Slashdot Mirror

In September of 2014, NetCraft confirmed there to be over 1 billion websites on the world wide web. There are over 140 million .com and .net domains alone, as well as millions of websites for each country code top-level domain (ccTLD), such as .de for Germany and .cn for China. But in North Korea, the number of websites the country has registered for its top-level domain is in the double digits. Motherboard reports: On Tuesday, apparently by mistake, North Korea misconfigured its nameserver, essentially a list that holds information on all of the domains that exist for .kp, allowing anyone to query it and get the list. In other words, a snafu by North Korea's system administrators allowed anyone to ask the country's nameserver: "can I have all of your information on this domain?" and get an answer, giving everyone a peek into the strange world of North Korea's web. North Korea has only 28 registered domains, according to the leaked data. "We didn't think there was much in the way of internet resources in North Korea, and according to these leaked zone files, we were right," Doug Madory, a researcher at Dyn, a company that monitors internet use and access around the world, told Motherboard. Some of the sites aren't reachable, perhaps because after Bryant discovered them, they are being deluged with traffic.

Some of the major companies that provide the basic infrastructure that makes the internet work have seen an increase in DDoS attacks against them, says Bruce Schneier. He adds that these attacks are of much larger scale -- including the duration -- than the ones we have seen previously. These attacks, he adds, are also designed to test what all defense measures a company has got -- and they ensure that the company uses every they have got, leaving them with no choice but to demonstrate their defense capabilities to the attacker. He hasn't specifically shared details about the organizations that are under attack, but what little he has elaborated should give us a chill. From his blog post: [...] This all is consistent with what Verisign is reporting. Verisign is the registrar for many popular top-level Internet domains, like .com and .net. If it goes down, there's a global blackout of all websites and e-mail addresses in the most common top-level domains. Every quarter, Verisign publishes (PDF) a DDoS trends report. While its publication doesn't have the level of detail I heard from the companies I spoke with, the trends are the same: "in Q2 2016, attacks continued to become more frequent, persistent, and complex." There's more. One company told me about a variety of probing attacks in addition to the DDoS attacks: testing the ability to manipulate internet addresses and routes, seeing how long it takes the defenders to respond, and so on. Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services. Who would do this? It doesn't seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It's not normal for companies to do that. Furthermore, the size and scale of these probes -- and especially their persistence -- points to state actors. It feels like a nation's military cybercommand trying to calibrate its weaponry in the case of cyberwar. It reminds me of the US's Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities.

raceBannon writes "The authors, Steve Winterfield and Jason Andress, cover everything you will want to consider when thinking about how to use cyberspace to conduct warfare operations. The primary concepts have been bouncing around US military circles for over a decade but they have never been collected into one tome before. Clarke and Knake's book, Cyber War: The Next Threat to National Security and What to Do about It, discusses how weak the US network defenses are and offers suggestions about how to improve. Carr's book, Inside CyberWarfare: Mapping the Cyber Underworld, presents threat examples and nation state capabilities. Libicki's book, Cyberdeterrence and Cyberwar, attacks cyberwar from a policy viewpoint and does not really address operational considerations. Stiennon's book, Surviving Cyberwar, is a good place to start if you are new to the subject and is almost a prerequisite for this book." Read on for the rest of raceBannon's review. Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners author Jason Andress and Steve Winterfield pages 289 publisher Syngress rating 10 reviewer raceBannon ISBN 1597496375 summary A consolidation of the current thinking around the topic of cyber warfare. Although the content has been around for a while, it is striking how little the main concepts have changed. In a world where new innovations completely alter the popular culture every eighteen months, the idea that Cyber Warfare's operational principals remain static year after year is counter-intuitive. After reading through the various issues within though, you begin to understand the glacial pace. These difficult concepts spawn intractable problems and the authors do a good job of explaining them.

I do have a slight issue with the subtitle though: "Techniques, Tactics and Tools for the Security Practitioners." The way I read this book, the general purpose (GP) Security Practitioner will not find this book very useful except as background information. Aside from the chapters on Logical Weapons, Social Networking and Computer Network Defense, most of the material has to do with how a nation state, mostly the US, prepares to fight in cyber space. There is overlap for the GP security practitioner, but this material is covered in more detail in other books.

