
Thawte Will End "Web of Trust" On November 16

kdawson posted about 5 years ago | from the fencing-of-the-commons dept.

Encryption 127

An anonymous reader writes "Thawte is ending their Web of Trust, including their free Personal Email Certificates, in less than 2 weeks' time. This hasn't been picked up by the media yet. Seems to me a lot of people, including myself, are hurt by this." Thawte is offering a 1-year free VeriSign cert to those holding valid Personal Email Certificates; after that you pay.


127 comments


I knew it! (4, Funny)

Rantastic (583764) | about 5 years ago | (#29655411)

I knew I should not have trusted them and their web!

Sad but understandable (5, Insightful)

chamilto0516 (675640) | about 5 years ago | (#29655429)

This saddens me but I understand it. Adoption of PKI for email in this multi-standard, multi-client fashion was just too difficult for the average email user. Yes, I usually have one or two accounts for secure messaging and I do use Thawte (I am a Notary) but it just doesn't work for most unless there is someone to walk them through. As much as I am aggravated by Lotus Notes, their self-contained system (part of my aggravation) was able to pull this off 10 years ago and is still really the only app that I have seen do PKI well. Unfortunately it doesn't do a lot of other things very well.

Re:Sad but understandable (4, Interesting)

Joiseybill (788712) | about 5 years ago | (#29655565)

Notary here too.
I didn't see any notification yet, so I'm not sure if this is true.

If it is, then I won't need to worry about those pesky "check ID" and "keep paperwork on file for 5 years" rules.
I wonder if I can get my notary fees back... I paid them since I couldn't find any other Notaries in my area.

If this really is true, I might not be opposed to giving away 30 points to anyone that seems reasonable enough. If we get another few notaries on board, maybe we can register a couple thousand slashdotters in the next few weeks - so at least they all get free VeriSign email certs.

PS - in addition to Lotus Notes, I've done a fair job with Novell GroupWise and individual Eudora and T-Bird clients as far as certificate management for the masses. At one point, (obviously a while back with Eudora) I had nearly three dozen non-IT folks using this appropriately to sign and verify their inter-office email. That 'trial' lasted about two weeks, and many still ask me to renew their certificates annually.

Re:Sad but understandable (1)

swillden (191260) | about 5 years ago | (#29656013)

If this really is true, I might not be opposed to giving away 30 points to anyone that seems reasonable enough. If we get another few notaries on board, maybe we can register a couple thousand slashdotters in the next few weeks - so at least they all get free VeriSign email certs.

I've been meaning to get my identity validated for the web of trust for years, and never quite gotten around to it. I'm interested if you want to drop me an e-mail, and I think I can prove my identity adequately on-line, through my long history on /., USENET, blog posts, etc.

Re:Sad but understandable (1)

TheLink (130905) | about 5 years ago | (#29657537)

> > I might not be opposed to giving away 30 points to anyone that seems reasonable enough
> I'm interested if you want to drop me an e-mail, and I think I can prove my identity adequately on-line, through my long history

I suspect there's a funny Nigerian spammer spoof for this (with the "all caps" and other fun stuff).

But I'm too lazy at the moment to try. Anyone willing to give it a go?

Re:Sad but understandable (3, Informative)

storem (117912) | about 5 years ago | (#29657285)

I'm a WOT Notary myself since 2002.

<rant>To be very blunt, Thawte went downhill ever since VeriSign took over. I'm sure things would be different with Mark Shuttleworth still heading the company.</rant>

I also did not receive any official information from Thawte yet about this. I guess they figured we read today's Internet newspapers anyway.

Many of us Thawte WOT Notaries became CAcert ECCP Assurers during the last couple of years. While CAcert.org is a community-driven certificate authority that issues free public key certificates to the public, it still lacks inclusion of its root certificate in most popular browsers. I do however strongly think there is a need for this kind of service, as no communication is ever going to be really safe unless we all use encryption. It is way too easy to spot the important emails nowadays.

I must also admit that fewer people are interested in the technology - and WOT notaries assert fewer people each year - mainly due to the complexity of PKI implementations in popular email packages.

<product_placement>I hope efforts like the Comodo/DigitalPersona Privacy Manager product, which aim to make it easier for people to use PKI, revive identity security awareness among people.</product_placement>

More info from Thawte's Wikipedia page:

Thawte Notaries have been submitting minimal information to the Gossamer Spider Web of Trust ("GSWoT"; a grass-roots OpenPGP PKI) for safe-keeping in hopes to increase the longevity of their earned trust points. The collaborative effort aims to bind Thawte Notary names and email addresses to their now-existing entry on Thawte's Web of Trust Notary Map. Thawte Notaries from within and without GSWoT are performing the validations. The initiative will bear no fruit if Thawte Notaries fail to find or create a WoT that will recognize their former status as a Thawte Web of Trust Notary. The Thawte Notary EOL List on GSWoT will die in one year's time - on November 16, 2010.

Re:Sad but understandable (2, Informative)

Lennie (16154) | about 5 years ago | (#29658907)

There is also a StartCom/StartSSL WOT; their free SSL-certs root cert recently got on the Microsoft list, although the update was still optional last time I looked.

https://blog.startcom.org/?p=205

Re:Sad but understandable (2, Insightful)

tobiasly (524456) | about 5 years ago | (#29656563)

Yes it sucks but I agree, none of us should really be surprised. Ever since Verisign bought Thawte I've been waiting for this to happen. I've been a notary in a fairly large metro area for years and can't remember the last time I was asked to notarize someone.

Yeah, the concept itself was a bit difficult for a lot of people to grasp but their website also really sucked. It hadn't been updated in years and you had to navigate through that ridiculous hierarchical system instead of being able to just "find notaries within 25 miles of me".

But really, email certs serve two purposes: sender verification and/or encryption (I guess proving an email wasn't tampered with could count as a third but it's really part of encryption). The first function is increasingly already being performed at the server level using SenderID/DomainKeys, and there are plenty of ways to accomplish the second if two parties so choose.

It's one of those things that probably would have been a great idea if it were baked into the email standard since inception, but was just too unwieldy to bolt-on later.

Providing free certificates (3, Funny)

igny (716218) | about 5 years ago | (#29655449)

Can some other trusted company, like Google, step in?

Re:Providing free certificates (2, Funny)

Yamata no Orochi (1626135) | about 5 years ago | (#29655461)

Can some other trusted company, like Google, step in?

I honestly can't tell if this was supposed to be funny or not.

Re:Providing free certificates (3, Insightful)

Wowsers (1151731) | about 5 years ago | (#29655465)

I trust myself, but how can I trust another company?

Re:Providing free certificates (4, Informative)

Anonymous Coward | about 5 years ago | (#29655599)

www.cacert.org has an alternative web of trust that issues both client and server certs.

Re:Providing free certificates (1)

L4t3r4lu5 (1216702) | about 5 years ago | (#29655635)

Posted by Anon Coward. I don't trust that site, or their web.

What now?

Re:Providing free certificates (0)

Anonymous Coward | about 5 years ago | (#29656287)

You fear.

Re:Providing free certificates (3, Interesting)

martijno (533960) | about 5 years ago | (#29655683)

How about community driven efforts such as cacert.org [cacert.org] ? Requires the receiver to import their root certificate, though.

Re:Providing free certificates (1)

tepples (727027) | about 5 years ago | (#29656861)

Requires the receiver to import their root certificate, though.

But how would a receiver who is a home user know to import cacert.org's root certificate and not a phisher's root certificate?

Re:Providing free certificates (1)

digitalunity (19107) | about 5 years ago | (#29657841)

What's the path to getting the root cert in popular browsers?

I really don't know how that works. Does Mozilla just decide?

Did not get any email (1)

Nikademus (631739) | about 5 years ago | (#29655453)

I did not get any email from Thawte about this issue. How do I get my token then?

Should have stuck with PGP/GPG (4, Insightful)

argent (18001) | about 5 years ago | (#29655479)

Don't forget where the "web of trust" came from.

Re:Should have stuck with PGP/GPG (3, Interesting)

Chrisq (894406) | about 5 years ago | (#29655577)

The problem is that PGP/GPG certificates are too open. If you trust a few certificates, say for software support, then trust the certificates they trust pretty soon you end up trusting almost everyone. Even worse GPG (and maybe PGP) by default will try and download a certificate from a public server when encountering an unknown certificate. This makes it as easy to set up a trust certificate for a "throw away" email account as to create a throw-away account in the first place.

True, if you follow the guidelines in the GPG manual, find a trusted friend, verify the fingerprint of their key by phone, and both agree only to sign certificates where you have gone through the same process, you can set up a trusted web - but it's not as easy as having someone verify it for you.

Re:Should have stuck with PGP/GPG (5, Informative)

Anonymous Coward | about 5 years ago | (#29655741)

Your post is an example of how people don't understand PGP, not that there are any technical limitations. Looking in my enigmail key manager, I have a whole list of keys (automatically downloaded) that are not trusted. The few that I have verified are trusted. If someone signs "almost everyone's" keys and isn't trustworthy you don't trust them. If they are trustworthy, then you just made use of the web of trust.

Re:Should have stuck with PGP/GPG (1)

slabbe (736852) | about 5 years ago | (#29655765)

As far as I know, gpg version 1.x doesn't try to download anything by itself. Maybe it's different for version 2.x, or some secondary software depending upon gpg? Regarding public key signing, http://xkcd.com/364/ [xkcd.com]

Re:Should have stuck with PGP/GPG (5, Informative)

buchner.johannes (1139593) | about 5 years ago | (#29655917)

You don't have to trust everyone in a Web of Trust that originated from you. It just tells you who trusts that person. What you do with that information is up to you. Also, there are several levels of trust. You don't have to sign anyone's key, just the ones you met.

GPG is right to download the public key from a server, because that tells you nothing about how much you trust that person. If it would set that person automatically to fully trusted, that'd be a different story.

Re:Should have stuck with PGP/GPG (0)

Anonymous Coward | about 5 years ago | (#29656187)

Who the hell modded this insightful ?

You aren't distinguishing between whether a key is VALID (i.e. does it really belong to whom it says it belongs to) and whether it is TRUSTED (do I trust that person/authority to sign others' keys).
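The valid-versus-trusted distinction made above, worked through as an added Python example (not GnuPG's code): a small model of the OpenPGP trust computation using GnuPG's documented defaults (one fully trusted signer or three marginal ones, certificate depth limit 5). Key names, signatures and trust settings are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Owner-trust levels: how far we rely on a key holder as an introducer of others.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"

COMPLETES_NEEDED = 1   # GnuPG default: one fully trusted signer suffices
MARGINALS_NEEDED = 3   # GnuPG default: or three marginally trusted signers
MAX_CERT_DEPTH = 5     # GnuPG default: longest certification chain considered


@dataclass
class Keyring:
    # key_id -> ids of the keys that have signed (certified) it
    signatures: dict[str, set[str]] = field(default_factory=dict)
    # key_id -> owner trust assigned by the local user, never by the key itself
    owner_trust: dict[str, str] = field(default_factory=dict)

    def import_key(self, key_id: str) -> None:
        # Fetching a key from a keyserver only adds it to the ring: it arrives
        # with no signatures we have checked and with unknown owner trust.
        self.signatures.setdefault(key_id, set())
        self.owner_trust.setdefault(key_id, UNKNOWN)

    def sign(self, signer: str, subject: str) -> None:
        # Local act of certifying that `subject` belongs to its named owner.
        self.import_key(signer)
        self.import_key(subject)
        self.signatures[subject].add(signer)

    def set_owner_trust(self, key_id: str, level: str) -> None:
        self.import_key(key_id)
        self.owner_trust[key_id] = level

    def valid_keys(self) -> set[str]:
        """Keys whose owner binding we accept (VALID), derived from signatures."""
        # Our own, ultimately trusted keys are valid by definition.
        valid = {k for k, t in self.owner_trust.items() if t == ULTIMATE}
        for _ in range(MAX_CERT_DEPTH):
            grown = set(valid)
            for key, signers in self.signatures.items():
                if key in grown:
                    continue
                # Only signatures from keys that are themselves valid count, and
                # they are weighted by the owner trust we gave the signer.
                fulls = sum(1 for s in signers
                            if s in valid and self.owner_trust[s] in (FULL, ULTIMATE))
                margs = sum(1 for s in signers
                            if s in valid and self.owner_trust[s] == MARGINAL)
                if fulls >= COMPLETES_NEEDED or margs >= MARGINALS_NEEDED:
                    grown.add(key)
            if grown == valid:
                break
            valid = grown
        return valid


def demo() -> dict[str, bool]:
    """Constructed scenario: returns key id -> is the key valid."""
    ring = Keyring()
    ring.set_owner_trust("me", ULTIMATE)
    # People I met and whose fingerprints I checked: I sign their keys.
    for met in ("alice", "bob", "m1", "m2", "m3"):
        ring.sign("me", met)
    ring.set_owner_trust("alice", FULL)    # careful introducer
    ring.set_owner_trust("bob", NEVER)     # valid key, but he signs anything
    for m in ("m1", "m2", "m3"):
        ring.set_owner_trust(m, MARGINAL)
        ring.sign(m, "dave")               # three marginals make dave valid
    ring.sign("alice", "carol")            # one full signer makes carol valid
    ring.sign("bob", "spammer")            # bob's signature carries no weight
    ring.sign("carol", "erin")             # carol is valid but not trusted
    ring.import_key("stranger")            # downloaded, nothing more
    valid = ring.valid_keys()
    return {k: k in valid for k in
            ("alice", "bob", "carol", "dave", "erin", "spammer", "stranger")}


if __name__ == "__main__":
    for key, ok in demo().items():
        print(f"{key:8s} valid={ok}")
```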

Re:Should have stuck with PGP/GPG (1)

The Cisco Kid (31490) | about 5 years ago | (#29656941)

If you think thawte and/or verisign actually do anything to verify anything (other than that the person's credit card works) you are a fool.

Re:Should have stuck with PGP/GPG (1)

Hurricane78 (562437) | about 5 years ago | (#29657633)

The problem that you describe would be that stating that a human should do something, and then expecting him to always do it, is a giant fallacy. And a very stupid one to expect, if you ever saw a real human. ^^

The rule is: If someone can do something wrong or the bad way, someone will. No exceptions.
And that's why those guidelines are just useless dreams with no relation to physical reality.

Done right, you would have to set up a system where nothing is possible, except for the things you absolutely need, to achieve what is meant to be possible.
But who has the brains to actually do that?

Re:Should have stuck with PGP/GPG (0)

Anonymous Coward | about 5 years ago | (#29658553)

Even worse GPG (and maybe PGP) by default will try and download a certificate from a public server when encountering an unknown certificate.

And S/MIME sends its entire certificate along with the signature blob - the fact that you can get GPG to download unknown keys is irrelevant, since they are not trusted just because you possess their public keys.

Re:Should have stuck with PGP/GPG (1)

Ilgaz (86384) | about 5 years ago | (#29655761)

Apple Mail has built-in PKCS7 support, I don't even care to mention pro apps like Outlook/Entourage/BlackBerry.

Where is PGP except that expensive commercial client which tries to do too much? If people used a Thawte cert, they went for the "easy and built-in way", can you blame them? If a free PGP version with that kind of compatibility and mail plugin was still alive and kicking, you could blame people for not sticking with PGP. All we see is some open source stuff not promising any kind of stability and support here and there; that is what you get when you try to use the PGP standard for free.

Re:Should have stuck with PGP/GPG (1)

digitalunity (19107) | about 5 years ago | (#29657907)

Honestly, the best email client I have ever used respecting PKI was Thunderbird with Enigmail on Linux.

I've tried to duplicate this success on my laptop with Vista, but enigmail sucks balls and just flat out doesn't work right.

We really need a good, OSS cross platform email client that supports GPG.

Re:Should have stuck with PGP/GPG (0)

Anonymous Coward | about 5 years ago | (#29655913)

Web of Trust may be stupid but using PGP/GPG stuff is stupid too because it's just a hack of a system. There are real tested global standards out there like X.509, S/MIME, etc that PGP/GPG does not use.

Personally I hate it when people use that idiotic non-standard PGP stuff in e-mails and such when things like X.509 and S/MIME are supported by practically everything out-of-the-box (and for good reason, it's standardized and globally recognized).

Re:Should have stuck with PGP/GPG (1)

argent (18001) | about 5 years ago | (#29657095)

You do know that PGP came before S/MIME, right?

Re:Should have stuck with PGP/GPG (0)

Anonymous Coward | about 5 years ago | (#29657227)

What does that have to do with anything? If anything it shows yet another reason why we should not be using PGP because despite the fact that it came first, it's supported by less software.

Standards almost always come after the "hacks." We should be using the recognized standards once they are available.

Re:Should have stuck with PGP/GPG (1)

argent (18001) | about 5 years ago | (#29657795)

The standard did not get created because PGP was a "hack", it was created because of the legal issues surrounding PGP and Phil Zimmerman. Those issues should have been addressed explicitly, instead of creating a standard that depends on an expensive infrastructure that keeps it from being adopted by hoi polloi.

It's Just That (2, Funny)

Anonymous Coward | about 5 years ago | (#29655485)

Thawte had been hurt so many times and it's going to take a long time before Thawte can learn to trust again.

Re:It's Just That (2, Funny)

GaryOlson (737642) | about 5 years ago | (#29655861)

This is a technical discussion; find a non-technical support group therapy session to work thru your personal issues.

You didn't expect this? Really want to help? (5, Insightful)

Uzik2 (679490) | about 5 years ago | (#29655489)

What were you thinking?
If you really want to do something worthwhile, campaign the browser makers to change their browsers. The whole "encryption = authentication" idea is stupid and wrong. The scary warnings when someone wants to encrypt the traffic between you and their website using their own certificate are commercialism at its worst.

Re:You didn't expect this? Really want to help? (1)

CaptnMArk (9003) | about 5 years ago | (#29655567)

You are confused. Perhaps you mean authentication != certification?

Certification is something that CA's should do (that's what you trust them to do). Some don't. That's why the broken idea of EV certificates came about.

Re:You didn't expect this? Really want to help? (1)

Aladrin (926209) | about 5 years ago | (#29655651)

No, he meant exactly what he said. As far as he went, he's correct. Putting up scary warnings when all that is required is an encrypted connection is silly.

But the process actually goes a step further, and you need to know that you are connected to who you think you are, which is the purpose of the scary warnings. It's very seldom that you need to just encrypt the connection without worrying about man-in-the-middle attacks.

Re:You didn't expect this? Really want to help? (0)

Anonymous Coward | about 5 years ago | (#29655727)

What does an encrypted connection get you when you don't know where it's coming from? It only protects you from the MITM that hasn't intercepted your connection...

I'm starting with the man in the middle (2, Interesting)

tepples (727027) | about 5 years ago | (#29656983)

Putting up scary warnings when all that is required is an encrypted connection is silly.

Without some sort of authentication, you don't know that a man in the middle isn't proxying and decrypting your encrypted connection. These man in the middle attacks are happening [mozilla.org] . Self-signed certs are good for verifying that the proxy hasn't been added between connections, but that doesn't help if you've got a proxy and have always had it.

Re:I'm starting with the man in the middle (1)

TheLink (130905) | about 5 years ago | (#29657647)

What if someone gets a CA in "Elbonia" to sign some certs? The browsers don't protect you against that sort of MITM attack. Go look at how many CAs are preinstalled in your browser. Trust all of them?

If browsers _also_ did the SSH thing where they warn you if the cert has changed from the expected I'd be happy, and the OP would be happy - on his first visit to the site, he might choose to take the risk and say "accept this", and the browser will warn him if it changes in the future.

After all, he could choose to control his risk and exposure by making his first visits via a connection that he can trust. And then subsequent visits could be at some random WiFi.

It's not 100% safe, but neither is the way the current browsers do stuff - if a CA gets tricked/hacked/bribed into signing a Microsoft or a bank cert, you are just as screwed.

Think it'll never happen? Verisign got tricked, and more recently another CA's automated system got exploited.
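The SSH-style behaviour proposed above, as an added Python example (not browser code): a trust-on-first-use pin store that records a host's certificate fingerprint on the first visit and flags any later change, including a change to a certificate that a CA did sign. Host names and certificate bytes below are constructed stand-ins, not real DER.

```python
import hashlib
import json
from pathlib import Path
from typing import Optional


def fingerprint(cert_der: bytes) -> str:
    # SHA-256 over the certificate bytes: the value a pin store would remember.
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Remembers one certificate fingerprint per host (in memory, or in a JSON file)."""

    def __init__(self, path: Optional[Path] = None):
        self.path = path
        self.pins: dict = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins))

    def check(self, host: str, cert_der: bytes) -> str:
        """Return 'first-use', 'match' or 'changed' for this host/cert pair."""
        fp = fingerprint(cert_der)
        pinned = self.pins.get(host)
        if pinned is None:
            # First visit: pin it (ideally done over a connection the user trusts).
            self.pins[host] = fp
            self._save()
            return "first-use"
        return "match" if pinned == fp else "changed"

    def accept_change(self, host: str, cert_der: bytes) -> None:
        # Only after the user has reviewed the change (e.g. a planned renewal).
        self.pins[host] = fingerprint(cert_der)
        self._save()


def decide(store: PinStore, host: str, cert_der: bytes, ca_signed: bool) -> str:
    """Combine today's CA check with the pin check.

    A changed certificate is reported even when a CA vouches for the new one:
    with many preinstalled CAs, a mis-issued certificate would otherwise pass silently.
    """
    pin = store.check(host, cert_der)
    if pin == "changed":
        return "warn-changed"
    if pin == "first-use" and not ca_signed:
        return "prompt-accept"   # self-signed on first visit: the user takes the risk
    return "ok"


def demo() -> tuple:
    """Constructed sequence of visits to one host with two different certificates."""
    store = PinStore()  # in-memory only
    cert_a = b"CONSTRUCTED-CERT bank.example key A"
    cert_b = b"CONSTRUCTED-CERT bank.example key B"
    first = store.check("bank.example", cert_a)
    again = store.check("bank.example", cert_a)
    swapped = store.check("bank.example", cert_b)
    return first, again, swapped


if __name__ == "__main__":
    print(demo())
```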

Re:You didn't expect this? Really want to help? (4, Insightful)

nedlohs (1335013) | about 5 years ago | (#29655655)

No he means what he says, encryption.

If I'm buying stuff then yes some authentication/certification that I'm actually giving my credit card details to the company I think I am is a good thing.

If I am entering my password for a shitty forum web site, then having the session encrypted is nice to have. I don't really care about man-in-the-middle attacks since the alternative is no encryption at all.

Sometimes partial coverage is good enough. But web browsers make it appear that an encrypted connection without authentication is worse than an unencrypted connection without authentication by throwing up scary warnings about evil hackers.

Re:You didn't expect this? Really want to help? (1, Informative)

Anonymous Coward | about 5 years ago | (#29655877)

For repeat customers, accepting a self signed certificate the first time would work fine. The certificate ensures that I'm connected to the site I think I am.

But for all the sites I haven't shopped before, a certificate doesn't improve anything. The certificate confirms that I'm connected to a site I don't know (since I haven't been there before), and I'm expecting to be connected to a site I don't know. But can I trust the site I'm connected to? That's the problem. I don't know. And the certificate won't help me a bit, it can only tell me that I am in fact connected to the site I don't know.

Re:You didn't expect this? Really want to help? (1)

ArsenneLupin (766289) | about 5 years ago | (#29656529)

The certificate confirms that I'm connected to a site I don't know (since I haven't been there before), and I'm expecting to be connected to a site I don't know.

It not only confirms to you that you are connected to a site that you don't know, but to this particular site that you don't know. Which means that if something untoward happens, you now know that site a little bit better :-)

But can I trust the site I'm connected to?

This is a common misunderstanding about the purpose of certificates. Certificates don't help you trust the entities that you are doing business with. They only help you trust that you are talking to who you think you are talking to.

A certification agency's job is not to assess the financial solidity of a bank, or the honesty of an online shop. Their only job is to make sure that only that bank, or that shop, can get a certificate saying that it is indeed that particular bank or that particular shop.

A certificate confirms that you are indeed connected to aShadyDatingSiteThatIJustDiscovered.com rather than to your spying spouse.

Unfortunately those newfangled EV certificates confuse the issue about purpose of certificates...

Re:You didn't expect this? Really want to help? (1)

thegreatemu (1457577) | about 5 years ago | (#29656215)

But the worst part is that absolutely no warning is given when submitting info on a completely unencrypted page. So the message is that somehow encryption via self-signed certificates is worse than just no encryption at all.

We get all these retarded warnings about "You are viewing an encrypted page, but some of the information is not encrypted! Oh noes!" But how freaking hard is it to pop up a warning on any form you try to submit that's unencrypted? Or if you think that would be too annoying, any form that includes a password field?

Re:You didn't expect this? Really want to help? (1)

ArsenneLupin (766289) | about 5 years ago | (#29656569)

Or if you think that would be too annoying, any form that includes a password field?

Exactly! And even better: have a user-maintainable white list of sites that have an unencrypted password field (so that you aren't bothered with noisy warnings whenever you log in to your favorite low-security chat site).

In order to avoid attacks against redirection, key the white list on both the form submission URL and the last URL entered by the user (through address bar or bookmark).

Re:You didn't expect this? Really want to help? (3, Interesting)

ArsenneLupin (766289) | about 5 years ago | (#29655581)

The whole "encryption = authentication" idea is stupid and wrong.

Well in many cases, encryption is used to transmit authentication tokens of some kinds (passwords, credit card numbers...). And certificates are needed to make sure nobody plays man in the middle...

The scary warnings when someone wants to encrypt the traffic between you and their website using their own certificate are commercialism at its worst.

Indeed. Warnings are needlessly scary, because non-certified SSL is still more secure than no SSL at all (non-certified SSL at least protects against passive listeners).

So, in all logic the warnings should even be more scary for the plain unencrypted http case.

Indeed, nowadays, the smart men-in-the-middle just redirect the hijacked connection to an http page, and don't bother with https, because most users won't notice the missing s in the address bar anyway...

Re:You didn't expect this? Really want to help? (1)

icebraining (1313345) | about 5 years ago | (#29655671)

Missing s? I don't know about yours, but Firefox shows a green bar before the URL with the name of the entity, and all browsers show a "lock" symbol, and most people I know expect them in banks and other important websites.

Re:You didn't expect this? Really want to help? (2, Interesting)

ArsenneLupin (766289) | about 5 years ago | (#29655811)

Missing s? I don't know about yours, but Firefox shows a green bar before the URL with the name of the entity,

Mine shows a very short blue bar.

all browsers show a "lock" symbol

Yes, a small lock icon in the lower right corner.

most people I know expect them in banks and other important websites.

So geeks (and their friends...) know about these. But most others don't, and wouldn't notice without anybody drawing attention to it.

Compare this now with the very noisy warnings that you get when trying to access a site with a bad certificate. Any man-in-the-middle worth his salt is going to opt for the missing lock icon rather than the very obnoxious "add exception" page of Firefox.

Re:You didn't expect this? Really want to help? (4, Informative)

ArsenneLupin (766289) | about 5 years ago | (#29656387)

Oh, and some sites (such as facebook or hotmail) only use https for the form submission, but not for the template. Theoretically this is secure (because it's the submission of login data that you want to protect, not the mask that is displayed on screen), but in practice it means that neither of the usual tell-tale signs (green/blue bar, https, lock icon) will be present.

The only way to see whether the form is secure or not is then to view source and check whether the form action has https or not. I don't really believe that grandma is going to bother...

Re:You didn't expect this? Really want to help? (0)

Anonymous Coward | about 5 years ago | (#29655833)

You'd think those clues (gr) would be big enough, but study after study has found people just don't notice. You can't really expect people to passively notice that items which are ok to be missing 99% of the time are suddenly alarming to be missing on that last 1%. That amount of diligence is just not part of the average computer user's interaction.

Re:You didn't expect this? Really want to help? (0)

Anonymous Coward | about 5 years ago | (#29656141)

*You'd think those clues (green bar, lock, etc)...
[stupid editing fail]

Re:You didn't expect this? Really want to help? (1)

mpe (36238) | about 5 years ago | (#29657961)

Warnings are needlessly scary, because non-certified SSL is still more secure than no SSL at all (non-certified SSL at least protects against passive listeners).
So, in all logic the warnings should even be more scary for the plain unencrypted http case.

There are also situations where warnings are not generated when they should be. e.g. a signed certificate changing.

Re:You didn't expect this? Really want to help? (3, Insightful)

zwei2stein (782480) | about 5 years ago | (#29655609)

Encryption without authentication is stupid and wrong too.

The scary warnings are there to make sure that you are not lulled into false safety, because man-in-the-middle attacks can work just fine with encryption as long as you trust their certificate.

Talking securely to someone is implied by the fact that you really know who you are talking to.

Re:You didn't expect this? Really want to help? (1)

Sloppy (14984) | about 5 years ago | (#29655849)

Encryption without authentication is stupid and wrong too.

No more wrong than plaintext without authentication.

Hey dude, we get it: we want authentication. Sometimes we even need it. But that's a totally separate issue from encryption.

Encryption with a MitM has an active spy. Plaintext has an infinite number of passive spies. One of these two situations is better than the other.

Re:You didn't expect this? Really want to help? (0)

Anonymous Coward | about 5 years ago | (#29655969)

So, who can sniff your traffic, who doesn't already own the network you're traveling through?

Re:You didn't expect this? Really want to help? (1)

ArsenneLupin (766289) | about 5 years ago | (#29656639)

So, who can sniff your traffic, who doesn't already own the network you're traveling through?

Some attacks on switches (ARP spoofing, ARP table flooding) would allow passive spying, but no reliable interception. This is because such an attack duplicates switch traffic to both the intended target and the attacker. If the attacker intercepted, rather than just passively listened, it might become obvious that the client is suddenly getting two replies to each packet, and it might start acting strange (dropping connections, etc.)

Also, some physical taps (picking up the electromagnetic fields outside of a cable using a pick-up solenoid) allow one to listen, but not modify, communication.

Also, passive listening is easier to set up (basically, just a tcpdump...) whereas active interception is more complicated (a proxy)

Re:You didn't expect this? Really want to help? (1)

IBBoard (1128019) | about 5 years ago | (#29655933)

Talking securely to someone is implied by fact that you really know who you are talking to.

Huh? A->B does not mean B->A. Knowing who you talk to doesn't imply it is secure. The two can be separated out quite clearly - obvious real-world examples being "talking in a crowded room to a friend" (authentication without security) and "whispering to someone you've just met" (not the greatest example, but it should be fairly secure even if you don't have a clue who the hell they are).

Re:You didn't expect this? Really want to help? (1)

ArsenneLupin (766289) | about 5 years ago | (#29656721)

"talking in a crowded room to a friend" (authentication without security) and "whispering to someone you've just met" (not the greatest example, but it should be fairly secure even if you don't have a clue who the hell they are).

It's not about the security of your communication partner, but about security of the communication medium.

Try "passing notes in a classroom":

  • "notes written on small sheets of paper": some of the people on the way to your target could read the note as well.
  • "notes sealed in plain jane white envelopes": more secure, but somebody en route could open the envelope, read the note, and stuff it into a new envelope.
  • "notes sealed in fancy, hard to find envelopes": most secure, as the interceptor will not have the correct envelope to put the note into.

Nowhere does the trustworthiness of the final target enter into play, only the trustworthiness of those students that pass the message on (i.e. the communications medium).

Re:You didn't expect this? Really want to help? (1)

IBBoard (1128019) | about 5 years ago | (#29657023)

Depending on which angle you're looking at the communication from, I agree with what you're saying. The thing is that most of those examples are the wrong way around for HTTPS (which is what we'd strayed towards as an example). In those analogies HTTPS is more like *makes random example* the person you're passing the note to sending you a padlocked box first and they've signed it in permanent marker. You know you've got something secure to send your response and you know it is from them because it has their signature on it.

The comment I was replying to explicitly said that security is implied by talking to a known individual, which isn't true since even when talking to a known individual then you're still liable to interception (which is breached security).

Re:You didn't expect this? Really want to help? (1)

ArsenneLupin (766289) | about 5 years ago | (#29657655)

This is actually an excellent example, especially since it is the recipient (web site) which signs the padlocked boxes. This makes it much closer to the real https (where web sites are certified, and generally not clients) than mine with the "fancy envelopes". Also, it addresses the case where the interloper does not care whether his attack has been detected after the fact.

Thanks.

Re:You didn't expect this? Really want to help? (1)

buchner.johannes (1139593) | about 5 years ago | (#29655955)

But it is stupid that we have scary warnings for encrypted, not authenticated traffic, but unencrypted, not authenticated websites have no warnings.
It makes HTTP look more secure than HTTPS. Encrypted, not authenticated/verified HTTPS is as secure as HTTP.

Disappointing. However, this is still the year (2, Funny)

Anonymous Coward | about 5 years ago | (#29655537)

of personal digital certificates on the Linux desktop, over IPv6.

WoT (4, Interesting)

smoker2 (750216) | about 5 years ago | (#29655631)

I was a member of the WoT back in '99. It took several weeks (nearly a month) to find accessible notaries, and their method of meeting was suspect to say the least. For one I had to travel 30 miles to another town and meet in a supermarket car park. After I got my cert, no-one I sent signed messages to knew how to handle it - encryption was pointless. I let it lapse after about a year, and haven't bothered since.

Unfortunately, unless the govt. mandates personal electronic signatures, it ain't going to happen. And no-one will want to use it under govt. mandate anyway. This stuff is geek only territory.

Re:WoT (1)

Victor_0x53h (1164907) | about 5 years ago | (#29655903)

I agree, it was great certifying my email, but nobody else I knew was using even the free cert, so I let mine lapse too. It's a great concept, but just won't work out until fully integrated into all clients, or mandated.

I tried contacting several trust members in 2003ish, and never received a response.

Re:WoT (2, Interesting)

macterra (75505) | about 5 years ago | (#29656821)

> Unfortunately, unless the govt. mandates personal electronic signatures, it ain't going to happen. And no-one will want to use it under govt. mandate anyway. This stuff is geek only territory.

I respectfully disagree. Google could easily add PK security to gmail, initially as a new feature that works only with other google accounts, and this would increase pressure for other email providers to adopt the standard.

Re:WoT (2, Insightful)

Domini (103836) | about 5 years ago | (#29657111)

I disagree. Google cannot do this unless they change the way gmail works. I will not let them touch my private key lest I end up not trusting my own private key. You can say they can then kinda leave it on your PC and access it with client side JS, but then you sit again with the problem that it becomes hard to manage and understand by the masses.

Re:WoT (1)

Domini (103836) | about 5 years ago | (#29657153)

Same here. Was quite a process... had to drive around a lot and meet weird people. After that it was denied by the same government that had an official policy to accept it. And my bank preferred even a plain e-mail over it.

No one had a clue what to do with it.

The only thing I used it for was for secure e-mail... pah... could just as well have stooped to PGP then.

Me.

Re:WoT (1)

Hurricane78 (562437) | about 5 years ago | (#29657711)

Well, in Germany, electronic signatures issued by your bank are valid signatures for contracts and the like. So you can actually sign an e-mail, send it to a government office, and they have to accept it as if it were a physical letter with signature.

Of course, if you really try that, they will fail, and if you're lucky ask you what that was, instead of ignoring it as an "error". But you *can* sue to enforce it being accepted. But you would have to actually sue. Because they would ignore or not believe that they have to comply and that you would sue otherwise.

I personally accept these digital signatures in my business.

How unexpected... (5, Funny)

Admiralbumblebee (996792) | about 5 years ago | (#29655673)

I never thawte this would happen.

Re:How unexpected... (2, Funny)

angrytuna (599871) | about 5 years ago | (#29656623)

mod parent up +1 inthawteful, plz.

Will the freeware java developers effected? (2, Interesting)

Ilgaz (86384) | about 5 years ago | (#29655739)

I have seen many Java signed opensource/freeware coming with that Thawte free mail certificate. I hope they won't be effected with it and if brain dead Sun offers some kind of special treatment to those, it won't be any matter.

Of course, it is Sun we talk about and even Oracle couldn't still change anything.

90% of the reason the Thawte brand was known among professional users was the "Thawte free certificate", which was supported perfectly by mail clients. Thawte has no clue what kind of harm they did to brand value/recognition to save a couple of CPU cycles and a couple of gigabytes.

People thinking GNU PG or free PGP will be implemented by those: No, they will simply move to another way of pkcs signing their mails or buy commercial PGP.

Re:Will the freeware java developers effected? (1, Interesting)

Anonymous Coward | about 5 years ago | (#29657381)

What does that say about their business model if 90% of their professional users didn't pay them anything? And I bet Thawte know exactly what they're doing with regards to their brand value/recognition. Tell me where else are people likely to go for certs if not to Thawte? VeriSign? Geotrust?

As a VRSN stockholder, I'm loving it.

Re:Will the freeware java developers effected? (1)

Hurricane78 (562437) | about 5 years ago | (#29657791)

<italian mafia accent>Umm... about your subject:
Need a bag of English? We've got some on sale. With nice words like "be" and "affected". We even have a special today, where we include a whole capital letter "J" for free!
Only $5! Beautiful fonts! Nice kerning! Buy now, before it's too late!
</italian mafia accent>

In order to end their "Web of Trust"... (1)

John Hasler (414242) | about 5 years ago | (#29655751)

...they would first have to start one. Since Thawte is part of Verisign and Verisign is not worthy of trust...

Comodo? (1)

hedrick (701605) | about 5 years ago | (#29655983)

Any reason not to use Comodo's equivalent?

Java WebStart, J2ME, Java applets (3, Insightful)

Gollum (35049) | about 5 years ago | (#29656073)

One thing that a lot of people are ignoring is that Thawte FreeMail certs are used by a lot of small developers to publish Java apps, and this would kill off that ability quite quickly.

That said, I have not seen a word of this on the Thawte web site, which makes me wonder if the submitter is trying to perform a DoS on Thawte for some reason, and is tricking the slashdotters into being that DoS. The page linked takes an enormous amount of time to decide that there is nothing to return, meanwhile slashdotters are beating on the server over and over. Sorry for the OP, though. The rest of their site still seems to be just fine.

Re:Java WebStart, J2ME, Java applets (1, Informative)

Anonymous Coward | about 5 years ago | (#29656627)

1. Why have you stopped offering thawte Personal Email Certificates?

Over the past several years, security compliance requirements have become more restrictive, while the technology infrastructure necessary to meet these requirements has expanded greatly. Despite our strong desire to continue providing the Thawte Personal E-mail Certificate and Web of Trust services, the ever-expanding standards and technology requirements will outpace our ability to maintain these services at the high level of quality we require. As a result, Thawte Personal E-Mail Certificates and the Web of Trust will be discontinued on November 16, 2009 and will no longer be available after that date.

2. What is Thawte going to do for customers with active Thawte Personal Email Certificates?

Customers with active Thawte® Personal Email Certificates will be given the option to enroll for a free one year VeriSign® Email Certificate.

3. Why are you revoking my Thawte Personal Email Certificate?

After 16 November 2009, the system that supports Thawte Personal Email Certificates will shut down and as a result, active email Certificates and enrollments of email Certificates will no longer be available.

4. When is Thawte going to revoke my Thawte Personal Email Certificate?

Your Thawte Personal Email Certificate will be revoked on 16 November 2009 on the same date that we stop offering Thawte Personal Email Certificates.

5. Does Thawte have an alternate product available to replace my active Thawte Personal Email Certificates?

Yes, Thawte is offering a free one-year VeriSign Email Certificate for each active Thawte Personal Email Certificate you own as of 24 September 2009.

6. How do I replace my Thawte Personal Email Certificate?

You may replace your Thawte Personal Email Certificate by redeeming the token that you received in the email from Thawte by 16 January 2010, and enrolling for your free one-year VeriSign Email Certificate at the link below:

Microsoft Internet Explorer Browsers: https://digitalid.verisign.com/client/class1MSToken.htm

Mozilla, Firefox, Netscape, or Apple Safari Browsers:
https://digitalid.verisign.com/client/class1NetscapeToken.htm

7. Will I be required to provide any documentation in order to request my replacement VeriSign Email Certificate?

No documents will be required when you request a replacement VeriSign Email Certificate.

8. Up until what date can I request my replacement VeriSign Email Certificate?

Requests for replacement VeriSign Email Certificates must be submitted by 16 January 2010.

9. When should I request my replacement VeriSign Email Certificate?

Thawte recommends that you replace your Thawte Personal Email Certificate as soon as possible to allow you sufficient time to install and test your new VeriSign Email Certificate. In any event, the last day to request a free replacement Certificate is 16 January 2010.

10. How do I renew my Thawte Personal Email Certificate?

Thawte Personal Email Certificates may not be renewed. Instead, you received a token in an email from Thawte, which may be used for a free one-year VeriSign Email Certificate. You may redeem your token and enroll for the Certificate at the link below:

Microsoft Internet Explorer Browsers: https://digitalid.verisign.com/client/class1MSToken.htm

Mozilla, Firefox, Netscape, or Apple Safari Browsers:
https://digitalid.verisign.com/client/class1NetscapeToken.htm

11. Can I revoke my Thawte Personal Email Certificate before Thawte stops offering Thawte Personal Email Certificates?

Yes, you may revoke your Thawte Personal Email Certificate before 16 November 2009 by logging into your portal at:

http://www.thawte.com/secure-email/personal-email-certificates/index.html?click=main-nav-products-email and selecting
1. Certificates
2. Revoke a Certificate

12. Will Thawte offer refunds for revoked Thawte Personal Email Certificates?

Thawte is offering a free one-year VeriSign Email Certificate as a replacement for each active Thawte Personal Email Certificate you own as of 24 September 2009.

13. What will happen to the documents that I sent to Thawte to validate my identity?

Thawte will continue to store the documents that we received to validate your identity pursuant to the guidelines set forth in our Certificate Practice Statement (CPS) and Privacy Policy.

14. What will happen to the documents I gave to the notary to validate my identity?

The notary who validated your identity is required to store your identification documents for a minimum of 5 years.

15. What will happen to the applications that I have signed / encrypted with my current Thawte Personal Email Certificate?

Certificates that are revoked can no longer be used to sign or encrypt email. Existing Certificates will continue to be able to decrypt emails as long as they remain on the same machine as the encrypted email. A warning message will display indicating that the certificate has been revoked when decrypting the email.

16. How do I request my replacement VeriSign Email Certificate?

You may request a replacement VeriSign Email Certificate by redeeming the token that you received in the email from Thawte and enrolling for your free one-year VeriSign Email Certificate at the link below:

Microsoft IE: https://digitalid.verisign.com/client/class1MSToken.htm

For Mozilla, Firefox, Netscape, or Apple Safari:
https://digitalid.verisign.com/client/class1NetscapeToken.htm

17. What information do I need to provide during enrollment in order to request my free VeriSign Email Certificate?

First Name: Nickname or middle initial allowed
(example -- Jack B.)
Last Name:
(example -- Doe)
Your E-mail Address:
(example -- jbdoe@verisign.com)
Challenge Phrase

18. What is the difference between the replacement VeriSign Email Certificate and the Thawte Personal Email Certificate?

Both certificates will sign and encrypt emails on email clients capable of S/MIME. The VeriSign Email Certificate will also include your name.

19. Will the replacement VeriSign Email Certificate support the same applications as the Thawte Personal Email Certificate?

Yes, both VeriSign and Thawte Email Certificates will sign and encrypt emails on email clients capable of S/MIME.

20. How long will it take to issue my VeriSign Email Certificate?

VeriSign Email Certificates are usually issued within one hour after the enrollment process is completed.

21. What format is the VeriSign Email Certificate available in?

The VeriSign Email Certificate is available in the following formats:

Generic X509
MSIE
NetscapeNav
Opera
Lotus Notes

22. Will I have to pay for the renewal of my VeriSign Email Certificate?

Your free VeriSign Email Certificate is valid for a period of one year from the date of issuance after which you will have the option to renew your VeriSign Email Certificate at the current price of US$19.95.

23. When will my token expire?

Your token will expire on 16 January 2010.

24. I have just enrolled for a Thawte Personal Email Certificate and it has not yet been approved. What will happen to my application?

Unfortunately the application will no longer be processed.

25. How do I enroll for my VeriSign Email Certificate:

Microsoft Internet Explorer:
https://digitalid.verisign.com/client/class1MSToken.htm

For Mozilla, Firefox, Netscape, or Apple Safari:
https://digitalid.verisign.com/client/class1NetscapeToken.htm

26. How do I install my VeriSign Email Certificate:
https://knowledge.verisign.com/support/digital-id-support/index?page=answers&startover=y&question_box=ar849

27. How do I setup my VeriSign Email Certificate:
https://knowledge.verisign.com/support/digital-id-support/index?page=content&id=AR654&actp=GETTING_STARTED

28. How do I back up my VeriSign Email Certificate:
https://knowledge.verisign.com/support/digital-id-support/index?page=content&id=AR226&actp=GETTING_STARTED
 

Re:Java WebStart, J2ME, Java applets (1)

Mal-2 (675116) | about 5 years ago | (#29657993)

This is directly from the website [thawte.com]:

> 1. Why have you stopped offering thawte Personal Email Certificates?
>
> Over the past several years, security compliance requirements have become more restrictive, while the technology infrastructure necessary to meet these requirements has expanded greatly. Despite our strong desire to continue providing the Thawte Personal E-mail Certificate and Web of Trust services, the ever-expanding standards and technology requirements will outpace our ability to maintain these services at the high level of quality we require. As a result, Thawte Personal E-Mail Certificates and the Web of Trust will be discontinued on November 16, 2009 and will no longer be available after that date.

Hmm.. Can't find a definite reference (1)

ivan_w (1115485) | about 5 years ago | (#29656181)

That's the second source that's telling me the Free e-mail certs/WOT program is coming to an end..

However, looking at http://www.thawte.com/ [thawte.com] doesn't reveal anything as such..

But I can't say I'm *that* surprised..

--Ivan

why hasn't the media picked this up? (0)

Anonymous Coward | about 5 years ago | (#29656211)

Because this does not make for good news. The majority of webans don't use certs. Also things are heading in the other direction ... for example I can log into facebook and see who just took a shit, whose dog pissed on the rug, etc. They install apps with access to all their personal data. People give up privacy and security every 10 seconds for a free hand job it seems. I could get 99% of webans to send me something secure over plain open email and they would do it without question.

Re:why hasn't the media picked this up? (2, Funny)

muckracer (1204794) | about 5 years ago | (#29656335)

> People give up privacy and security every 10 seconds for a free hand job it seems.

Free hand job? Want my address? :-)

Re:why hasn't the media picked this up? (1)

mdm42 (244204) | about 5 years ago | (#29657827)

> Free hand job? Want my address? :-)

Naah... but send me your bank details.

Facebook Friends (5, Interesting)

muckracer (1204794) | about 5 years ago | (#29656253)

Since people are quite adamant about adding each other as 'friends' on social networking sites like Facebook etc., why can't something like the Web-of-Trust be riding along somehow? Or at minimum a GPG key exchange requiring no further steps? There's gotta be a way! Firefox/Thunderbird Plugin that has access to all keys of your 'friends' and uses them automatically? Something like that.

Re:Facebook Friends (1)

Hurricane78 (562437) | about 5 years ago | (#29657831)

Because that would be the complete opposite of how the web of trust is meant to work?

I mean the sole concept of putting "Facebook" and "Trust" in one sentence...! What were you thinking? ;)

Finally! A source! (0)

Anonymous Coward | about 5 years ago | (#29656325)

Thawte's FAQ on the matter:

https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO12658

Needs a new innovator (1)

krisbrowne42 (549049) | about 5 years ago | (#29656467)

This is the perfect realm for someone like Google to change the space...

As of now PKI for email is just too much work for a normal user, and single emails, or single users, using encryption stand out as people to monitor, anomalous activity.

Someone like Google could add a checkbox in their Labs features that automatically encrypts email between users who have the feature enabled on their system, and publicizes the spec so others can implement on the server side. It doesn't address the authentication side of the equation, but at least could raise the traffic level of encrypted email enough to make purposely encrypted emails noise instead of signal.

Authentication can still be handled by other means, including SSI and self-signed keys.

Re:Needs a new innovator (1)

RMH101 (636144) | about 5 years ago | (#29657721)

it's a bit hard to do keyword/traffic analysis on an encrypted exchange of email, though, which is what pays for your free Gmail...

Re:Needs a new innovator (1)

metamatic (202216) | about 5 years ago | (#29659277)

> Someone like Google could add a checkbox in their Labs features that automatically encrypts email between users who have the feature enabled on their system, and publicizes the spec so others can implement on the server side.

We already have a spec, S/MIME. But Google doesn't even support that, let alone make it easy to use with Gmail.

Less than two weeks? (1)

Brad Mace (624801) | about 5 years ago | (#29656511)

Submitter might want to recheck their calendar. They must have gotten some weird looks when they were trick-or-treating this weekend.

Let us not forget (1)

xrayspx (13127) | about 5 years ago | (#29656653)

That Verisign acquired Thawte 10 years ago in a deal that made Mark Shuttleworth a brazillionaire capable of sustaining a swell OSS project. Are they then just shuffling people from a free product to a for-pay model, or is there a significant advantage to the Verisign product? It seems they are replacing a whole community of users and trust with email certs that offer none of that extended web of trust.

Re:Let us not forget (1)

shadwstalkr (111149) | about 5 years ago | (#29657663)

As I understand it the paid certificates don't need a "web of trust" because verisign will verify your identity directly. The web of trust was just a way for them to save on administrative costs.

Options (0)

Anonymous Coward | about 5 years ago | (#29656663)

Do we have any options now? Do I need to self-generate certs and email them to people I wish to send encrypted email to?

What about the calendar of trust? (1)

greenguy (162630) | about 5 years ago | (#29657479)

You know, the one where November 16 is two weeks after October 6th.

Where's My Email? (1)

fast turtle (1118037) | about 5 years ago | (#29657521)

The last official email I've received from Thawte was a year ago when my certs expired. As to whether this is actually happening, I simply have to say it's a bogus message put out by someone who's got an axe to grind with Thawte. As to Verisign purchasing Thawte 10 years ago, I wasn't aware of that as there was and is no information about such a purchase on their website, which is a critical piece of information that must be provided (of course I've not looked at their SEC filings to okay/deny).

Fake? (1)

Nikademus (631739) | about 5 years ago | (#29658385)

It seems the post has been removed at the moment... Was it a fake one?

I now get:
Article is unavailable or has been removed, please try a new search.
        The article was not found, or is no longer available. Please try a new search..

So they're charging for it... (2, Insightful)

vanyel (28049) | about 5 years ago | (#29658647)

$20/yr is not an onerous fee, big deal. I'm surprised it's gone free this long. If you really can't stand to pay for the service you're using, go to cacert.org.
