into the monopolistic arms of companies such as Verisign. For smaller, especially non-profit groups, which will never have issues with domain typo scammers, this adds an extra and difficult-to-swallow cost. Does a service such as this need the same level of scrutiny and cost since all that is being done is verifying domain and certificate match? This extra hand holding adds a tremendous cost and allows monopolistic companies such as Verisign to thrive. Can organizations such as Mozilla not move towards a model that helps break this monopoly, helping establish a CA root authority that's cheap (free?) and only links the certificate to the domain, not actual verification of who owns the domain?"


CACert (5, Informative)

Anonymous Coward | more than 6 years ago | (#24246121)

try it....

Re:CACert (5, Informative)

zerOnIne (128186) | more than 6 years ago | (#24246163)

Seconded. Go here [cacert.org].

Re:CACert (3, Informative)

Anonymous Coward | more than 6 years ago | (#24246175)

Which doesn't answer the question as their certificate isn't supported in Firefox.

Re:CACert (4, Informative)

rufus t firefly (35399) | more than 6 years ago | (#24246257)

It isn't *included*, but it's definitely *supported*. Just go here [cacert.org] with Firefox to install their root cert.

Re:CACert (5, Funny)

pablomme (1270790) | more than 6 years ago | (#24246471)

Or even better, go here [cacert.org], since the above address is an https and Firefox won't accept its self-signed certificate.

Re:CACert (4, Insightful)

LordKronos (470910) | more than 6 years ago | (#24246577)

Which does absolutely nothing to stop scaring visitors of your website. We need something that is accepted by default.

Re:CACert (2, Informative)

sakdoctor (1087155) | more than 6 years ago | (#24246195)

The cert isn't included in any browser you are likely to use.

Re:CACert (1)

john83 (923470) | more than 6 years ago | (#24246275)

Why not? Surely Mozilla should have a few recommended free options supported out of principle?

Re:CACert (4, Insightful)

squiggleslash (241428) | more than 6 years ago | (#24246397)

No, it shouldn't.

All CACert does is verify that you have control of the domain name you're trying to get a certificate for before issuing a certificate. That means that you can, with CACert, register something like "citicardbank.com" using throwaway fake information, put up a phishing website, get a certificate for it, and look perfectly legitimate to anyone you phish, without any of your victims ever being able to find out who you were. It doesn't, of course, have to be phishing. It could be "discountjewelryandelectonics.com", with you raking in the "orders" and running away with the cash, again with nobody able to find out who you are.

Given the general security principle, espoused by most web browser makers, of "Trust nobody unless it's a secure connection, and even then be careful", it makes no sense for Mozilla, Opera, or Microsoft to encourage the use of unaccountable certificates. CACert is fundamentally a bad idea, at least with the current implementation of most web browsers. The only way to make it acceptable is for the user to be warned every time they visit a new website with a certificate signed by an accountability-free CA.

And given it's the warnings the submitter is whining about, well, what's the point?

Re:CACert (3, Insightful)

Bryansix (761547) | more than 6 years ago | (#24246635)

Uhm, I sincerely doubt that Verisign actually makes you go in person to an office and fingerprints you and checks your Driver's License and gets a DNA sample. And since that's the ONLY real way to verify someone is who they say they are then Verisign can provide certificates to people running the same damned scam! Verisign offers no real value. It's all a scam they run for the perception of value added.

Re:CACert (3, Insightful)

Illbay (700081) | more than 6 years ago | (#24246647)

...it makes no sense for Mozilla, Opera, or Microsoft to encourage the use of unaccountable certificates.

Well, then O-B-V-I-O-U-S-L-Y you're in favor of evil "monopolies like Verisign," of which there are, of course, several (which means they're not "monopolies" at all, then, but since we just want to say "they're mean and charge too much money," why quibble?)

Re:CACert (4, Insightful)

cbreaker (561297) | more than 6 years ago | (#24246653)

Verisign and friends aren't much better. They have given SSL certs to all kinds of scammer or ridiculous domain names in the past, and continue to do so.

Trusting that companies like Verisign are doing the right thing is no better than doing nothing.

Re:CACert (2, Informative)

noa (4909) | more than 6 years ago | (#24246675)

No.

I have bought a few "commercial" certificates from vendors in a capacity as consultant, and I use cacert certificates for my private work and their verification of domain is very similar. You need to have access to the email sent to at least one official looking email address associated with the domain in question (you may choose from a short list of names like root@domain, hostmaster@domain, postmaster@domain etc.)

In other words, you couldn't get a cacert certificate for a domain you can't read the email for. The security of the process is not perfect, but it is no worse with cacert than it is with the other certification authorities.

Re:CACert (4, Informative)

mindstormpt (728974) | more than 6 years ago | (#24246699)

Actually you can only get a certificate from CACert if you've been assured with enough points, and that's only supposed to happen after in-person ID verification by multiple members. The certificate includes the verified identity of the member, or the organization if that's the case.

You can debate if this web of trust model is acceptable, but it's been used by Thawte for some time now, and its certificate is included in every browser.

What about (-1, Redundant)

Anonymous Coward | more than 6 years ago | (#24246153)

CACert (http://www.cacert.org/)?

W3? (1)

Van Cutter Romney (973766) | more than 6 years ago | (#24246157)

Can't the World Wide Web Consortium [w3.org] take over the job? Of course, Verisign will be all against it as it breaks their monopoly ...

Re:W3? (1)

bluefoxlucid (723572) | more than 6 years ago | (#24246717)

Verisign does not have a monopoly. It has a niche market in banks though.

Facebook uses Equifax.

Myspace self-signs.

Many small, independent ecommerce shops use SecureTrust or GoDaddy.

Not the first one... (5, Interesting)

bradgoodman (964302) | more than 6 years ago | (#24246177)

I have been using PayPal for many years for automatic payment processing on my web site for shareware I sell.

When Google Checkout came along, I figured I'd accept that too - so I started doing scripts on my web site to take Google Checkout payments.

This came to a screeching halt when I realized that Google Checkout payments (or at least automated CGI processing of them) would only be done through web sites with SSL certificates signed by one of the "Major Authorities".

I wasn't willing to shell out $100 (about half my yearly profit!) for the stupid certificate.

This FF3 problem is even worse - if you use SSL, your web browser would be screaming to your end-users that you're probably dealing with some hokey-untrusted individual!

Let's just say that in any respect, I won't be having any little buttons on my site recommending that people use Firefox...

Re:Not the first one... (0)

Anonymous Coward | more than 6 years ago | (#24246237)

It is silly to pay $100 for a signed certificate... you can obtain a certificate from many companies for less than $25/yr.

Re: Counter to "Recommend Firefox" (0, Flamebait)

TaoPhoenix (980487) | more than 6 years ago | (#24246253)

Anyone know the IE status on this? Did they buy themselves out of a warning, or some such? It's totally down Microsoft's alley to trick Firefox into screaming "LittleGuy.com suxxors t3rr0rIsts" while IE cruises along, users shrug and say "uhh... well, works for me when I use MS..."

Re: Counter to "Recommend Firefox" (1)

ivan256 (17499) | more than 6 years ago | (#24246563)

IE has the same problem. In fact they were first to the table with the over-the-top warning.

It's especially hard on vendors who sell browser-based applications which run locally. The customer wants SSL, even on their local network, and even for non-sensitive data... But then they go to their local machine and get a big warning from Firefox or IE that their connection is insecure... But they don't want to pay for a certificate.

I assumed Microsoft did it to reduce competition for native and .NET apps from browser based apps, but I don't know what Mozilla's reasoning is... Just to copy IE, maybe?

Re: Counter to "Recommend Firefox" (1)

vamidus (920823) | more than 6 years ago | (#24246619)

IE 7.0.5730.13 Shows a drawbar on top with a Blue Shield and a pink page: Content was blocked because it was not signed by a valid security certificate. For more information, see "Certificate Errors" in Internet Explorer Help.

Re: Counter to "Recommend Firefox" (1)

jonbryce (703250) | more than 6 years ago | (#24246649)

IE's warning is, if anything, even more scary. It does, however, let you override it after clicking through a few warnings saying it isn't a good idea.

Re:Not the first one... (2, Insightful)

hedwards (940851) | more than 6 years ago | (#24246475)

The problem is the warning and it should really be changed. These sorts of certs do not guarantee the identity of the parties involved, they just make it difficult to impossible to eavesdrop. There isn't any reason why the key couldn't be stolen or misappropriated.

I definitely sympathize with you, paying that kind of fee is kind of ridiculous. Which is why I do not have one. But really the issue is that Google and the other companies want reliable certs and they're not going to accept all of the certs. If a smaller authority is reliable the only issue is keeping track of them to make sure that's still the case and adding them.

I'd definitely consider asking them about it, especially since it's causing them to lose smaller stores about it.

FF3 is right (2, Interesting)

duffbeer703 (177751) | more than 6 years ago | (#24246551)

This FF3 problem is even worse - if you use SSL, your web browser would be screaming to your end-users that you're probably dealing with some hokey-untrusted individual!

If you're not willing to lay out as little as $15 for an SSL-Cert that will work on FF3, you are a hokey, untrusted individual!

Re:Not the first one... (2, Informative)

nine-times (778537) | more than 6 years ago | (#24246559)

I wasn't willing to shell out $100 (about half my yearly profit!) for the stupid certificate.

It's not quite as bad as all that. Namecheap offers "RapidSSL" for $13 a year. They even have a deal [namecheap.com] where you can get a free SSL cert with registration or transfer of a domain. Still, yeah, SSL certificates are kind of a racket.

Re:Not the first one... (1)

Qzukk (229616) | more than 6 years ago | (#24246591)

some hokey-untrusted individual!

How do we know that you're not? How do we know that you didn't forget to renew your domain and now some hokey-untrusted individual is running your site for you (or that your domain got stolen out from under your nose?) How do we know that our ISP didn't forget to patch their DNS servers and that I'm not getting a copy of your site on hokey-untrusted individual's server thanks to a cache poisoning attack?

I contend that your site is hokey-untrusted.

I realized that Google Checkout payments (or at least automated CGI processing of them) would only be done through web sites with SSL certificates

Or you could have them pay through google's site, sure it's not exactly professional-looking but it beats expecting people to send their credit card details to some hokey-untrusted site.

This FF3 problem is even worse

As for FF3, I think they are a little overboard with the current dialog boxes. They should just state 1) That the site's owner cannot be verified automatically, 2) That the connection is still encrypted but due to 1 you don't know who is reading it, and 3) Don't provide any credit card numbers or secure information without manually validating the fingerprint of the certificate through some other means.

Yeeeeaah! Cheap mothers. (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24246179)

Fr1s7 P507

Certification crap (1, Informative)

Anonymous Coward | more than 6 years ago | (#24246181)

First of all, what does this certification crap prevent?

I go to randommalwaresite.com, I get a certificate for randommalwaresite.com!

HURRAY!! Everybody is happy. WTF?

Re:Certification crap (3, Informative)

qbwiz (87077) | more than 6 years ago | (#24246279)

First of all, what does this certification crap prevent?

I go to randommalwaresite.com, I get a certificate for randommalwaresite.com!

AFAIK, I believe it prevents man in the middle attacks from happening:

You go to mybank.com, but you actually access randommalwareip, which gives you a phony certificate from mybank.com.

Yup Folks (-1, Troll)

Anonymous Coward | more than 6 years ago | (#24246187)

Firefox now sucks!

I've experienced this myself. (4, Interesting)

vidarlo (134906) | more than 6 years ago | (#24246201)

I run a small Norwegian forum, and we use SSL. Since our income is around 100USD a year, which is donated by members, it would be very unfair to spend all of that on an SSL cert. However, how can one explain that there is no security risk involved in creating an exception when the browser so fiercely states that it is a huge security risk? It would be better if you just got a warning like "This site is probably not your bank"...

Re:I've experienced this myself. (4, Informative)

duffbeer703 (177751) | more than 6 years ago | (#24246569)

In your case, it's probably appropriate to ask your users to add CACert or a self-signed certificate to their browsers. This isn't rocket science.

Re:I've experienced this myself. (1)

JustOK (667959) | more than 6 years ago | (#24246659)

but it's close to racket science

I doubt it will happen. (1, Insightful)

LWATCDR (28044) | more than 6 years ago | (#24246211)

SSL certs are a great source of revenue. Why would someone want to make a free one?
To create a free one you would have to get Microsoft to agree. They would never do that for say Mozilla "which would be a logical choice to do this."
I don't think Microsoft would do it for Google.
It is a way to print money. I wonder just how much revenue Microsoft and or Mozilla get from the different CA root Authorities?

Re:I doubt it will happen. (2, Insightful)

Anonymous Coward | more than 6 years ago | (#24246299)

Well considering Mozilla don't trust the windows root certificate in their browsers (and more annoyingly ignore the certificate store in Windows itself in favor of their own alternative) why would MS bend over for them?

Re:I doubt it will happen. (1)

Richard_at_work (517087) | more than 6 years ago | (#24246433)

I wonder just how much revenue Microsoft and or Mozilla get from the different CA root Authorities?

Not a lot, it would seem:

How much does the program cost?

Microsoft does not currently charge for the Root Certificate Program. However, there is a material cost to CAs payable to an assessor associated with meeting the annual audit requirements. The CA is solely responsible for, and shall bear all financial and other costs and obligations associated with, meeting the requirements of the Program.

From Microsoft Root Certificate Program [microsoft.com] .

Re:I doubt it will happen. (2, Informative)

bigtangringo (800328) | more than 6 years ago | (#24246691)

I wasn't involved in the auditing process when the company I worked for started its CA, but I believe that assessor is WebTrust. The fees are... significant; as are the physical and technical security requirements.

CA signed certificates aren't quite a license to print money, but almost.

Complying with SOX, PKI, and PCI security requirements all at the same time was an interesting experience.

http://cert.startcom.org/ (1, Informative)

Anonymous Coward | more than 6 years ago | (#24246213)

or create your own CA with a link on the http site to install that root cert on the browser.

A difficult and hard to swallow cost? (3, Insightful)

blowdart (31458) | more than 6 years ago | (#24246217)

$27 a year? (GoDaddy) $50 a year? (InstantSSL) etc.

Sorry, but if an organisation can't swallow around $50 a year then they have more serious problems than wanting SSL.

Re:A difficult and hard to swallow cost? (5, Informative)

cstdenis (1118589) | more than 6 years ago | (#24246315)

Don't buy from GoDaddy. There are better and cheaper alternatives.

$14.95 - http://www.rapidsslonline.com/rapidssl-certificates.php [rapidsslonline.com]

And unlike godaddy that one is not a chained cert.

Re:A difficult and hard to swallow cost? (1)

jagilbertvt (447707) | more than 6 years ago | (#24246573)

Not that I need an SSL cert at the moment, but I'll have to remember these guys next time I order one!

Re:A difficult and hard to swallow cost? (0)

Anonymous Coward | more than 6 years ago | (#24246421)

www.rapidsslonline.com $14.95/year

It would take.... (1)

nawcom (941663) | more than 6 years ago | (#24246219)

someone with a stuffed wallet. They essentially would have no more room in their pocket to earn money from people who simply want credentials on their verified, secure web site. Unfortunately that isn't happening soon.

Re:It would take.... (2, Funny)

just_another_sean (919159) | more than 6 years ago | (#24246587)

someone with a stuffed wallet. They essentially would have no more room in their pocket to earn money from people who simply want credentials on their verified, secure web site. Unfortunately that isn't happening soon.

Sounds like a job for Shuttleworth [markshuttleworth.com] then!

Try Godaddy (3, Informative)

tedhiltonhead (654502) | more than 6 years ago | (#24246221)

Godaddy has a very simple SSL cert option that only validates that the certificate issued matches the domain registration info, which is super cheap.

Re:Try Godaddy (0)

MindStalker (22827) | more than 6 years ago | (#24246319)

Yes, everyone shares a SINGLE cert, you will only get full validation if you form your URL like https://yoursite.godaddy.com/ [godaddy.com] or whatever it is that godaddy offers you. Otherwise your visitors get a warning that this cert isn't for your site.

Re:Try Godaddy (2, Informative)

bigtangringo (800328) | more than 6 years ago | (#24246463)

Sorry, but you have no idea what you're talking about.

GD gives you a full blown SSL cert that works just like what you would get from Verisign.

$30 for a standard cert, $200 for a "wildcard" cert which lets you SSLize all your subdomains.

Re:Try Godaddy (2, Informative)

jagilbertvt (447707) | more than 6 years ago | (#24246469)

Untrue.

You can get a chained cert for very cheap from godaddy (and others) that will use your own domain name (www.yoursite.com).

Re:Try Godaddy (1)

tukang (1209392) | more than 6 years ago | (#24246523)

Yes, everyone shares a SINGLE cert, you will only get full validation if you form your URL like https://yoursite.godaddy.com/ [godaddy.com] or whatever it is that godaddy offers you. Otherwise your visitors get a warning that this cert isn't for your site.

Not true, you can get your own cert: https://www.godaddy.com/gdshop/ssl/ssl.asp?ci=8979 [godaddy.com] ... although I don't know why anyone would get anything through GoDaddy

No (5, Insightful)

squiggleslash (241428) | more than 6 years ago | (#24246225)

One entire point of SSL is to ensure that the user can trust the site they're connecting to. If I register citicardbank.com, my inability to get an SSL certificate for it without being traced by my phishing victims severely undermines my ability to rip people off.

The only way to get what you're asking for is to get a secondary protocol, somewhere between HTTP and HTTPS, that would provide privacy for the communication link but wouldn't promote the notion that the end domain is what it says it is. Whether such a thing is a good idea is open to question, even if it is desirable.

If push comes to shove, the only problem with the present regime is that it's expensive. There's increasing amounts of competition in that space, so you should expect prices to come down over time. Wait. .com domain names once cost more than what many SSL certs do today.

Re:No (1, Informative)

Anonymous Coward | more than 6 years ago | (#24246341)

Counterpoint:

I basically run the IT division for our organization. If we purchased for-sale SSL certs it would cost us thousands of dollars per year on something that I can generate, for free, for the various secured services we provide (both internally and externally) for the employees of this organization. There's simply no reason to do so, especially when the reason for the SSL cert is for the sole purpose of encrypting traffic between client and server.

Instead, we use a self-signed CA cert and deploy the public part of the CA cert to all machines that use the services. That way, even Firefox 3.0 doesn't care. I don't see why you couldn't provide a similar service where you could make the site's self-signed CA cert available before signing into the SSL-encrypted part of the site.

Re:No (1)

QuantumRiff (120817) | more than 6 years ago | (#24246481)

I agree.. People seem to think the problem is getting one or two certs. I would need 12 (off the top of my head) and have to keep track of them, their expiration dates, etc, just so that traffic between people working at home or on the road, and some of our servers is encrypted. (like webmail) I would love to see a solution more like DNS. I get a Cert for my domain from the root. Then, I can issue sub-certs for my systems. IE, the client goes to the root, finds contoso.com, then goes to contoso.com, authenticates, then asks for "webmail.contoso.com"'s cert, etc. Self signed by contoso.com, but totally valid.

Re:No (1)

duffbeer703 (177751) | more than 6 years ago | (#24246607)

In an enterprise environment, you have the option of setting up your own CA, which is much better than just generating BS certs that are essentially meaningless.

Re:No (5, Insightful)

squiggleslash (241428) | more than 6 years ago | (#24246483)

First of all, that's not in any way, shape, or form, a counterpoint.

Are you using different top level domains for all your systems? Because if you're not, you should be able to make do with a wildcard SSL certificate, which generally runs to a few hundred dollars per year, not $1,000. Just saying.

In any case, your particular set of circumstances means you have control over who would need the self-signed certificates. In particular, you can legitimately create a CA of your own and import its certificate into the web browsers of your users, because that CA (you) is accountable to you and your users.

This is very different from someone outside of the organization trying to get "secure access" to your systems, not knowing for sure that they really are connecting to you (and not a typosquatter.)

Re:No (0)

Anonymous Coward | more than 6 years ago | (#24246427)

>There's increasing amounts of competition in that space, so you should expect prices to come down over time. Wait. .com domain names once cost more than what many SSL certs do today.

Wrong. Verisign has purchased all the companies that issue certificates (except the us post office) -- Someone look up monopoly and see if Verisign is mentioned in the definition.

Re:No (0)

Anonymous Coward | more than 6 years ago | (#24246571)

One entire point of SSL is to ensure that the user can trust the site they're connecting to.

"One entire point?" It's one *use* of SSL, but certainly not the only one. I'd venture that SSL is used more often to provide link encryption rather than remote site identification.

SSL certificates already have a number of use flags. I think there ought to be a way to flag a certificate as "encryption only", and allow these certificates to be used to secure a connection without big scary warnings in the browser. Modern browsers already have mechanisms to indicate that a site is trusted; encryption-only certificates would not engage these mechanisms.

Re:No (1)

squiggleslash (241428) | more than 6 years ago | (#24246711)

"One entire point?" It's one *use* of SSL, but certainly not the only one.

Indeed, hence the words "One entire point" rather than "All entire points" or even "The entire point".

However, yes, authentication is a key part of SSL. It's so behind-the-scenes it's often hard to notice that people use it all the time. You click on the HTTPS link to "citibank.com", and up comes the padlock and login for Citibank. You know, at this point, it's the real deal. Most people aren't sure why it works, they just know it generally does.

I'd imagine you're one of them.

Re:No (1)

QuasiEvil (74356) | more than 6 years ago | (#24246655)

I'd say it's definitely desirable to have something in between. I use self-signed SSL to encrypt my connections between random public web terminals and my webmail server at home. I don't really care about trust, since I'm 99% percent certain that I'm really connecting to my box. I do want encryption, though, so as to avoid random snoopers from seeing my username/password combo, or reading my mail.

I realize you can make the argument that an encrypted tunnel to an unverified host isn't really security (and I agree), but I don't need 100% security. I'd like it, but given the cost for certificates and the only minor nuisance of entering an exception, the cost/benefit ratio isn't there. I need only part of a truly secure solution (the encryption part) to defeat 95% of the problems (random packet sniffers, etc.) I'm willing to live with the rest of the risk for reduced cost, because cost/benefit doesn't work out for getting a certificate for my own webmail server.

mwod 3own (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24246227)

who seel ano7her

IE7 (3, Informative)

airedalez (743328) | more than 6 years ago | (#24246231)

Why is this being brought up now as something new? IE7 has been doing practically the same thing since it was released. I agree that there should be something "open source", but this is far from new...

Certificate Authority authorities? (0)

Anonymous Coward | more than 6 years ago | (#24246233)

Are we talking about some sort of meta-CA or does the submitter have a stutter?

Alternative solution (1)

MoHaG (1002926) | more than 6 years ago | (#24246235)

Someone could run a service where sites can list themselves to be verified... That way bank sites can still give the big scary warning if the certificate does not check out AND smaller sites can use self-signed certificates...

The real problem would be to get a neutral and secure way to host this site... (The current SSL method of verifying a site's identity might work in most cases...) In addition, administrators that add domains need to prove that they own the domain... Verification of this site is VERY important to protect against DNS based attacks...

Monopoly? (5, Informative)

nonpareility (822891) | more than 6 years ago | (#24246245)

The fact that there are "compan*ies* such as Verisign" means Verisign is not a monopoly. In Firefox, go to Tools, Options, Advanced, Encryption, View Certificates, Authorities. These are all valid CAs according to Firefox. As for being cheap, a quick check at GoDaddy's says you can get one from them for $30/year.

In related news... (-1, Offtopic)

LM741N (258038) | more than 6 years ago | (#24246249)

12 Al Qaeda operatives caught trying to buy SSL certificates. Film at 11.

Domain only? (2, Insightful)

coolhelperguy (698466) | more than 6 years ago | (#24246255)

For all but the biggest transactions, most people couldn't care less about what the certificate says. Really, how many people check the certificate on, say, PayPal, to see that it's actually owned by them?

I'm all for breaking the monopoly of current root CAs, but for the most part, that's already being undertaken over at OpenCA [openca.org] , which is indeed trying to get included into major browsers. (Last I heard, they had problems with IE, but Mozilla and perhaps Apple were willing to let them try if they had several audits, among other things.)

Perhaps a better solution would be for Firefox 3 to detect self-signed certificates (separate from expired, or wrong-domain certificates) and warn the user that there's no good way to be sure that the people running the website are who they say they are, but that if all they want to do is connect and have an encrypted communication, have a simple (but slightly scary) button to proceed, once per session. That of course wouldn't protect against man-in-the-middle attacks, but that's the reason the root CA infrastructure is in place. Getting something like OpenCA in more browsers is probably the best (only?) fix for that.

Re:Domain only? (2, Insightful)

rehevkor5 (594051) | more than 6 years ago | (#24246431)

It's simple. The browser should detect self-signed signatures and then instruct the user to verify the SHA1/MD5 hash (fingerprint/thumbprint) with the site's owner. That's all that needs to happen.

Re:Domain only? (0)

Anonymous Coward | more than 6 years ago | (#24246627)

>>For all but the biggest transactions, most people couldn't care less about what the certificate says. >>Really, how many people check the certificate on, say, PayPal, to see that it's actually owned by them?

No-one does, because they don't HAVE to. The browser contains your trusted certificate authorities so you don't have to check every site one by one. Only reputable certificate authorities that validate your identity are included.

namecheap.com (1)

TofuMatt (1105351) | more than 6 years ago | (#24246263)

While CA-validated certs are still somewhat stupid (my site is just as encrypted self-signed or not, though I see the points on the site of having CAs), namecheap.com does offer somewhat cheap SSL certs -- I've used them and it's been OK for simple stuff like adding a cert to my mail.* mailservers and such.

Re:namecheap.com (1)

bigtangringo (800328) | more than 6 years ago | (#24246535)

The basic premise of a CA is giving everyone a trusted third party.

How do I know you are who you say you are, and not a man in the middle? With a self-signed cert, there's no assurance unless the cert has already been saved. With a CA signed cert, there's assurance of identity.

StartCom (0)

Anonymous Coward | more than 6 years ago | (#24246297)

FF3 appears to have these as an authority by default.

http://cert.startcom.org/

StartCom, the vendor and distributor of StartCom Linux Operating Systems, also operates MediaHost, a hosting company, which offered its clients, SSL secured web sites with certificates signed by StartCom for many years. That's where the idea originated: Free SSL certificates!

"Open" vs. "Secure" - A Contradiction (3, Insightful)

bradgoodman (964302) | more than 6 years ago | (#24246307)

I don't think anyone really wants "Open" CA authorities. "Open" and "Secure" are generally contradictory in this context (not everywhere).

I think the optimum solution would be a cheap root CA who is also highly trusted.

I don't know who this would be - maybe someone like a traditional brick-and-mortar "bank" which could vouch for an SSL certificate being validated in the same way that they are able to link a bank account to a person, company, SSN, etc.

I was going to say also someone like Google.

The point is, if a CA-signed cert was $5, no one would be complaining, but if any ol' schmuck's signed certs were automatically accepted by your browser, the whole system wouldn't mean anything.

Secure DNS can help (4, Informative)

John.P.Jones (601028) | more than 6 years ago | (#24246329)

Can organizations such as Mozilla not move towards a model that helps break this monopoly, helping establish a CA root authority that's cheap (free?) and only links the certificate to the domain, not actual verification of who owns the domain?

How can anyone possibly establish that a given certificate is associated with a given domain without first proving that they do indeed have the (ownership) rights to establish said association?

What you are asking for can be accomplished via SecureDNS: you can enter the hash of the certificate in the DNS entry, and Secure DNS ensures that only the authorized party can enter that association and verifies that it was not changed. SecureDNS facilitates a lot of these kinds of authentication issues by extending the rooted hierarchy of DNS names to securely disseminate information, whether it be IP addresses of servers or public key commitments. See my paper "Layering Public Key Distribution Over Secure DNS using Authenticated Delegation" (ACSAC 2005).
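An added example, not part of either comment: the two checks suggested above, comparing a certificate against a fingerprint read out by the site owner (rehevkor5) and against a hash published in DNS (John.P.Jones). The DNS side uses the TLSA record layout later standardized as DANE in RFC 6698, which is an assumption here and not necessarily the scheme in the cited paper; the sample bytes and function names are constructed.

```python
import hashlib
import hmac

# Constructed bytes standing in for a DER-encoded certificate (not real X.509).
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"

# Hex digest length -> hash name, to recognise what the owner read out.
_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
_LEGACY = {"md5", "sha1"}  # collision-broken; accepted only on request


def normalize(fp_text):
    """Turn 'AB:CD ef' style fingerprints into bare lowercase hex."""
    cleaned = "".join(ch for ch in fp_text if ch not in ": \t\n").lower()
    if not cleaned or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("fingerprint is not hex")
    return cleaned


def matches_fingerprint(der, stated, allow_legacy=False):
    """Compare a certificate against a fingerprint obtained out of band."""
    want = normalize(stated)
    algo = _BY_LENGTH.get(len(want))
    if algo is None:
        raise ValueError("unrecognised fingerprint length")
    if algo in _LEGACY and not allow_legacy:
        raise ValueError(algo + " fingerprints are refused by default")
    got = hashlib.new(algo, der).hexdigest()
    return hmac.compare_digest(got, want)


def matches_tlsa(der, rdata):
    """Check a certificate against TLSA record data such as '3 0 1 <hex>'.

    Only selector 0 (the whole certificate) is handled, and the record is
    assumed to have been DNSSEC-validated by the resolver already.
    """
    usage, selector, mtype, assoc = rdata.split(None, 3)
    if usage != "3":      # 3 = DANE-EE: the record pins this exact server cert
        raise ValueError("only usage 3 is handled here")
    if selector != "0":
        raise ValueError("selector 1 (public key only) needs an ASN.1 parser")
    want = normalize(assoc)
    if mtype == "0":      # association data is the full certificate in hex
        got = der.hex()
    elif mtype == "1":
        got = hashlib.sha256(der).hexdigest()
    elif mtype == "2":
        got = hashlib.sha512(der).hexdigest()
    else:
        raise ValueError("unknown matching type")
    return hmac.compare_digest(got, want)
```

Neither check means anything unless the reference value arrives over a channel the attacker on the connection cannot also rewrite: a phone call or printed card for the fingerprint, a validated DNSSEC chain for the record.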

You're kidding right? (2, Insightful)

Anonymous Coward | more than 6 years ago | (#24246339)

It sounds like some people need to educate themselves on security and the reasons for SSL in the first place. Also take a look at the current situation on the internet - for example how do phishing sites currently operate?

One of the biggest reasons for using or trusting SSL is that you can trust that the website is who they say they are. If you give out certs without validation, you're not helping the community at all.

If you think just encryption is enough, you're wrong. People are rarely defrauded because their packets were intercepted. Using encryption on the internet is like using an armored car to deliver $5 from the man on a park bench to the hotdog stand on the corner. The endpoints are the biggest security problem these days.

All of the phishing attacks have to do with sending you to a malicious site that convinces you to enter your information.

There are cheaper SSL certs out there than Verisign; do some shopping around.

Firefox is not trying to harm a small site. They are trying to protect the community from the phishing attacks.

Monopolistic? FUD alert. (1)

MyNymWasTaken (879908) | more than 6 years ago | (#24246389)

You keep using that word. I do not think it means what you think it means.

There are more Certificate Authorities than just Verisign; e.g. Thawte, GeoTrust & GoDaddy.

GoDaddy charges $15/year for a single-domain SSL cert.

Ah, let's just solve that FACTOR problem... (2, Funny)

tjstork (137384) | more than 6 years ago | (#24246407)

1. Step 1 - FACTOR algorithm in polynomial time
2. Step 2 - SSL is obsolete, and certificates are pointless
3. Step 3- PROFIT!

Re:Ah, let's just solve that FACTOR problem... (1)

The Dancing Panda (1321121) | more than 6 years ago | (#24246541)

I think step 1 is the ?????????. And the profit is $1 million, as you would have solved P=NP.

Certification trust levels (5, Insightful)

davidwr (791652) | more than 6 years ago | (#24246409)

The certification authorities really need to get together with the web browser vendors so the big scary warnings can be made trust-level-appropriate.

For example:

Domain confirmed: [green][yellow][red]
Responsible Party Identity Confirmed: [green with seal][green][yellow][red]

Where "yellow" meant unconfirmed or self-signed and not whitelisted SSL or an easy-to-fake or -steal ID such as a credit card, "red" meant revoked, expired, or invalid credential, and "green" meant a valid SSL or hard-to-fake or -steal personal ID such as a driver's license backed by a notary. "Green with seal" meant a financially-backed guarantee, something big banks would probably get.

Most small-time web sites would be either green/yellow or yellow/yellow, depending on if they had self-signed certificates.

The cost of a "no identity confirmed" green/red certificate shouldn't be much more than domain registration. A "yellow/red" self-signed certificate would remain free.

If people expect "green with seal" when dealing with major financial companies, "green" with most businesses, and "yellow" for personal web sites, they'll give the appropriate level of trust.

Great Summary (0)

Anonymous Coward | more than 6 years ago | (#24246415)

"With the release of Firefox 3, those who have been using self-signed certificates for SSL now face a huge issue -- the big, scary warning FF3 issues which is very unintuitive for non-technical users. It seems Firefox is pushing more websites in to the monopolistic arms of companies such as Verisign. For smaller, especially non-profit groups, which will never have issues with domain typo scammers, this adds an extra and difficult-to-swallow cost. Does a service such as this need the same level of scrutiny and cost since all that is being done is verifying domain and certificate match? This extra hand holding adds a tremendous cost and allows monopolistic companies such as Verisign to thrive. Can organizations such as Mozilla not move towards a model that helps break this monopoly, helping establish a CA root authority that's cheap (free?) and only links the certificate to the domain, not actual verification of who owns the domain?"

There was this one word which means "exclusive ownership or control", but I can't remember what it means. Can anyone help me out?

Trust is the issue (4, Insightful)

AlexCV (261412) | more than 6 years ago | (#24246443)

The problem with SSL certificates is that what you're supposed to be buying is trust. Your $400 is supposed to be for VeriSign to validate that (a) an entity of that name/address pair exists; and (b) there's supporting evidence that the applicant represents that entity.

To reiterate strongly: Certificates are about authentication not encryption!

This isn't cheap, it requires a fair bit of effort.

Also, the CA needs to be trusted in the first place. That's very gray, but even old VeriSign is a lot more trustworthy than "Joe Q. Random Computer Service Associates" with a PO Box in RU.

Most proponents of "free" CAs really want the little padlock without any concern about trust because they implicitly trust themselves. Suppose you did have a shall-issue free-for-all CA on the web. What value would you place on its certificates? Would you trust that entity to not have a compromised private key?

Re:Trust is the issue (1, Insightful)

bluefoxlucid (723572) | more than 6 years ago | (#24246593)

Certificates are all about encryption. Places I can sniff your packets from:

1. A hub.

2. A switch.

3. A Wireless Access Point (hub using invisible cable).

4. Routers on the Internet that I've hacked.

Places I can replace the certificate with one of my own self-signed under the same name from:

1. A hub (ARP spoofing and you use me as your default gateway).

2. A switch (ARP spoofing, confuses the switch too)

3. A WAP (ARP spoofing)

4. Routers on the Internet that I've hacked.

Note that if I'm on your computer, I can just grab the data ahead of time; and if I'm on the endpoint server, I can just use their private key. A fun game is to download all the private keys off a shared hosting server, since they often leave that directory world-readable.

Saw this coming. (0)

Anonymous Coward | more than 6 years ago | (#24246449)

I manage a small ecom site for my father's company. He's been using a shared cert provided by his hosting company (free with the hosting account) for the checkout portion of his site. That was wonderful until IE7 came out and started shouting a frightening warning full of red Xs at the user.

But, I put in a little message to the site for IE7 users and we carried on.

Now, it seems FF3 will shoot the same bullet at us, along with MANY other small sites who can't afford the cost of a certificate.

The unfortunate thing is that this will likely make him give up on the site altogether. While it is a code-beast, it is still a nice source of extra freelance cash for me, and a part of his business.

This just kills me. I don't know ANYONE who actually checks who a certificate is signed to. As long as it's there, and you know what site you're on. That's all you need.

I'm really disappointed in this news.

StartSSL is free or cheap, as you prefer (4, Informative)

petard (117521) | more than 6 years ago | (#24246455)

They offer certs with domain validation for free. There are gentle attempts to upsell you to higher levels of validation, but their domain validated certificates work without errors. Look here [startssl.com] .

If you want certs that are validated to your business' identity (instead of just your domain) and don't indicate in the DN that they were free, there is a small charge.

Such a thing? (1)

skelly33 (891182) | more than 6 years ago | (#24246461)

There's such a thing as a non-technical FireFox user? I've never met one; it almost seems to be reserved for people who "get it".

Re:Such a thing? (1, Interesting)

Anonymous Coward | more than 6 years ago | (#24246597)

That's definitely not true. I know several people who only use Firefox after being directed to by a technical friend such as myself and will never go back to MSIE.

I will admit though the first time FF3 gave me a cert warning I was quite surprised and it took me a bit to understand what had happened.

Re:Such a thing? (2, Informative)

mistapotta (941143) | more than 6 years ago | (#24246683)

My mother is a non-technical firefox user. Meaning, I got tired of cleaning up her machine, so I installed firefox, put the little IE icon on her desktop to link to the FF executable, and have had much fewer reasons to go over and "clean up her computer."

Gosh! (1)

fluch (126140) | more than 6 years ago | (#24246473)

You don't get security if you switch off your brain. Something like I-refuse-to-think-but-want-to-have-it-secure ... forget it!

If I understand it right, the expensive authorities put some effort (do they?) into checking the identity of some person applying for a certificate. You pay for this work and on the other hand you get a certificate which most browsers can verify immediately without shouting loud.

If you make yourself a certificate not using those authorities, you need to explicitly tell the browser (once) to accept the certificate. It is in my opinion good that the browser shouts quite a lot, because this makes people think a bit before they accept it.

Now would you think that a low budget CA authority could/would provide the same trust as the more expensive ones? Would you trust it so much that you would automatically accept all certificates from this CA authority?

Firefox extension (1)

rfunk (765049) | more than 6 years ago | (#24246479)

We need a Firefox extension that will add a toolbar under the location bar to always show who owns the certificate. Maybe also do a whois query and show who owns the domain.

Better way for FF to handle it (1)

JShadow21 (871404) | more than 6 years ago | (#24246487)

IMHO Firefox should have a bar pull down from the top like the password saver or the pop-up blocker warning you it's self-signed. Enough to let you know, but not too much to disrupt you from actually using the site.

The current ominous warning is a bit much I think.

Monopolistic what? (1)

bluefoxlucid (723572) | more than 6 years ago | (#24246509)

SecureTrust and XRamp were the most common I saw at a Web host.

A lot of people brought their own GoDaddy signed cert.

My last employer used Equifax signed certs.

I've seen a few RSA Security signed certs.

Verisign is the big name; Linux is the big name in not-Windows but you see a lot of Apple. Which company has plurality, and is it more than a percent difference from the runner up?

On a more th

Monopoly?! (2, Insightful)

thepacketmaster (574632) | more than 6 years ago | (#24246511)

A monopoly would be a telephone company or electric company from the 80's, where you had no choice. Last time I opened up the Certificate Authority section of Firefox, there were a LOT of CAs. To name a few of the public ones:
  • Verisign
  • Thawte
  • Go Daddy
  • Network Solutions
  • GeoTrust
  • Entrust

Not to mention there are a bunch of second level CA's that are very reasonably priced. I think trainman needs to do a bit more research. If you can't afford GoDaddy's prices, I don't think you really need to be concerned with your customers freaking out.

HUGE (0, Troll)

btaranto (921814) | more than 6 years ago | (#24246527)

i don't want understand the people anymore... #$%#@#@!@#!

Bargains (1)

Klaus_1250 (987230) | more than 6 years ago | (#24246543)

Keep an eye out on good bargains. Once in a while, CA's have really good deals to get some fresh customers. You can get certificates for as low as 10-30/year for up to 7 years. Still not cheap, but for a signed certificate that doesn't need to include fancy insurance/identification and such, 63 for a 7 year cert is a good deal.

Certificates ARE about ENCRYPTION (3, Interesting)

unity100 (970058) | more than 6 years ago | (#24246547)

the foremost aim of an SSL cert is to encrypt the communication so 3rd parties can't eavesdrop.

it doesn't make a ZIT of difference if the site you are shopping from has a Verisign signed 256 bit certificate or a self signed certificate. almost all certs are encrypted with similar technologies encryption wise. if you are concerned with 'authenticity', you don't know a website or don't trust them or suspect them, you should NOT be shopping there in the first place.

yes, this move of firefox 3 is a VERY bad thing. it really pushes people to the arms of verisign, geotrust (which is verisign) and so on.

not only that, it will also force control panel companies like cpanel, which serve millions of website users through web hosts to have to force users of their services to pay for SSL certs for each server they use or let their users connect to their site control panels through unencrypted connections. that will eventually drive up prices in the high to mid end hosting market. which is BAD, since majority of people host their websites in such small business hosts with $3-4 bucks a month. the overall effect that will have is yet to be seen.

yes, this was a stupid move by mozilla team, unfortunately.

Re:Certificates ARE about ENCRYPTION (2, Insightful)

Percy_Blakeney (542178) | more than 6 years ago | (#24246661)

Yes, SSL is about encryption. That's why the signing issue is important -- without it, you are vulnerable to man-in-the-middle attacks, which effectively negates the encryption.

A Trust Web for Victory (5, Interesting)

Doc Ruby (173196) | more than 6 years ago | (#24246557)

Instead of relying on centralized CAs, and implicitly trusting these privileged monopolies, we could shift to trust webs [wikipedia.org] .

It's like a social network. You trust who your "friends" trust, and distrust who they don't. With weightings, so some friends' and enemies' associations (and dissociations) count more than others. Because some people you trust in their content, but not their judgement of who to trust (and vice versa, but probably more rarely).

Trust webs can perfectly simulate the current centralized trust model. You can just set your trust web to always trust whoever, say, VeriSign trusts, and ignore everyone else, which is what we get by default today. But you could tweak your trust web to say "If my grad student distrusts a site, then ignore whether VeriSign trusts it".

Such a trust web could therefore just ship set up with the current CAs the only trusted authorities, and work exactly the same as now. But we'd each have the freedom (or our sysadmins, who could lock the trust web changes away from normal users) to emphasize whoever we actually trust to influence our automated trust.

Independent authorities could "watch the watchers". So investigators with a reliable track record could become important "second guessers" to the "official" CAs. People could make their reputation by proving a trusted authority has less than 100% good judgement. And the whole system can become more robust, instead of fracturing as soon as different CAs have different trust levels for different sites.

The technique and some SW is already available, for apps like PGP and others that rely on a Public Key Infrastructure. What's necessary for the critical mass that makes such a system work is for a browser like Firefox to upgrade to a trust web, with an easy and reliable UI with sensible defaults. Then we're as strong as the trust network in which we embed ourselves.
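An added sketch, not part of the comment and not any browser's or PGP's actual algorithm: one way the weighted trust web described above could be evaluated, with the CA-only default and the "my grad student distrusts it" override as two configurations of the same function. All party names, sites, weights and the threshold are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Party:
    """Someone whose opinions about sites, and about other parties, we can use."""
    name: str
    site_votes: dict = field(default_factory=dict)  # site -> +1 trust, -1 distrust
    vouches: dict = field(default_factory=dict)     # other party name -> 0..1


def effective_weights(direct, parties, max_hops=2):
    """Spread my direct weights outward; each hop multiplies, so trust decays."""
    weights = dict(direct)
    frontier = dict(direct)
    for _ in range(max_hops - 1):
        nxt = {}
        for name, w in frontier.items():
            for other, share in parties[name].vouches.items():
                cand = w * share
                # Keep only the strongest path to each party.
                if other in parties and cand > weights.get(other, 0.0):
                    weights[other] = nxt[other] = cand
        frontier = nxt
    return weights


def evaluate(site, direct, parties, vetoers=(), threshold=1.0):
    """Return 'trusted', 'distrusted' or 'unknown' for a site."""
    for name in vetoers:  # "if X distrusts it, ignore what anyone else says"
        if parties[name].site_votes.get(site, 0) < 0:
            return "distrusted"
    weights = effective_weights(direct, parties)
    score = sum(w * parties[n].site_votes.get(site, 0)
                for n, w in weights.items())
    if score >= threshold:
        return "trusted"
    if score <= -threshold:
        return "distrusted"
    return "unknown"


# Constructed sample web: one CA, one friend, one auditor the friend vouches for.
PARTIES = {
    "ExampleCA": Party("ExampleCA", {"shop.example": 1, "bank.example": 1}),
    "grad_student": Party("grad_student", {"shop.example": -1},
                          vouches={"auditor": 0.5}),
    "auditor": Party("auditor", {"blog.example": 1}),
}
CA_ONLY = {"ExampleCA": 1.0}                        # today's default behaviour
TWEAKED = {"ExampleCA": 1.0, "grad_student": 0.8}   # user adds a friend
```

With `CA_ONLY` the result tracks the CA exactly; with `TWEAKED` and `vetoers=("grad_student",)` the friend's distrust of `shop.example` overrides the CA, while the auditor only counts at the decayed weight 0.8 × 0.5.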

Does No One Understand English Any More? (5, Insightful)

Illbay (700081) | more than 6 years ago | (#24246603)

The O.P. mentions "...monopolistic arms of companies such as Verisign."

Okay, look. The word "monopoly" has as its prefix the stem "mono-," from the Greek, meaning "one." That means there can only be ONE "monopoly."

A phrase such as "monopolistic company LIKE Verisign..." is absurd on the face of it. If there are other companies LIKE Verisign, then there is no monopoly.

Is it REALLY that hard to understand?

This is an example of how the rising generation is so used to "buzz words" chosen for shock value, etc., and has gone completely away from clarity of speech and writing. What the O.P. means to say, really, is "I don't want to pay the going rate for this service, so I'll call Verisign 'a monopolistic company' because everyone knows 'monopolies' are bad, and that will communicate the 'badness' of 'companies like Verisign.'"

Oddly, the word "rhetoric," also from the Greek (rheteros, "a speech") used to be a positive appellation for the study of good, clear communication of thoughts and ideas. But it has also succumbed to the buzz-word dementia, and now usually means "empty words."

How sad.

Unintuitive for *non-technical* users ? (1)

drsmithy (35869) | more than 6 years ago | (#24246609)

It's unintuitive across the board. Took me a good minute or two to figure out how to get past the "this isn't a valid SSL certificate" page.

Looking at it again, it's just crap UI.

Superb summary, well up to /. standards (1)

kiwimate (458274) | more than 6 years ago | (#24246617)

With the release of Firefox 3, those who have been using self-signed certificates for SSL now face a huge issue -- the big, scary warning FF3 issues which is very unintuitive for non-technical users.

Let's assume there are still two or three people on the planet who don't use Firefox 3 and consequently have no idea what big scary warning you're talking about.

Also let's figure that those who are using self-signed certificates are at least somewhat likely to fall outside the ranks of "non-technical users".

Levels of certification (2, Insightful)

Animats (122034) | more than 6 years ago | (#24246643)

There are already plenty of providers selling crap "domain control only validated" certs. We (as SiteTruth [sitetruth.com] ) regard those as having no value, and we encourage others to do the same. If it doesn't have an "L" (location) field, it's worthless. The introduction of those crap "quick SSL" certs poisoned the whole cert industry.

It's a problem that certificates which verify business name and address cost too much. They ought to cost maybe $25 per year. Validation isn't that expensive. That's what registered mail is for.

There used to be some enthusiasm for "web of trust" schemes of certification, but since the bad guys organized into criminal networks, domain farms became popular, and it became easy to get phony GMail accounts in bulk, that approach is obsolete.