The book is illustrated. Some of the graphics are right out of military manuals and have that PowerPoint Ranger look about them. Some are screenshots of the various tools presented. Others are pictures of different equipment. One graphic stood out for me in the Cyberspace Challenges chapter (14). The graphic in question is a neat Venn Diagram that encapsulates all of the Cyber Warfare issues mentioned in the book, categorizes the complexity of each issue and shows where they overlap in terms of Policy, Processes, Organization, Tech, People and Skills. My only ding on the diagram is that in the same chapter, the authors discuss how much each issue might cost to overcome. It would have been very easy to represent that information on the Venn diagram and make it more complete.

One last observation about the graphics that I really liked is the author's use of "Tip" and "Note" boxes throughout the book. Scattered throughout the chapters are grayed-out text boxes that talk about some technology or procedure that is related to the chapter information but not directly. For example, in the Social Engineering chapter (7), the authors placed a "Note" describing the various Phishing forms. You do not need the information to understand the chapter but having it nearby provides the reader with a nice example to solidify the main arguments. The book is full of these examples.

The first three chapters are my favorites. Winterfield and Andress do agood job of wrapping their heads around such entangled concepts as the definition of cyber warfare, the look of a cyber battle space and an international view of current doctrine It is fascinating.

In the middle of the book, the authors take on the task of describing the Computer Network Operations (CNO) Spectrum; a spectrum that ranges from the very passive form of Computer Network Defense (CND) through the more active forms of Computer Network Exploitation (CNE) and Computer Network Attack (CNA). It is indeed a spectrum too because the delineation between where CND, CNE and CNA start and stop is not always clean and precise. There is overlap. And somewhere along that same spectrum is where law enforcement organizations and counter-intelligence groups operate. You can get lost fairly quickly without a guide and the authors provide that function admirably. The only thing missing from these chapters is a nice diagram that encapsulates the concept.

Along the way the reader gets a nice primer on the legal issues surrounding Cyber Warfare, the ethics that apply, what it takes to be a cyber warrior and a small glimpse over the horizon about what the future of Cyber Warfare might bring. In the end, Winterfield and Andress get high marksfor encapsulating this complex material into an easy-to-understand manual; a foundational document that most military cyber warriors should have at their fingertips and a book that should reside on the shelf of anybody interested in the topic.

Full Disclosure: One of the authors, Steve Winterfield, used to work for me when he and I were both in the US Army wrestling with all of these ideas right after 9/11. I ran the Army Computer Emergency Response Team (ACERT) and Steve ran the Army's Southern Regional CERT (RCERT South). He and I have been friends ever since and he even quoted me in one of the back chapters.

You can purchase Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

darthcamaro writes "In case you needed further proof of China's breakneck pace of growth on the web, InternetNews is reporting on data from Verisign that the .cn Top Level Domain (TLD) has now become the second biggest TLD worldwide, surpassing Germany's .de and second only to .com. The number of .cn sites grew by 76 percent in 2008, which is significantly more growth than .com and .net, which only grew by 16 percent combined. A graph in the Verisign report (PDF) shows how quickly China's internet presence has grown in the past two years."

An Anonymous SAIC Employee writes "The 'independent' company hired by ICANN to advise them on who should run the .com and .net registry has recommended that Verisign (fact sheet) should be chosen to continue to run the registry. Is it any surprise? Telcordia was owned by SAIC (Fact Sheet) during the time the study was conducted. SAIC bought Telcordia (fact sheet) (then Bellcore) in Nov. 1997 and sold it March 15, 2005. Network Solutions was bought by SAIC in 1995 and sold in 2000. Also, Telcordia worked with Verisign on the ENUM project. Is the fox guarding the hen house?"

mikrorechner writes "As reported previously, ICANN is looking for a new registrar for the .net tld. The biddings are in now, and The Register has a lengthy article about the five contenders. Their guess is that only two really have a chance: VeriSign and DeNIC. We will know more in two months."

belmolis writes " The New York Times is reporting that the bidding is on for the .net domain currently administered by VeriSign. VeriSign's current contract expires June 30th; applications are due today. Three companies are known to be interested: NeuStar, which currently manages .biz, Afilias, which manages .info, and Denic eG, a non-profit that manages the German .de domain. ICANN is bending over backward to avoid any suggestion of bias due to its conflict with VeriSign over VeriSign's Site Finder "service" and has appointed an independent team to evaluate the applications. VeriSign has been lobbying hard to keep the domain and is reported to have received letters of support from Microsoft and IBM."

An anonymous reader writes "Community outrage forced VeriSign to kill SiteFinder, but they vowed to bring it back. Looks like SiteFinder is alive and well in the .cc TLD. Just enter your own favorite unregistered name to check it out."

Tee Emm writes "VeriSign's DNS Rapid Update notice period (as announced on NANOG mailing list) expires today. Beginning September 9, 2004 the SOA records of the .com and .net zones will be updated every 5 minutes instead of twice a day. The format of the serial number is also changing from the current YYYYMMDDNN to a new one that depicts the UTC time." We first mentioned this back in July, but it's finally launching now.

Robert Accettura writes "Network Solutions has updated its whois interface, giving it an interesting new twist. On top of regular info provided, it shows data that appears to be from Alexa, including a screenshot of the homepage (though not terribly recent), as well as looks up your IP, and displays lots of information on it. It even shows the server type, if it supports SSL, DMOZ, Yahoo listing, traffic ranking, and lock status. This comes right after they announced rapid DNS updates. Perhaps they are trying to win over the geeks before they turn on sitefinder?"

Changeling writes "According to Matt Larson, a representative of VeriSign Naming and Directory Services, on September 8, 2004 Verisign will be switching from performing 2 updates per day of the .com and .net zones to performing updates every few seconds. According to Matt, 'After the rapid DNS update is implemented, the elapsed time from registrars' add or change operations to the visibility of those adds or changes in all 13 .com/.net authoritative name servers is expected to average less than five minutes." Full story can be found here."

ixs writes "CircleID has an interesting article by David Monosov about Verisign's plans to reintroduce Sitefinder. The article presents the thesis that the Internet engineering community is partly to blame for Verisign's ability to mess with the .com and .net root zones. According to the author we spend too much time with our systems and not enough with politics. The writeup was previously posted to NANOG and received a favorable response from Paul Vixie."

JamesD_UK writes "Verisign has been given the contract to develop a national RFID directory by EPCGlobal. Under the directory scheme each company will maintain an Object Name Service analogous to DNS with Verisign running the root server. Verisign has already setup the infrastructure at six different global sites."

We had to do a little sleuthing today. Many readers wrote in with problems that turned out to be related. A certificate which Verisign used for signing SSL certificates has expired. When applications which depend on that certificate try to make an SSL connection, they fail and try to access crl.verisign.com, the certificate revocation list server. This has effectively DOS'ed that site, and Verisign has now updated the DNS record for that address to include several non-routable addresses, reducing the load on their servers. Some applications affected include older Internet Explorer browsers, Java, and Norton Antivirus (which may manifest itself as Microsoft Word being very slow to start). Hope this helps a few people, and if you have other apps with problems, please post about them below.

Perianwyr Stormcrow writes "Verisign shot off a message today saying that they're selling off Network Solutions to Pivotal Private Equity (a firm specializing in picking up and turning around 'under-performing' businesses.) Perhaps Sitefinder was an attempt at maximizing shareholder value for the sale."

kiddailey writes "Claiming that their own independent examination of their controversial redirection service has found 'no security or stability problems', and that 'Internet users consider the service a helpful tool to navigate the web', Verisign has announced that it will give a 30- to 60-day notice before resuming the SiteFinder 'feature' that it voluntarily shut-down a couple of weeks ago."

dmehus writes "A third lawsuit has been filed late Friday in a federal district court in California against VeriSign, Inc. over its controversial DNS wildcard redirection service known as SiteFinder. According to the article, it was filed by longtime Internet litigator Ira Rothken. In addition, while two other lawsuits have been filed by Go Daddy Software, Inc. and Popular Enterprises, LLC. in Arizona and Florida, this is the first lawsuit to seek class-action status."

dmehus writes "A third lawsuit has been filed late Friday in a federal district court in California against VeriSign, Inc. over its controversial DNS wildcard redirection service known as SiteFinder. According to the article, it was filed by longtime Internet litigator Ira Rothken. In addition, while two other lawsuits have been filed by Go Daddy Software, Inc. and Popular Enterprises, LLC. in Arizona and Florida, this is the first lawsuit to seek class-action status."

MrClever writes "In this article over at the Sydney Morning Herald (AU), it looks as though ICANN may actually be doing something about the VeriSign changes to .com and .net TLD's. Apparently, while they have been noticably quiet, they have been reviewing community reaction and analysed data from a technical perspective. Here's hoping ICANN pull the plug on VeriSign's TLD administration rights!" And TALlama writes "RSS.com.com (dear $DIETY, will it ever stop?) is reporting that ICANN has asked VeriSign 'to voluntarily suspend the service' of wildcarding DNS, 'pending further study.' Calling it a 'service' is a little bit of a misnomer. If I punch people in the face, can I call that a service, too?"

dmehus writes "It was only a matter of time, the pundits said, and they were right. Popular Enterprises, LLC., an Orlando, Florida based cybersquatting so-called 'search services' company, has filed a lawsuit in Orlando federal court against VeriSign, Inc. over VeriSign's controversial SiteFinder 'service.' While PopularEnterprises has had a dodgy history of buying up thousands of expired domain names and redirecting them to its Netster.com commercial "search services" site, the lawsuit is most likely a good thing, as it provides one more avenue to pursue in getting VeriSign to terminate SiteFinder. According to the lawsuit, the company contends alleges antitrust violations, unfair competition and violations of the Deceptive and Unfair Trade Practices Act. It asks the court to order VeriSign to put a halt to the service. VeriSign spokesperson Brian O'Shaughnessy said the company has not yet seen the lawsuit and that it doesn't comment on pending litigation."

DragonHawk writes "As of a little while ago (it is around 7:45 PM US Eastern on Mon 15 Sep 2003 as I write this), VeriSign added a wildcard A record to the .COM and .NET TLD DNS zones. The IP address returned is 64.94.110.11, which reverses to sitefinder.verisign.com. What that means in plain English is that most mis-typed domain names that would formerly have resulted in a helpful error message now results in a VeriSign advertising opportunity. For example, if my domain name was 'somecompany.com,' and somebody typed 'soemcompany.com' by mistake, they would get VeriSign's advertising." Read on below for some more information.

"(VeriSign is a company which purchased Network Solutions, another company which was given the task by the US government of running the .COM and .NET top-level domains (TLDs). VeriSign has been exploiting the Internet's DNS infrastructure ever since.)

This will have the immediate effect of making network trouble-shooting much more difficult. Before, a mis-typed domain name in an email address, web browser, or other network configuration item would result in an obvious error message. You might not have known what to do about it, but at least you knew something was wrong. Now, though, you will have to guess. Every time.

Some have pointed out that this will make an important anti-spam check impossible. A common anti-spam measure is to check and make sure the domain name of the sender really exists. (While this is easy to force, every little bit helps.) Since all .COM and .NET domain names now exist, that anti-spam check is useless.

VeriSign has published white papers about their implementation and also made some recommendations."

DragonHawk writes "As of a little while ago (it is around 7:45 PM US Eastern on Mon 15 Sep 2003 as I write this), VeriSign added a wildcard A record to the .COM and .NET TLD DNS zones. The IP address returned is 64.94.110.11, which reverses to sitefinder.verisign.com. What that means in plain English is that most mis-typed domain names that would formerly have resulted in a helpful error message now results in a VeriSign advertising opportunity. For example, if my domain name was 'somecompany.com,' and somebody typed 'soemcompany.com' by mistake, they would get VeriSign's advertising." Read on below for some more information.

"(VeriSign is a company which purchased Network Solutions, another company which was given the task by the US government of running the .COM and .NET top-level domains (TLDs). VeriSign has been exploiting the Internet's DNS infrastructure ever since.)

This will have the immediate effect of making network trouble-shooting much more difficult. Before, a mis-typed domain name in an email address, web browser, or other network configuration item would result in an obvious error message. You might not have known what to do about it, but at least you knew something was wrong. Now, though, you will have to guess. Every time.

Some have pointed out that this will make an important anti-spam check impossible. A common anti-spam measure is to check and make sure the domain name of the sender really exists. (While this is easy to force, every little bit helps.) Since all .COM and .NET domain names now exist, that anti-spam check is useless.

VeriSign has published white papers about their implementation and also made some recommendations."

DragonHawk writes "As of a little while ago (it is around 7:45 PM US Eastern on Mon 15 Sep 2003 as I write this), VeriSign added a wildcard A record to the .COM and .NET TLD DNS zones. The IP address returned is 64.94.110.11, which reverses to sitefinder.verisign.com. What that means in plain English is that most mis-typed domain names that would formerly have resulted in a helpful error message now results in a VeriSign advertising opportunity. For example, if my domain name was 'somecompany.com,' and somebody typed 'soemcompany.com' by mistake, they would get VeriSign's advertising." Read on below for some more information.

"(VeriSign is a company which purchased Network Solutions, another company which was given the task by the US government of running the .COM and .NET top-level domains (TLDs). VeriSign has been exploiting the Internet's DNS infrastructure ever since.)

This will have the immediate effect of making network trouble-shooting much more difficult. Before, a mis-typed domain name in an email address, web browser, or other network configuration item would result in an obvious error message. You might not have known what to do about it, but at least you knew something was wrong. Now, though, you will have to guess. Every time.

Some have pointed out that this will make an important anti-spam check impossible. A common anti-spam measure is to check and make sure the domain name of the sender really exists. (While this is easy to force, every little bit helps.) Since all .COM and .NET domain names now exist, that anti-spam check is useless.

VeriSign has published white papers about their implementation and also made some recommendations."

zaqattack911 asks: "In the workplace today it is becoming more and more common for everyday applications to be accessible over the web. Just about all the booking and tracking systems at my job are handled via web-apps these days. Along with this trend, is the increased need for secure transactions over the web. Just about all of the apps on my webserver are going to be SSL only. Some of them are for internal use only, some for the outside internet to use. Is there a cheap alternative to getting your certificates signed? Self signing my certificates works of course, but just about all browsers make a big fuss about it. Verisign asks for about 400$ initially, and 300$ to renew a certificate every year. This seems like a scam to me, and I'd love to know if anyone knows of alternatives out there? Is there a way to get around the certificate signing business? I looked at a company called RSA Security which allows a company to 'self sign' and use their accepted signature. The website doesn't mention the price, and I'm sure it's not very affordable. What else is there?"

An anonymous reader writes "VeriSign Inc has stopped providing access to information about the .gov internet domain, which is restricted to US government bodies, over concerns the data could be used in planning internet attacks."

the special sauce writes "A few months back, our customers (we run a regional ISP) started receiving deceptive domain renewal notices from Verisign and Verisign partners such as Interland. A couple of our customers temporarily lost their domains in the process as the registrant, contact information and hosting company was all changed. Yesterday, I received an e-mail from a customer. He was forwarding a "reminder" e-mail he had received. It was an SSL certificate "renewal" notice from a UK company, Comodo. It instructed him to "upgrade" his current certificate (issued by Equifax) before it expired." More information on this charming practice follows... the special sauce Continues: "For those who don't know, Equifax was just bought out by GeoTrust, who offers a QuickSSL product. Comodo's e-mail was advertising an "InstantSSL" product, which I myself mistook for the GeoTrust product on first reading the e-mail. When I realized my mistake, I contacted Comodo and inquired as to their relationships with Equifax and GeoTrust and how they came by my customer's information. The response: "We have no relationship with Equifax or GeoTrust. The information on a certificate is public information which we have used to inform this company that they have an option when they come to buy their certificate."

My interpretation: Comodo is harvesting contact information from certificates in bad faith, to market a competing product. Furthermore, I think they have targeted Equifax customers because the company was just bought out. In any buyout, confusion exists as to the "new" company's identity. I think they are offering a product whose name is confusing similar to a GeoTrust's product. The language in their e-mail does everything possible to obfuscate the fact that they are not affiliated with Equifax, encouraging customers to "renew" and "upgrade" their certificates. In reality, if my customer had clicked the links in the e-mail, he would have been purchasing a new certificate from a company with which he had no previous relationship.

So I ask, is this not cert slamming? I don't expect this to be as big a problem as Verisign's domain slamming: we simply host less certificates than domains so it is easier to warn all of our customers with secured web sites. Nevertheless, I've reported the practice to the FTC."

wdb writes: "A NY Times article (free subscription required) describes the competition surrounding control of the .org domain, which Verisign coughed up in order to keep .com and .net from going to the highest bidder. Open source and Internet pioneers Paul Vixie and Carl Malamud have entered the fray; central to their bid is their announced intent to place all the software necessary to manage a TLD in the public domain. 'This shouldn't be a dot-com opportunity,' Mr. Malamud said. 'There has been a lot of smoke and mirrors, but what we need is actually a public utility that is well managed in the public interest.'"

LinuxDeckard writes "According to this article at FindLaw, VeriSign will soon be offering its 'NetDiscovery' wire tapping services for a monthly fee. NetDiscovery will allow Telecoms to comply with court ordered wire taps." Verisign's press release is informative. This appears to be tapping of voice calls rather than internet usage. I assume it would work something like this: telecom company gets a wiretap notification from the FBI or local police; it routes all calls to/from $TARGET through a Verisign switch; Verisign does the tapping and reporting to the tappers. If you think this doesn't affect you, keep in mind that under the PATRIOT Act the barrier for wiretapping is set very low indeed.

Keith M Ellis asks: "I've decided it's about time to fully utilize privacy and digital id technology into my internet use. I've used PGP off-and-on for years, of course; and have been half-aware of other services like VeriSign et al. However, now that I'm looking more closely at these technologies, I've been disappointed to find that there doesn't seem to be anything that seamlessly and relatively unobtrusively plugs-in to my various applications and OS. What are the current options for achieving this level of integration; and, if there really aren't any, I'm interested in any thoughts anyone might have about why this is the case and what the future might hold."

Mike Damm writes: "As everyone is so worried about Microsoft these days, another monopoly is slipping through the cracks. VeriSign has paid the country of Tuvalu $45 million in cash for The .TV Corporation, as stated by this press release. Same great service, different obscure TLD!"

Mike Damm writes: "As everyone is so worried about Microsoft these days, another monopoly is slipping through the cracks. VeriSign has paid the country of Tuvalu $45 million in cash for The .TV Corporation, as stated by this press release. Same great service, different obscure TLD!"

issachar asks: "While it seems that almost everyone at Slashdot believes that the ICANN / Verisign monopoly on TLD's is a bad thing, there doesn't seem to be a lot of agreement on which is the best alternate root server. While it might be impossible to give a simple answer to this question, perhaps some sort of unity would be a good thing. The recent story on Name.Space, doesn't do anything to clear up the confusion for people who are trying to pick an alternate root server. Furthermore, it seems that co-operation isn't working very well as OpenNIC doesn't recognise the ORSC yet. The frequent suggestion to get one of the major ISP's such as AOL on board won't fly until we have a leader (or at least a group of leading root servers that agree on basic principles). Any thoughts?"

hip2b2 asks: "SSL over HTTP is becoming a very popular way of securing websites for eCommerce and other forms of secure transactions. A vital ingredient of a SSL protected website is an SSL certificate. In the Philippines, most of the secure website here buy their certificates from Verisign. Why should we trust a certification authority that is located in a different country and charges and arm and a leg for a certificate instead of a local one? I can pay 349USD for a Verisign or 125USD for one from Thawte, which is not cheap here. With an exchange rate of around 48.50PHP per USD, this amount is beyond the reach of most local sites who just want to setup secure sites to try out the technology or use it for some charitable purpose. How do we expect to promote the use of SSL in our websites locally with these prohibitive costs? This problem is not limited to the Philippines, I presume that other countries could also relate to this issue." Right now, the cost of an SSL certificate is one of the prices for doing business on the internet (in addition to bandwitdh costs), but what would it take to start up another company that issues CAs, especially if you want to do it outside of the US?

"Is it a question of trust? Do local ecommerce and secure sites trust verisign more that say a local company that provides secure certificates? What confuses me is why is there no proliferation of trusted local institutional CAs? In the future, Verisign might end up being another Network Solutions.

Oh wait! Network Solutions is a Verisign company!

What are the barriers for setting up local country CAs? Right now, I presume that browser makers are the ones listing the trusted root CAs on their browsers by default. If my university were to setup a root CA how would we get netscape and the other browser makers to recognize us? or is there some sort of governing body for assigning root CAs like ICANN is supposed to be for name resolution? or could this be one of ICANN's eventual functions?"

hip2b2 asks: "SSL over HTTP is becoming a very popular way of securing websites for eCommerce and other forms of secure transactions. A vital ingredient of a SSL protected website is an SSL certificate. In the Philippines, most of the secure website here buy their certificates from Verisign. Why should we trust a certification authority that is located in a different country and charges and arm and a leg for a certificate instead of a local one? I can pay 349USD for a Verisign or 125USD for one from Thawte, which is not cheap here. With an exchange rate of around 48.50PHP per USD, this amount is beyond the reach of most local sites who just want to setup secure sites to try out the technology or use it for some charitable purpose. How do we expect to promote the use of SSL in our websites locally with these prohibitive costs? This problem is not limited to the Philippines, I presume that other countries could also relate to this issue." Right now, the cost of an SSL certificate is one of the prices for doing business on the internet (in addition to bandwitdh costs), but what would it take to start up another company that issues CAs, especially if you want to do it outside of the US?

"Is it a question of trust? Do local ecommerce and secure sites trust verisign more that say a local company that provides secure certificates? What confuses me is why is there no proliferation of trusted local institutional CAs? In the future, Verisign might end up being another Network Solutions.

Oh wait! Network Solutions is a Verisign company!

What are the barriers for setting up local country CAs? Right now, I presume that browser makers are the ones listing the trusted root CAs on their browsers by default. If my university were to setup a root CA how would we get netscape and the other browser makers to recognize us? or is there some sort of governing body for assigning root CAs like ICANN is supposed to be for name resolution? or could this be one of ICANN's eventual functions?"

pipeb0mb asks: "I recently had to get a Verisign Digital ID [Verisign uses X.509 compliant ids] in order to securely communicate with some overseas co-workers, and unfortunately, I am limited to only a few programs in which I can utilize my encrypted e-mail. And all of those, so far as I can tell, are for Windows only. Does anyone know why we don't have a VeriSign compliant secure e-mail program in Linux? And if we do, where the heck is it? Also, how does the Verisign Public Key correspond to a PGP key?"

"I have already checked a previous Ask Slashdot on this, as the title would suggest being close, but it seems to be more about sending anonymous e-mail through a secure POP/SMTP connection for an ISP which is a tad different and a tad more complicated than my needs.

In my particular case, I have this Digital ID that confirms that any mail a recipient gets is actually sent from me. The way it works, every time I send mail, it pops up a dialog and asks for my password. After confirmation, it encrypts the contents and attaches a security certificate that the recipient can view to confirm authenticity. In this way, even someone on my machine can't send mail as me. The certificate allows me to encrypt mail also, so only people that have my specific key can read it. It has several other useful features as well. (Here's a quick FAQ link)

I have to do this because, at work, I deal with about 100 developers that live in an unnamed former Soviet bloc country, and are QUITE security concious. The Verisign DigitalID allows them to be sure that the mail they are getting comes from me. It's quite cool, and I would LOVE to have this capability in Linux. Unfortunately, there seem to be no solutions to this problem, at least none that are obvious."

EraseMe asks: "I have a great idea for an open source project, but I don't know where to begin. I'm tired of paying large cash for SSL Certifications from companies such as VeriSign. It would be great to provide companies and individuals with free certifications, with one central server providing the solution. I would imagine this wouldn't be terribly difficult to implement over exisiting applications such as OpenSSL and mod_ssl." This would be a cool idea, but if the certs are free, how would such an entity stay afloat and pay for things like servers, office space and bandwidth?

thor writes, "According to CNBC, Verisign (VRSN) will purchase Network Solutions (NSOL) for approx. $21B ($531/share). Looks like the story of the day for a lot of people on and off of Wall Street. Network Solutions closed at $360 5/8 yesterday is trading up $100 in early hours trading. " I've also found the story on CNNfn. Why does this merger scare me?

First submitted by AC: "VeriSign has announced the availability of their 128 bit global server IDs for the Covalent SSL module, Raven. This looks very promising for the Apache community especially with the easing of encryption export controls by the U.S. Bureau of Export Administration."

andyr writes "Independent Online has a report that Entrust Technologies is challenging Verisign's buyout of Thawte consulting. Verisign is the world's largest SSL Certificate issuer, with 60% of the market, with Thawte the second-largest, with about 40%. Combined, they own 99% of the market. "