Slashdot Mirror


Why Are SSL Certificates So Expensive?

hip2b2 asks: "SSL over HTTP is becoming a very popular way of securing websites for eCommerce and other forms of secure transactions. A vital ingredient of an SSL protected website is an SSL certificate. In the Philippines, most of the secure websites here buy their certificates from Verisign. Why should we trust a certification authority that is located in a different country and charges an arm and a leg for a certificate instead of a local one? I can pay 349USD for a Verisign or 125USD for one from Thawte, which is not cheap here. With an exchange rate of around 48.50PHP per USD, this amount is beyond the reach of most local sites who just want to set up secure sites to try out the technology or use it for some charitable purpose. How do we expect to promote the use of SSL in our websites locally with these prohibitive costs? This problem is not limited to the Philippines; I presume that other countries could also relate to this issue." Right now, the cost of an SSL certificate is one of the prices for doing business on the internet (in addition to bandwidth costs), but what would it take to start up another CA, especially if you want to do it outside of the US?

"Is it a question of trust? Do local ecommerce and secure sites trust Verisign more than, say, a local company that provides secure certificates? What confuses me is why there is no proliferation of trusted local institutional CAs. In the future, Verisign might end up being another Network Solutions.

Oh wait! Network Solutions is a Verisign company!

What are the barriers for setting up local country CAs? Right now, I presume that browser makers are the ones listing the trusted root CAs in their browsers by default. If my university were to set up a root CA, how would we get Netscape and the other browser makers to recognize us? Or is there some sort of governing body for assigning root CAs like ICANN is supposed to be for name resolution? Or could this be one of ICANN's eventual functions?"

192 comments

  1. nationalism? by Anonymous Coward · · Score: 1

    "Why should we trust a certification authority that is located in a different country" why should the country of origin of certification matter?

    1. Re:nationalism? by Anonymous Coward · · Score: 2

      Your web site sells statues. Your certification authority is in Afghanistan. The country of the certification might matter.

    2. Re:nationalism? by hip2b2 · · Score: 1

      The only reason why I am pointing out the fact that Verisign is a foreign company to us is because it would have saved on costs if the CA were a local one and charged local rates. Verisign just has totally outrageous rates if taken in the context of a third world country.

      --
      ***chicken wolf***
  2. Simple introduction to certificates and CAs by Anonymous Coward · · Score: 1
    Confused on what a certificate is exactly, and how it works? Confused about what a CA is and what they do?

    There's a good older article that can be found on just this topic. I've done a lot of reading on this topic on the web, and it's one of the simplest introductions I've found. The article is called Introducing SSL and Certificates Using SSLeay. Just read through the first four sections. They talk about how certificates are used, what a Certificate Authority does, and how SSL works. It's good stuff.

  3. SSL = encryption + verification of IDENTITY by Anonymous Coward · · Score: 1
    The main issue with SSL certs that causes the most grief is that SSL, as implemented, serves two purposes:
    • encryption
    • Some degree of proof of identity

    The thing is, 99% of the people who want to use SSL could care less about establishing their identity or the location of their server. They just want to encrypt the data to prevent casual interception. Unfortunately for them, SSL won't allow web sites to have one (encryption) without the other (identity) without imposing its own penalty: scaring web site visitors and making them affirmatively agree to accept it as "untrusted". In all likelihood, most USERS wouldn't care about the identity aspect either... if browsers didn't make such a big deal about it and give less astute users the impression that they'd be safer submitting their info in the clear. Untrusted certs aren't less effective as encryption keys... they just have zero worth for establishing identity.

    A reasonable compromise that could be deployed by the Powers that Be (Microsoft & Netscape) would be to create an explicit category of untrustworthy SSL certificates whose only worth was encryption alone, and tell users exactly that the first time they encounter such a cert, and make it easy for users to check the "never bother me about this again" button.

    Example:
    You are about to securely submit encrypted data to a site of unproven identity. This is safer than submitting data to a site without using encryption (something you've probably done dozens of times per day without giving it a second thought), but not as safe as submitting data to a site using a proper SSL certificate that additionally establishes the identity and location of the web server to which you are submitting the data. Do you wish to continue?
    [x]Don't bother me in the future

    Within a few months, it would de-mystify such certs, and users would dismiss the first instance of such browser-generated notices the same way they dismiss the notice generated during the first instance of insecure and SSL form submits now.

    Considering the deprecated state of Netscape today on every platform for which MSIE exists, Microsoft could probably even do something like this unilaterally, and make it retroactive to older versions of MSIE too using Windows Update [the same way ancient 3.x versions of MSIE can still have the newest JVM and Javascript]. What's in it for Microsoft? They could create an option to differentiate between insecure SSL certs created by Win2k Server and Everyone Else's (making the option to differentiate between them default to Windows Only). Underhanded? Probably. A worthwhile sacrifice for the sake of getting something like this into MSIE ASAP? Yeah.

    1. Re:SSL = encryption + verification of IDENTITY by Eric+Smith · · Score: 2
      The thing is, 99% of the people who want to use SSL could care less about establishing their identity or the location of their server.
      But without the trust relationship, you can't tell whether there's a man-in-the-middle attack compromising your encryption. See my other comment (#219) on this subject.
  4. cost by Micah · · Score: 1

    True, the keys themselves cost pretty much nothing to generate, but CAs do have to do an extensive check to prove that you are who you say you are, which is what gives them their value. The check probably does take a few hours of time. That doesn't necessarily justify $350 or whatever it is, but they can't sell them for $10.

    In any case, it would be VERY nice to see more competition in this area, and get several more CAs authorized.

    1. Re:cost by 12dec0de · · Score: 1

      You should look away from Verisign and Thawte (a Verisign company). There are other CAs and they offer a serious reduction for renewals (like 50%) and for your n+1th certificate too.

    2. Re:cost by Malcontent · · Score: 2

      If that's the case then why do the certificates expire? Why are renewals almost the same cost as the new certificates? Why does a certificate only apply to one server AND one DNS entry? If the cost of the certificate was due to someone verifying who I am then I should be able to make every single one of my servers and subdomains secure without paying extra. If I then purchase another domain and I present a receipt to the CA then I should be able to secure every single subdomain of that too.

      The real reason they can do this is because they have a monopoly.

      --

      War is necrophilia.

    3. Re:cost by Malcontent · · Score: 2

      I did look at the other CAs. Most of them don't even sell to end users. I went down the list of CAs on IE and attempted to contact a good percentage of them and had zero luck. Most of them actually cost more than Thawte.

      Anyhow you failed to address any of my points.

      --

      War is necrophilia.

    4. Re:cost by Cirvam · · Score: 1

      Authorized by whom? Is there a governing body for CAs?

    5. Re:cost by DavidBerg · · Score: 1

      Not even close.

      I got some certs from Equifax. They were under 100 for them and they state that they do checks. However, they do not!

      I registered a cert for a company that did not exist at the time. They wanted all of this supposed information to verify, yet I filled out a form, which included my credit card number, and voila, 15 seconds later in my mailbox is the cert keys.

      Don't believe the hype and bullshit that they do checkups, etc.

      It is a pseudo monopoly and it is the cost of doing business.

      dave

    6. Re:cost by dachshund · · Score: 1

      Not authorized, better to say 'endorsed' by the major browsers. They include a default list of CA roots, which includes Verisign et al. If you buy your certs somewhere else you subject your users to the slightly intimidating "Do you wish to trust content signed by..." dialog series. Web sites will pay a lot to avoid that.

  5. Open Source to the rescue? by Micah · · Score: 1

    When (not if) most browsers are open source, this problem will likely resolve itself. A CA will just have to convince the open source projects (possibly by donating money and/or servers and/or people contributing to the browser code) to get their cert in the default setup.

    Of course that could also lead to problems, where some browsers will recognize CA X and some won't.

    1. Re:Open Source to the rescue? by Micah · · Score: 1

      ok, you're probably right. The installation could be automatic though -- the first time a web page comes up that's signed by CA X, the browser says "Here are the details for CA X. Do you wish to install this key permanently so that you will not be warned about certs signed by this CA in the future?"

    2. Re:Open Source to the rescue? by Micah · · Score: 1

      hmm, interesting point. But if they displayed the exact name of the machine it looked for the cert on, www.h4x0r.com should raise some red flags. Anything besides xxx.verisign.com should raise some flags...

      of course, we're talking about somewhat clueful people here. Idiots might have some problems...

    3. Re:Open Source to the rescue? by the+red+pen · · Score: 2
      • the first time a web page comes up that's signed by CA X, the browser says "Here are the details for CA X. Do you wish to install this key permanently so that you will not be warned about certs signed by this CA in the future?"
      Yes, but where does this CA public key come from? All the browser knows, at that point, is that the server certificate has been signed by an unknown CA. The CA's public key is not part of the SSL handshake. How do you redirect the browser to find the CA certificate for that CA without allowing an attacker to steer the browser to a bogus cert?

      For example, the browser says, "This certificate has been signed by Verisign. Do you want to accept Verisign's CA certificate (from www.h4x0r.com)?"

    4. Re:Open Source to the rescue? by the+red+pen · · Score: 5
      • A CA will just have to convince the open source projects (possibly by donating money and/or servers and/or people contributing to the browser code) to get their cert in the default setup.
      This is a Bad Thing(tm). By allowing an open-source project to include the CA's they want, I anticipate a veritable fuckload of weird CA certs embedded in Mozilla. (Maybe the Powers That Be on Mozilla or other OSS browsers will be hyperclued, but I, for one, don't want to take that risk.)

      Instead, OSS browsers should contain no CAs. Upon install, the browser may bring up instructions on how to find the most popular CA root certs. Then Joe Six-Pack will have to get them, or find himself constantly nagged on SSL sites. The upshot will be that the browser is not quietly trusting anyone, and Joe Six-Pack now has an awareness of CA certs and how to load them.

    5. Re:Open Source to the rescue? by cyberdonny · · Score: 2
      > A CA will just have to convince the open source projects (possibly by donating money and/or servers and/or people contributing to the browser code) to get their cert in the default setup.

      Errm, wouldn't it be more appropriate if the CA convinced the projects by showing that it takes its job seriously? Does it do reliable identity checks, or does it hand certificates out (in any name) to anybody who pays the fee? Is its network secure, or is its private CA key available to any 'leet script kiddie off the street? Just watching the size of the bribe^H^H^H^H^Hdonation seems to be awfully dangerous to me...

      Btw, what do the current browser companies do? Do they just make sure the payment is in, or do they also consider who the CA is? I'd dare to hope it's the latter...

  6. Re:Roll your own (complete instructions) by Roblimo · · Score: 3
    My friend Joe, at Amnet Computer, has always made his own certs and has never had any problems. He stores no credit card info or other potentially compromising information on any publicly-accessible machine. The sole purpose of his cert is to create an SSL "pipe" between your machine and his "public" one, so there is no reason for him to pay VeriSign or others to have a little logo on his page. Joe's customers tend to be sophisticated (Linux or BSD) computer buyers who know perfectly well what he's doing and why, so the little logo isn't going to impress them one way or the other.

    Yes, the insurance aspect of the big-time cert companies is nice, but more important for many businesses that do B2C ecommerce is that the "VeriSign" logo, like one from the Chamber of Commerce or Better Business Bureau, helps assure customers that there's a substantial business behind the Web site they see. But plenty of businesses do well without joining a CoC or the BBB (the best auto repair shop I've found locally belongs to neither, for instance), especially those that foster close personal relationships with customers.

    I have never taken credit cards directly online for my limo business. I started it in pre-Internet days and still have the same old XON credit card terminal I got in the late 80s, and it still works fine. Customers either hand us their cards when they get in one of the limos or, if it's something like a business person whose company is paying or a celeb whose travel is being covered by a production company (which is how most celebrity transport is handled, BTW), a secretary or other admin person usually calls or faxes directly with the trip/charter information anyway and includes the credit card number and expiration date in that call or fax.

    My limo partner and I are considering taking cards directly online before long. Small businesses (like ours) that don't have (*cough*) huge amounts of VC or IPO cash tend to be far more conservative than wing-ding companies because if we don't make a profit almost every single month we go broke. (The garage where we take our limos is *just now* thinking about putting up a Web site.)

    But if I decide to take credit cards online, I am *not* going to fork over $200 or $300 or $400 for a third-party cert. I'll just put an ordering page -- one page -- on Joe's server and ride on *his* cert in return for a small fee, like maybe a six-pack or two.

    - Robin

  7. Re:Another use for php... by shogun · · Score: 1

    Easily, just get a web programming job with any up to date company, they should exchange that code for money.

  8. SSL Certificates for Distributed servers by gavinhall · · Score: 1

    Posted by BigMal:

    The real pain is having to get a certificate for each server in a distributed server network. We're deploying dozens of servers which are supposed to all have server certs. Do the math and see how annoying that is. We're actually considering deploying fewer servers just so we won't have to buy so many certs. Way too expensive, that's my input.

    1. Re:SSL Certificates for Distributed servers by Eric+Smith · · Score: 2
      Set up a proxy that aggregates the contents from all of your servers. Then only this proxy needs a publicly registered certificate.

      It's also possible to buy "wildcard certificates", e.g., for "*.mydomain.com", but these are very expensive and not all browsers (or other SSL software) know about them.

    2. Re:SSL Certificates for Distributed servers by raju1kabir · · Score: 2
      The real pain is having to get a certificate for each server in a distributed server network. We're deploying dozens of servers which are supposed to all have server certs. Do the math and see how annoying that is. We're actually considering deploying fewer servers just so we won't have to buy so many certs.

      This is for public use? Install a single SSL-enabled reverse proxy in front of your servers. Use a URL scheme that allows you to split the traffic as necessary.

      Or, if it's for internal use, under no circumstances should you buy a certificate. There's absolutely no point.

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
  9. Re:Expensive is fine... by gavinhall · · Score: 1

    Posted by Kamel Jockey:

    For most people doing e-commerce, there is no real need to go through the expense and hassle of getting a site certificate. Many good web hosting companies will provide use of their own site certificate for a fairly low fee. That is, for about $10-$30 per month, you can have your site hosted AND have a real SSL certificate for doing e-commerce.

  10. Re:It's a question of perceived value by Klaruz · · Score: 1

    If I just want to secure my personal web site (webmail, zope editing system, login page, etc) à la sourceforge's use of https, or secure my imap connection, why do I need to pay a few hundred dollars? Why can't I just use a $30 personal ssl cert that's only good for so much traffic? I don't think the 10 or so times a day I'd be checking the cert would really cost $300+ a year. And, the large number of users paying $30 vs not paying $300 would make up for the possible loss/slim profits from doing a check on a $30 cert.

  11. Re:Root CA's by Klaruz · · Score: 1

    Of course, you can always manually import a root CA, but this is generally beyond the scope of Joe Six-Pack just trying to login to check his stock quotes.

    Granted, we're not exactly Joe Six-Pack, but we're comparable to a large corp. In the Air Force's ACC, we import our own root CA; almost all our traffic on internal websites is over ssl, even tho it's unclassified. I get my latest news on what's going on in the command over ssl, along with news on when the base picnic is. A few hundred certs for ssl on an intranet is expensive, so it makes sense to include another CA in our custom distributed IE anyway.

    I just wish digital signature and secure email were everywhere, that would make the possibility of a paperless office that much closer to reality.

  12. Re:Expensive is fine... by Klaruz · · Score: 2

    SSL is used for more than commerce. I use imap over ssl daily, but I use a self signed cert; it'd be nice to give my friends access and not have the security warning. I'm not going to pay a few hundred a year just so I can have security, so I do it halfway... Also, I use https to secure webmail when I'm not at home, but it's not completely secure because of a self signed cert. Sourceforge uses ssl to log in, but they're not exactly selling their open source software.

    Not everything on the internet is for making money.

  13. Re:Pay for trust by sjames · · Score: 5

    The reason for having these expensive certs from these companies is that you are paying for that level of trust. If I was giving out certs for free there would be no reason at all to trust me. However, having a big name like Verisign as the provider of your cert is like wearing brand name clothes: it's a status symbol and it brings with it a level of trust, which is very important for ecommerce sites to have.

    From what I've seen, it's not at all hard to get a bogus cert. You're basically paying for a rubber stamp. The primary reason certs are used is simply to convince the browser to open an ssl session without popping open 6 dialog boxes worth of FUD.

    The certs themselves are simple enough to create (including a CA cert).

    What is really needed is various levels of cert, from self generated ones that simply allow encrypted connections all the way up to one that represents careful auditing and controls to surely verify the identity of the server on the other end.

    I notice that it costs a lot more to get a wildcard cert (*.my-domain) than a single one (www.my-domain) even though the level of verification is the same.

  14. PKI is a joke by Karpe · · Score: 1

    and worse, there is nothing better.

    There are so many issues here. At first it would seem that governments should issue certificates (possibly for free), since they already issue passports, IDs, and stuff, but imagine if your browser would need to have all government certification agencies registered in it. So many countries, nah. And don't forget that countries are usually clueless in the subject of technology and data security/privacy. And there is also the case that some governments cannot be trusted at all. They could definitely certify companies interested only in scams. (Sure, a certificate is not meant to certify that a company is a good company, only certify that they are who they claim to be.) And to finish, there is also the problem that national borders are man made, and it is very possible that a company would need to have many certificates in many countries, since with the internet, the world is your market.

    Damn, this post is confusing.

    1. Re:PKI is a joke by thogard · · Score: 1

      The Aussie post office tried this. The post office has the advantage that they know where everyone lives. Same should be true for the tax office but that can get strange with offshore companies.

  15. Re:VeriSign Price by Rob+Parkhill · · Score: 1

    It should be noted that the $349 cert is NOT a 40-bit crypto cert. It is a full-strength 128-bit cert, no matter what Verisign claims. This cert will support both 40-bit and 128-bit crypto. The rub is that older 'export' browsers, which only have 40-bit crypto, will not be able to use the 128-bit crypto when they encounter one of these certs.

    The $895 cert is a "server gated crypto" cert. This means that those old 40-bit browsers will actually use 128-bit crypto when they encounter one of these certs.

    These certs are mostly sold to banks, etc. And since all 'export' browsers are allowed to have 128-bit crypto now, they are becoming obsolete. Verisign is just trying to upsell customers by scaring them into thinking that the $349 cert isn't as secure.

    --
    "Tomorrow's forecast: a few sprinkles of genius with a chance of doom!" - Stewie Griffin
  16. Re:Expensive is fine... by gaj · · Score: 1

    for some definitions of "low", anyway.

    don't people ever get tired of "my dick is bigger than your's so I must be better than you"?


    --
    If your map and the terrain differ,
    trust the terrain.
  17. Self-signing by iabervon · · Score: 1

    A lot of the point of expensive certs is that they involve having Someone Trusted (e.g. VeriSign) attest to your identity. This is, of course, expensive.

    On the other hand, people generally don't care at all exactly who you are: they do a web search on the product they want, find a site that sells it, go there, and then consider buying from them. Or they do care who they're buying from, but it's not a stranger they have to trust Verisign to identify: they have the catalog or have been to the store before.

    In the former case, the customer wants to know that the site is some business in good standing. What they'd probably want is a certificate from the Better Business Bureau or from the place where the company is incorporated, neither of whom needs online verification of identity.

    In the latter case, the customer wants to know they're ordering from the company with the flyer they have. So the company should really provide a self-signed certificate with a fingerprint in the catalog. The user gets the certificate, checks that it matches the catalog, and knows they're in the right place.

    VeriSign is performing some mixture of these tasks, checking that the site belongs to someone traceable and also that it isn't trying to be confused with someone else. But most users don't even consider the CA, so if the CA messed up, they wouldn't know which one to blame or even realize that someone supposedly checked out the site if it was using SSL.

  18. Limited Monopoly by Hrunting · · Score: 2

    Verisign bought Thawte sometime back (I believe it was May or June of last year). They're essentially the same company. I think by buying a Verisign cert over a Thawte cert, you're essentially getting a better support structure, although honestly, putting in a cert is brain-dead simple and shouldn't require much in the way of support (I do it every once in a while).

    But take a look at the costs again. It's $125/yr. for a Thawte cert (the drawback to a Thawte cert is that it doesn't work in older versions of Netscape and IE, which make up less than 1% of browser usage). That's roughly $10/mo. for a secure site, which is not at all expensive. It's really not that prohibitive to set up an SSL site. Prior to the release of the RSA patent into the public domain, that was your primary cost (passed on through purchases of software like Stronghold), and that cost is now basically gone.

    If I was a small business, I would gladly pay only $10/mo. for secure server capabilities.

    1. Re:Limited Monopoly by Hrunting · · Score: 2

      Don't forget that something like 80-90% of the world's population lives on less than 1 USD/day - that's 30 USD/mo.

      I would venture to say that the 80-90% of the world's population that lives on less than 1 USD/day are not on the Internet, much less needing to run their own secure sites. Ten dollars/month equates out to roughly 33 US cents/day. If you're running a business on the Internet that can't get at least that much money/day for operating costs, I don't think the SSL certificate is going to be the issue about whether you're successful or not.

    2. Re:Limited Monopoly by MeanGene · · Score: 1
      If I was a small business, I would gladly pay only $10/mo. for secure server capabilities.

      Don't forget that something like 80-90% of the world's population lives on less than 1 USD/day - that's 30 USD/mo.

      I don't think the story author wants to be an Amazon of the Philippines - postal vs. brick-and-mortar expenses probably don't make it feasible over there.

      He probably wants to have something like an almost-free SSL-secured voice mail/fax receiving service à la onebox.com. Anyway, back when I used to frequent rec.autos.* newsgroups their FAQ contained one valuable reminder:

      When someone asks how to fix up his old Yugo, don't tell him to junk it and buy a Porsche.

      For one thing, I don't see why, say, Philippines police or tax authority couldn't become a local CA authority - you show them your passport - they generate you a number. I bet getting a Philippine passport costs much less than 125 USD/year.

    3. Re:Limited Monopoly by nalfeshnee · · Score: 1

      Just my 0.02 - the service on Thawte is first-class. I had a couple of queries on certificates answered using their live Java chat customer support thingy - and with the *right* answers I might add - within 5 minutes of asking them. Especially since one of these questions was relatively technical (how to muck about with IIS certs in Linux so as to reuse the cert with Apache) I consider this to be pretty good. So: Thawte, I'd use them again.

      --

      -- Despair is an operating system that ANY human being can run, sort of a psychological JAVA --

  19. Taken out of context by the+red+pen · · Score: 2
    Taking Schneier and Ellison's essay as an indictment of SSL as a "scam" is a complete misinterpretation of the essay and (to my knowledge) a misrepresentation of Schneier's opinions on public key cryptography.

    The essay asks Ten Important Questions and attempts to explore each one with some depth. These are not necessarily obvious issues; you might not think of them unless you spent some serious time pondering the ramifications of Trusted Third Parties (TTP) and Public Key Infrastructures (PKI). If you read the essay and consider it carefully, you will realize that using PKI to realize a TTP electronically has some pitfalls and while these may be addressed, it is labor-intensive (read: not cheap).

    A lot of the posts on this story have been predictably dismissive of the issues laid out in Schneier and Ellison's essay. Part of the reason for this attitude is that some of these issues seem contrived or academic until you are in a situation where there are serious consequences for getting them wrong.

    To borrow an example from the field of US law, consider the case of Colin Ferguson. Ferguson shot and killed several commuters before being wrestled to the ground when he ran out of ammo. When the police arrived, the witnesses probably said, "This guy shot some people," not, "This guy allegedly shot some people!" The next day, millions of break-room conversations no doubt mentioned "The guy who shot all those people on the train," not, "The guy who allegedly shot all those people on the train."

    Why shouldn't they? After all, barring supernatural circumstances, there wasn't really any doubt that Mr. Ferguson had committed the crimes of which he was accused, yet any attorney or responsible news organization would have carefully referred to Mr. Ferguson as "the alleged attacker" until the point at which he was found guilty. In the US, people are legally considered innocent until found guilty in a court of law, and people who are responsible for maintaining this system (lawyers, legislators, judges, and to some extent, the media) will (or should) assiduously use the term "alleged" until a conviction is obtained; in the case of Colin Ferguson, this detail seemed absurd, but like many of the "overblown" details of PKI and TTP, there are important issues at stake (just wait until you are accused of a crime you didn't commit!).

    Now that you are thinking about that, how would you feel about a witness affidavit that was validated only with a digital signature, rather than in-person testimony? Nervous? You should be. (Don't panic, this would probably be a violation of your VIth Amendment right to face your accuser.)

    It should be little wonder that the boilerplate "Certification Practice Statement" (CPS), that any Certificate Authority (CA) should have, was drafted by the American Bar Association (the professional association of American lawyers).

    What the referenced essay was trying to do was not to trivialize or malign PKI, but to highlight the issues that ultimately make it expensive to do PKIs and TTPs correctly. Before you run out, download OpenSSL, and start cutting some free certificates, you should really understand why paying US$1000 for the same cryptography might be worth the money when there is something valuable at stake.

  20. Re:Root CA's by the+red+pen · · Score: 2
    • I'm fairly sure that if you serve your root certificate with an appropriate Content-Type, Netscape will happily import it after confirming with the user.
    You are correct, but the real problem is steering Joe-Sixpack to that CA cert location. Typical end-users just aren't aware of them or used to downloading them. I addressed this in another post.
  21. Re:Bootstrap Problem, dood ... by the+red+pen · · Score: 2
    • If they have *no* CA's, how do they import any other ones? Without a server cert, any imposter could (say) DoS the CA, and spoof their address.

      You need at least one cert in the browser

    You have both failed to understand how CA certs work and brilliantly highlighted a little-considered problem with PKI.

    The CA certs that are embedded in the browser have absolutely nothing to do with downloading new CA certs. The new CA certs are just that -- new CA certs.

    The problem you highlight is this: how do I know that the CA cert that I'm downloading actually contains the public key for the CA I think it does? When your browser quietly loads an SSL page, you have to just assume that the CA certificates that are installed in that browser are valid.

    The accepted solution to this problem is to publish CA certificates so widely that subverting a single channel would be unlikely to result in a significant number of people obtaining the fake CA cert. Furthermore, a human can verify the "Certificate Fingerprint" (an MD5 or SHA-1 hash of the cert). This Certificate Fingerprint should be so ubiquitous that a fake CA certificate should be immediately obvious.

    Of course, this assumes that you, the recipient of the CA Cert, make some effort (or any effort, for that matter) to verify the CA Cert. Have you verified any cert you've ever received? I'd be willing to bet that most people reading this have never done so.

    In summary, the bootstrap issue is a big deal, although you are mistaken that you need a CA cert in the browser to verify subsequent CA certs; they aren't related.

  22. Re:Don't CA's cross-certificate each other? by the+red+pen · · Score: 2
    • Very often, CA's certify each other.
    No, they don't. You must be confusing one of two things.

    Sometimes a CA will sign the credentials of a subordinate CA. The new CA usually operates within a narrow context. When we have been talking about CA in this discussion, we have been talking about root CA's that are not certified by any other CA.

    What I think you are talking about is cross-certification. Let's say that my company trusts Verisign and your company trusts Thawte. If we want to work together, we can take the option of using the same CA, which means one of us has to go through the process of forming a new trust relationship. Instead, we can have a cross-certified CA set up. This CA is endorsed (signed) by both Thawte and Verisign, meaning that my company will trust certs signed by the new CA and so will yours, although neither of us forms a new trust relationship.

    Even if you were correct, you still haven't solved the problem. Let's say I've got Verisign's root CA certificate signed by Thawte. How do I know it was really signed by Thawte? I need Thawte's root CA cert... and well, we're back at square 0.
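    The two posts above (the bootstrap problem with CA certificate fingerprints, and chain validation back to a root that must already be trusted) can be shown concretely. The following Go program is an added example written for this page, not code from any poster or from any CA: it builds a constructed root CA, a subordinate CA signed by that root and a server certificate, refuses to add the root to the trust pool unless its fingerprint matches a value supplied out of band, then validates the chain. The CA names and the hostname `shop.example.test` are made up. The last check shows the "square 0" point: a chain that ends at a root the verifier never trusted is rejected, no matter who signed what along the way.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// keyAndCert bundles a key pair with its certificate so a CA can sign children.
type keyAndCert struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

var nextSerial int64 // constructed serial numbers; a real CA uses random ones

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCert issues a certificate for name. With parent == nil it is self-signed
// (a root CA); otherwise it is signed by parent's private key.
func makeCert(name string, isCA bool, parent *keyAndCert) *keyAndCert {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &keyAndCert{key: key, cert: cert}
}

// fingerprint is the hex SHA-256 of the DER bytes: the value a human compares
// against a copy published out of band before trusting a CA certificate.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// trustRoot adds root to the pool only when its fingerprint matches the
// published one, so a fake CA cert fetched over a subverted channel is refused.
func trustRoot(pool *x509.CertPool, root *x509.Certificate, published string) bool {
	if fingerprint(root) != published {
		return false
	}
	pool.AddCert(root)
	return true
}

// chainOK reports whether leaf validates for host. Every path must end at a
// root already in roots; no signature on a leaf or intermediate can stand in
// for a root the verifier never trusted.
func chainOK(leaf, inter *x509.Certificate, roots *x509.CertPool, host string) bool {
	inters := x509.NewCertPool()
	if inter != nil {
		inters.AddCert(inter)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err == nil
}

func main() {
	root := makeCert("Example Root CA", true, nil)    // constructed self-signed root
	sub := makeCert("Example Issuing CA", true, root) // subordinate CA
	site := makeCert("shop.example.test", false, sub) // server certificate
	trusted := x509.NewCertPool()
	fmt.Println("wrong fingerprint accepted:", trustRoot(trusted, root.cert, "deadbeef"))
	fmt.Println("published fingerprint accepted:", trustRoot(trusted, root.cert, fingerprint(root.cert)))
	fmt.Println("site chain validates:", chainOK(site.cert, sub.cert, trusted, "shop.example.test"))
	// An impostor with their own root can mint a cert for the same name, but
	// that root is not in the pool, so the chain is rejected.
	imp := makeCert("Impostor Root", true, nil)
	fake := makeCert("shop.example.test", false, imp)
	fmt.Println("impostor chain validates:", chainOK(fake.cert, imp.cert, trusted, "shop.example.test"))
}
```

    Note that `chainOK` passes an explicit `Roots` pool, so the operating system's root store is not consulted; the only way a chain validates is through a root that went through `trustRoot`. The rejected impostor chain is the same situation a browser prevents when a man in the middle presents a certificate for a real site's name signed by a key nobody trusts.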

  23. Re:uh, not necessary by Eric+Smith · · Score: 2

    Sure, but then you have no way to be certain that your encryption isn't being compromised by a man-in-the-middle attack. See my other comments on this article.

  24. Re:What About Equifax? by Eric+Smith · · Score: 2
    • I've had trouble with Equifax certificates,

    I'm using two of them with no trouble.

    • and their customer service is pretty lousy.

    I thought it was pretty good. I did something stupid and compromised my server secret keys. It was within the first week after the certs were issued, so as per their policy they gave me free replacements when I notified them and gave them new CSRs.

    • Not to mention how much I dislike doing business with a company built upon the scam of consumer reporting.

    I'm not sure I'd go so far as to call it a scam, but I do find it distasteful as well. But in my personal ranking system, Verisign/Thawte does not score any higher, especially now that they've purchased Network Solutions.

    Once I find a root CA that is trusted by most browsers, inexpensive, and is run by people I don't dislike so much, I'll certainly switch.

    In the mean time, I'm reasonably happy with recommending Equifax to people who don't want to pay more money for Verisign/Thawte.

  25. Re:NSA Backdoor to Verisign by Eric+Smith · · Score: 3
    How can you possibly think that getting a certificate from Verisign introduces a back door? You clearly have no conception of how certificates work.

    You do not at any time in the registration process (or afterward) give your site's private server key to Verisign. You only send them your public key, and that is what they sign.

    This is not a back door, because ANYONE connecting to your SSL'd server gets that very same public key.

    If the NSA can break the public key crypto and use your public key to compute your private key, they certainly don't need (or want) Verisign involved in the process.
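    The point that the CA only ever sees the public key can be checked directly. The Go program below is an added example for this page, not code from the poster or from any CA: it generates a server key pair, builds the certificate signing request (CSR) that would be sent to a CA, and then inspects that request the way a CA does. The hostname is a constructed placeholder. The request carries the subject name, the public key and a signature made with the private key (proof that the requester holds it); the private scalar itself is nowhere in the bytes, and the final function shows why the CA checks the signature: if the requested name is altered in transit, the signature fails.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// csrResult is what the CA actually receives and what it can learn from it.
type csrResult struct {
	DER            []byte // the bytes that travel to the CA
	SubjectCN      string // identity the CA verifies by other means (paperwork, etc.)
	PublicKeyOK    bool   // request carries a public key the CA can put in a cert
	SignatureValid bool   // proof that the requester holds the matching private key
	LeaksPrivate   bool   // true only if the private scalar appears in the bytes
}

// buildAndInspectCSR generates a server key pair for host, produces a CSR
// with it, and then examines the CSR as a CA would. The private key is used
// only locally, to sign the request; it is never part of the request.
func buildAndInspectCSR(host string) (csrResult, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return csrResult{}, err
	}
	tmpl := x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: host},
		DNSNames: []string{host},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, priv)
	if err != nil {
		return csrResult{}, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return csrResult{}, err
	}
	_, hasPub := csr.PublicKey.(*ecdsa.PublicKey)
	return csrResult{
		DER:            der,
		SubjectCN:      csr.Subject.CommonName,
		PublicKeyOK:    hasPub,
		SignatureValid: csr.CheckSignature() == nil,
		// priv.D is the secret scalar; a CSR that contained it would be a leak.
		LeaksPrivate: bytes.Contains(der, priv.D.Bytes()),
	}, nil
}

// tamperedCSRValid flips one byte of the requested host name inside the DER
// (same length, so the ASN.1 still parses) and reports whether the CSR's
// self-signature still verifies. It should not.
func tamperedCSRValid(der []byte, host string) bool {
	mod := append([]byte(nil), der...)
	i := bytes.Index(mod, []byte(host))
	if i < 0 {
		return false
	}
	mod[i] ^= 0x01
	csr, err := x509.ParseCertificateRequest(mod)
	if err != nil {
		return false
	}
	return csr.CheckSignature() == nil
}

func main() {
	res, err := buildAndInspectCSR("shop.example.test") // constructed hostname
	if err != nil {
		panic(err)
	}
	fmt.Printf("subject=%s publicKey=%v signature=%v leaksPrivateKey=%v\n",
		res.SubjectCN, res.PublicKeyOK, res.SignatureValid, res.LeaksPrivate)
	fmt.Println("tampered request still verifies:", tamperedCSRValid(res.DER, "shop.example.test"))
}
```

    The CA signs a certificate containing the public key it finds in the CSR; anyone who later connects to the server receives that same public key inside the certificate, which is why handing it to the CA discloses nothing that the TLS handshake does not already disclose.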

  26. Re:Roll your own (complete instructions) by johnnyb · · Score: 2

    You're missing the other use of certs - they prevent the man-in-the-middle attack, because VeriSign/Thawte (a trusted party with a known public key) can validate that they are giving you the "true" public key for that site, instead of giving you the public key for a middle-man machine.

  27. Re:rebuttal by johnnyb · · Score: 2

    1) The certificate authority also prevents man-in-the-middle attacks, because the CA has a known public key.

    2) It is up to the browser vendors to decide who has a trustworthy network and who doesn't. If you can't trust your browser vendor on security issues, who can you trust (another reason not to use IE)?

  28. Re:Generate your own CA. by johnnyb · · Score: 2

    Because this still doesn't solve the man-in-the-middle attack.

  29. Re:The case for government controlled CAs by johnnyb · · Score: 2

    The problem is that the certificate holders hold secret information (namely, your private key). Passport issuers don't have the same problem. There is nothing guarded that they are holding. I trust my government with a picture, a name, and an address. I will not trust them with my private keys.

  30. Re:Expensive is fine... by datazone · · Score: 1

    He doesn't have a low ID, I do.

    --
    It's spelt "L-I-N-U-X", but pronounced as "Free Beer"
  31. Re:Mozilla... by Rob+Kaper · · Score: 1
    • ... their cert could be put in Mozilla. This may mean that it ends up in Netscape 6.x "by default" - as in, Netscape can't be arsed to take it out...

    Netscape takes plenty out of Mozilla. Fixed positioned layers have always worked in Mozilla but do not work in Netscape 6.

  32. Re:The case for government controlled CAs by washort · · Score: 2

    > My proposal, thus, is to transfer the handling of digital certificates to a government
    > (ideally international, thus UN) sponsored body which achieves trustworthiness through legal
    > backing.
    > This annihilates the market and the situation of near-monopoly we presently face.

    Only by going to a total monopoly system. And why do you make the assumption that governments are trustworthy? *I* certainly don't trust them.

    > I mean, your passport is issued by the state and I'd venture to guess nobody even among the
    > most extreme libertarians would challenge that...

    Sure I will. What gives governments the right to control my movements?

    The situation may be bad now, but the solution you propose will only make it worse; who says SSL and the CA system is the final word in authorization/authentication? Why not let the market decide?

  33. Re:It's a question of perceived value by JanneM · · Score: 1

    • But none of this matters. Certificates aren't meant to be valuable or signify elite status. They're meant as identification. "Just anybody" should have a certificate.


    And I agree. The problem lies in that the certificate has to be trusted. As a number of posters have stated, nothing prevents you from giving out your own certificates. Nobody would (rightly) trust it, but at least you have one. And that impression of trust is influenced by the points I wrote about above.

    Sure, use a certificate from 'Johnnys tattoo, piercings and certificate authority', but wouldn't you agree that it would be overly trusting to take that certificate at face value? People that impression of value and solidity.

    --
    Trust the Computer. The Computer is your friend.
  34. It's a question of perceived value by JanneM · · Score: 2

    As a previous poster stated, if you or I gave out certificates for free, the value of the certificate would be seen as low. This is in part because I'm not perceived as a well known, stable, trustworthy entity (just ask my friends:) ). The other reason for distrust would be for the very fact that it is given for free; in other words, it's the same kind of effect taking place when people perceive Linux or xBSD as being worse than Winxx because it doesn't cost anything.

    Let's say a large, trusted entity (like IBM, or a large bank) would start giving out certificates for little or no money. Many would be concerned that they won't do a good background check, or be vigilant for abuses of certificates when the customers aren't paying for it. Also, the customers would get the sense that 'just anybody' could get hold of a certificate, which would seem to cheapen its value in itself. Basic psychology, really (and this is a large part of the reason why a Weight Watcher program works - at least temporarily - whereas magazine diets don't).

    --
    Trust the Computer. The Computer is your friend.
    1. Re:It's a question of perceived value by Sloppy · · Score: 1

      • Let's say a large, trusted entity (like IBM, or a large bank) would start giving out certificates for little or no money. Many would be concerned that they won't do a good background check, or be vigilant for abuses of certificates when the customers aren't paying for it. Also, the customers would get the sense that 'just anybody' could get hold of a certificate, which would seem to cheapen its value in itself.

      But none of this matters. Certificates aren't meant to be valuable or signify elite status. They're meant as identification. "Just anybody" should have a certificate.

      What you're suggesting is that something must be expensive in order to make it artificially scarce, in order to make it valuable. But when you question the premise that it should be valuable, then the whole construction fails.


      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    2. Re:It's a question of perceived value by po_boy · · Score: 2

      If you're just running it yourself, sign your own certificate. Hell, I'll sign yours for $30.

      All your event are belong to us.

    3. Re:It's a question of perceived value by Lozzer · · Score: 1

      It depends what you mean by secure - if you mean that only you can access certain bits of your web site - then you can generate your own certificates and (assuming you're in control of the server) you can force client authentication when accessing the web site - only allowing the certificate you generated. CAs should only come into play where you want to be trusted by unknown third parties.

      --
      Special Relativity: The person in the other queue thinks yours is moving faster.
  35. Roll your own (complete instructions) by leonbrooks · · Score: 2
    The reason for having these expensive certs from these companies is that you are paying for that level of trust.

    Why not become your own CA? If the user can't trust you, why are they visiting your site? (*) Complete instructions are here.

    Sure, the browser asks the users to confirm (once only per browser per cert), but if you link from an unsecured splash page that tells them what to expect and how to react to it, they get over the shock just fine.

    Expensive trust? Think of the RIAA: to artists, ``trust us because we can get you royalties''; to buyers, ``trust us because our stuff is legal [implication: and other people's stuff is at best second-rate]''. But it's similar to the one liner about big government: any organisation big enough to give you everything you want is also big enough to take everything you have.

    (*) Note: IE ``the browser that reaches the places the other browsers miss'' has all manner of exciting ways to obliterate or export your precious data without warning you, and in some cases without you being aware that it happened. Oh, and it matters not whether this happens over an open link or through an SSL link sprinkled with Thawte holy water. Where do you want your data to go today?

    --
    Got time? Spend some of it coding or testing
  36. Re:What About Equifax? by cymen · · Score: 1

    I'm with you cyberdonny - I don't know what kind of crack sharkey is smoking...

  37. Trusting the CAs? by elandal · · Score: 1

    I haven't personally contacted any CA for any purpose, but from offhand discussions with those who have, at least Thawte requires original official stamped and signed papers of corporate identity (don't know what those papers are called in English or US Legalese) and proof that the domain has been registered to that specific company.

    To me that looks like enough to trust certificates issued by Thawte - if they really, really require that always and make no exceptions. And if the papers proving that information are issued by an authority that can be trusted (which governments do we trust?) and if we can trust that those papers aren't forged.

    I believe verifying that information isn't easy. I certainly hope that Thawte does verify that information, by contacting authorities that issued those papers and verifying that the issuer is authoritative within the jurisdiction in which the paper was issued, and so on.

    That's why the certificate costs money. Why do different certs cost different amounts? The verification job is the same anyway.. There probably isn't any other justification except "those who want better certs are willing to pay more and then we make more money".

    Now, is there any public repository of knowledge regarding how these CAs act, how they verify and what, and so on? Hopefully one that is trusted to verify the information stored, which leads to a very hard problem.. How would we trust THAT information?

  38. Trust and liability by PureFiction · · Score: 3

    Two main reasons:

    Trust - These certs are often a stamp of approval when conducting electronic commerce, etc, that the connection is secure, and that the party is who they say they are.

    The first part is fairly straightforward. If you are using SSL then the connection is encrypted, and very likely secure.

    It is the second part that makes certificates expensive. The Certificate Authorities (CA's) require a certain amount of information from you upfront before they issue a certificate. This is then used whenever your certificate is used to verify that you are indeed the person who originally received the certificate.

    There are varying levels of assurance for this process. Most people opt for the basic level of assurance, which requires some paperwork and verifiable contact information.

    There are additional levels which in some cases require your physical presence, a notary public, and some other constraints which I cannot recall; however, these are not used to my knowledge.

    So, the root of the problem is that of trust. And trust is not cheap, when accounting for processing, maintenance, liability, etc. I believe there is also a fair amount of cost to be considered a 'trustworthy' CA by the big browser CO's. Like Internet Exploder and Nutscrape.

    1. Re:Trust and liability by Malcontent · · Score: 2

      Actually the so called background check is a red herring. If that was true then I should be able to make every single server in my domain secure without having to pay extra. After all it's the same company and they don't need to do a check all over again for intranet.mydomain.com do they? Same for renewals. When I renew a certificate it ought to be almost free. They don't do a second check and you don't have to fill out new forms. Just give them your password and they renew your cert. So why does it cost another $100.00? Finally if my company decides to buy another domain name then why do I have to pay for new certs? It's still me and they have already done a check right?

      It has nothing to do with background checks or proving who you are. They just rely on Dun & Bradstreet anyway. It's all about the monopoly and collusion.

      --

      War is necrophilia.

    2. Re:Trust and liability by Malcontent · · Score: 2

      "If the SSL cert is for an intranet, you don't need to pay for it - you can generate it yourself and still be assured that it came from a trustworthy source since it is for internal use."

      Go back and re-read the thread. This has nothing to do with what I am saying. It should not matter whether my servers are in the same domain, a different domain, a different IP, visible to the outside world or not. The purpose of a certificate is to assure somebody that I am who I say I am. Once verisign or thawte has done that they have no business charging me for every server or IP address I have. I can maybe accept a nominal fee per key to pay for the microsecond of computer time it takes to generate one but they are simply ripping off people by charging per server and per IP.

      I have one business, one billing address, one president, one CEO, one listing with Dun and Bradstreet, one corporate licence. I have about a dozen domain names, a handful of IP addresses, and a buttload of virtual servers. I should be able to apply the same key on all of them if I want to. All my customers care about is that somebody checked me out.

      This has nothing to do with information it has to do with abuse of a monopoly.

      --

      War is necrophilia.

    3. Re:Trust and liability by bradipo · · Score: 1

      It's probably not very difficult to be issued a signed certificate from any of the *known* CAs even with bad or falsified information...

    4. Re:Trust and liability by hafree · · Score: 1

      I wish I could figure out why slashdot readers always think this way... I agree that information should be free and companies should charge less for their services, but that doesn't always fit into a successful business model. Think about these key issues:

      1. If the SSL cert is for an intranet, you don't need to pay for it - you can generate it yourself and still be assured that it came from a trustworthy source since it is for internal use.

      2. If you want to use the cert on multiple servers, that's the same as a company buying a single Microsoft Office CD to install on 100 workstations. SSL CA's are businesses too, and greedy or not, they exist for the sole purpose of making money just like your business.

      3. An SSL cert from a trusted CA is also linked to your domain name and IP address. Your contact and billing information need to be associated with a domain name, and your IP address is part of somebody's IP space and they can identify you too. In moving the SSL cert to a new server with a different domain name or IP address, this information actually does need to be changed in the cert itself and in the CA's records.

      Information wants to be free, but don't forget that businesses need to make money to succeed.

    5. Re:Trust and liability by hafree · · Score: 1

      I hate having to quote my own previous posts in a reply...

      2. If you want to use the cert on multiple servers, that's the same as a company buying a single Microsoft Office CD to install on 100 workstations. SSL CA's are businesses too, and greedy or not, they exist for the sole purpose of making money just like your business.

      If you want to secure multiple servers, Thawte has a special package that allows you to manage your own certs for $500 (http://www.thawte.com/enterprise/managed.html). If you can afford to colocate 4 or more servers, you can certainly afford $500 to secure them.

      Renewing your cert obviously requires less work on the CA's part, and therefore they charge a little less (http://www.thawte.com/certs/server/renew.html).

      Companies don't make money by giving their services away. Not many companies sell you a product with free support for life, it's just not a profitable business model. I realize that most slashdot readers, myself included, enjoy working cooperatively to share information and help each other out of the goodness of their hearts, but when a question is asked about why a business doesn't give away their products or services for free, the answer will always be the same, monopoly or not.

      If you don't like that, then generate your own SSL cert, and post a paragraph on your site explaining why your customers will get a browser warning about an unsigned cert so they don't get scared off. I don't host any large e-commerce sites, but my customers still want to do business. Using a signed SSL cert is really the only option they have to convince their new customers they are trustworthy.

  39. Re:Expensive is fine... by um...+Lucas · · Score: 1

    Why would your connection be any more secure if the certificate was signed by Verisign or Thawte as opposed to yourself? Since you signed it yourself, just memorize your key fingerprint, and from other locations, you'll still be sure that you're communicating via the certificate you yourself signed, and are therefore just as safe as if you'd used a CA's certificate. You'll just have to click a simple box when the browser says "I don't know who signed this certificate, is it okay to proceed?"
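    The "memorize your key fingerprint" approach above is certificate pinning, and it only protects you if the client actually compares the fingerprint rather than clicking through the box. The Go code below is an added example for this page, not the poster's code: a TLS client configuration for a self-signed server certificate that skips the CA-chain check (there is no CA to chain to) and instead accepts the connection only when the presented certificate hashes to the memorized SHA-256 fingerprint. The `VerifyPeerCertificate` callback is still invoked by Go's TLS client when `InsecureSkipVerify` is set, which is what makes the pin enforceable. The hostname and the certificate bytes in `main` are constructed stand-ins.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// certFingerprint is the hex SHA-256 of a certificate's DER bytes, the value
// the operator records when the self-signed certificate is generated.
func certFingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// pinnedVerifier returns a callback for tls.Config.VerifyPeerCertificate that
// accepts the handshake only when the server's leaf certificate hashes to the
// pinned fingerprint. Who signed the certificate is irrelevant to this check.
func pinnedVerifier(expected string) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("pin check: server presented no certificate")
		}
		// rawCerts[0] is the leaf; the rest of the chain does not matter for a pin.
		if got := certFingerprint(rawCerts[0]); got != expected {
			return fmt.Errorf("pin check: fingerprint %s does not match pinned %s", got, expected)
		}
		return nil
	}
}

// pinnedClientConfig is the client side of "I signed it myself, so I check
// the fingerprint myself": chain verification is off, the pin replaces it.
func pinnedClientConfig(serverName, expected string) *tls.Config {
	return &tls.Config{
		ServerName:            serverName,
		InsecureSkipVerify:    true, // no CA to chain to; the callback below still runs
		VerifyPeerCertificate: pinnedVerifier(expected),
		MinVersion:            tls.VersionTLS12,
	}
}

func main() {
	// Constructed stand-in for the DER bytes of a self-signed server certificate.
	genuine := []byte("constructed stand-in for the server's certificate bytes")
	pin := certFingerprint(genuine) // what the operator memorizes
	cfg := pinnedClientConfig("shop.example.test", pin)
	fmt.Println("genuine cert accepted:", cfg.VerifyPeerCertificate([][]byte{genuine}, nil) == nil)
	swapped := []byte("a different certificate presented by someone in the middle")
	fmt.Println("swapped cert accepted:", cfg.VerifyPeerCertificate([][]byte{swapped}, nil) == nil)
}
```

    Pinning the whole certificate means the pin must be updated every time the certificate is reissued, which is the operational cost of doing without a CA. Setting `InsecureSkipVerify` without a callback like this one is the equivalent of clicking through the browser's box: the connection is encrypted, but to whoever answered.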

  40. Mozilla... by Gerv · · Score: 2

    If a non-profit cert company got set up with sufficient "trustability" (and that would actually take some serious legal doing) then their cert could be put in Mozilla. This may mean that it ends up in Netscape 6.x "by default" - as in, Netscape can't be arsed to take it out...

    But I suppose "might" isn't good for a business model... on the other hand, the Mozilla organisation would almost certainly be sympathetic to any company wanting help to bring down the cost of SSL certs.

    Gerv

    1. Re:Mozilla... by Gerv · · Score: 2

      Fixed positioned layers have always worked in Mozilla but do not work in Netscape 6.

      They were disabled on the Netscape branch by agreement between Netscape and mozilla.org as part of mozilla.org's commitment to safeguarding web standards. The fixed positioning code had a number of bugs which would have plagued web developers trying to use fixed positioning in years to come. It was thought better just to turn it off.

      Gerv

    2. Re:Mozilla... by arnald · · Score: 1

      Ah, I see, the famous Mozilla quality control - we can't be bothered to fix the bugs, so we'll just disable the feature.

      It strikes me as tragic that five years ago, one man could write a complete web browser in ARM assembler, compliant with the standards of the day, and giving the nicest output I have ever seen from the web on any platform - and yet today there are hundreds of probably very talented people working on Mozilla, and it's still bloated, bug-ridden and slow.

      --
      arnald
  41. Re:What About Equifax? by sharkey · · Score: 2

    Because I have had to work with them. The clue level was rock bottom, as they basically insisted that we were doing things that weren't possible, that there was no way in Hell that they would update their software to not require direct access to the hardware (ie. modem), and they felt that we were serious losers for not buying all our PCs an analog line and modem. Granted, they did use a SCO box to answer the phone at their end, but it was broken constantly, and each time they fixed the SCO box it required a painful reconfiguration and repair to their app, since they would never tell us when something went flooey. Very, very difficult to deal with as a company, but there were a couple of very helpful and easy to deal with front-line and support people. They were just as screwed as me, since they had to deal with their shit software and policies on a daily basis.

    Obviously, I have a lasting impression of them that does not incline me to expect anything but a headache from them.

    Have you had contact with them? Do you use them? Has the way they do business changed to the point where I could reassess them favorably?

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  42. Re:What About Equifax? by sharkey · · Score: 5

    Trouble is, you probably have to run the server on an MS-DOS machine, using M-LINK to communicate. Even after 2-3 months of talking to them, I couldn't get them to understand that our modems were not attached to the PCs, were not on COM2 and did not work with DOS. Their answer? Buy more phone lines, and a modem for each PC. It's 1999, you should have a modem for each PC.

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  43. Re:Pay for trust by TeknoDragon · · Score: 2

    Exactly, PKI is no joke... sure you can have peer authentication, but everyday people are *going* to make mistakes and add someone to their trust network that they can't necessarily trust.

    You are buying trust, and liability... if Verisign's infrastructure fails then they are liable for any damage to their customer's trust infrastructure. It may be that Verisign isn't set up for catastrophic failure (do the research yourself). You need to see whether their contracts specify liability and how much, and who pays and who is backing them. Who provides their insurance? What does that policy cover? What's their PKI policy, how is this ENsured? How is that procedure audited?

    This is why you pay.

  44. Expensive is fine... by augustz · · Score: 1

    Listen, if you are doing ecommerce and requiring SSL certs, you should be able to afford them. It's enough of a barrier to entry that the Joe Blow who won't secure their site properly can't get the stuff set up. He should outsource it instead, and since SSL costs $$$ he does. Not so sure it is black and white.

    1. Re:Expensive is fine... by hip2b2 · · Score: 1

      As mentioned in other threads, self-signed certificates tend to be neglected by the users. It even sometimes scares users. I should know, because nearly the entire SSL infrastructure in our university uses a self-signed certificate.

      Sometimes, it is not about making money. It is sometimes about getting people to trust the sites you have and guaranteeing a certain level of security.

      --
      ***chicken wolf***
    2. Re:Expensive is fine... by Lozzer · · Score: 1

      • It's not completely secure because of a self-signed cert.

      Certificates are about trust not security - though they can carry keys - If you trust yourself you'll probably be secure if the other bits of infrastructure are set up right

      --
      Special Relativity: The person in the other queue thinks yours is moving faster.
  45. Re:Mozilla/Konqueror should include a 'Free' SSL C by Mike+Schiraldi · · Score: 2
    See #88 for an explanation of why you need Certification if you want security.

    And what would Verisign be forwarding, exactly? They never see the private key.

    --

  46. Tough one... by pHaze · · Score: 1

    Verisign bought Thawte for around 600 million USD a while back. Thawte are based in Cape Town, South Africa, which is as out of the way as the Philippines, but the fact that they captured enough of the CA market to allow Verisign to use them to get critical mass implies that geography isn't really an issue.

    Thawte were included by Netscape as a CA though, which is how they got their foot in the door, and that helped a lot back in the days when people still used Navigator. *duck*

    You'll probably find though that you're going to have to co-locate servers in Europe and the USA and invest in decent pipes on both ends just to get started. Based on your exchange rate, that's gonna hurt a little. (Although the South African Rand wasn't too healthy when Thawte were establishing themselves)

  47. Contradiction by SuperKendall · · Score: 2

    So a customer can use SSL secured sites with knowledge that they have gone through a lot of work to make sure of their identity, yet these very sites they visit may be operating through some ISP who offers SSL to a whole group of people!

    Great, when my credit card number is stolen we can track down the trouble to an ISP that can just say "Sorry, common carrier".

    That's what really irks me about certificates. There is no guarantee of trust whatsoever as far as I'm concerned, and it's just extortion at this point.

    What does a certificate buy you? As a consumer, ALL I care about is that my communication is secured. Even if a company has (or seems to have) a certificate from a valid CA there is still NO WAY I am going to trust them with my credit card number until they have a reputation. What really needs to happen is a separation of encryption and identification, which are all wrapped in the same bundle right now.

    I think all sites should just start generating their own certificates. All it would take is a few big sites like Amazon to switch away from Verisign and the root CA's would be finished. The message you get isn't even all that bad; it looks so much like the message you normally see that most people would just click right through it.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Contradiction by SuperKendall · · Score: 2

      They "most likely" know the identity of their customers? How comforting!

      Again, I say - how useful is that! Am I supposed to be comforted that an SSL has granted authority to someone they absolutely know, to a company that in turn has granted authority to someone who has signed up over the web? Are all ISP's offering such services really looking into customers with the same depth the CA's supposedly are? Are all of the "trusted" CA's looking at customers with the same level of depth as Verisign?

      But forget that point, which I consider only a small issue. As a consumer, have you HONESTLY ever looked up a certificate from any online source to verify they are who they say they are? Do you think it would really come in handy if you had a problem? I don't think so, and on that basis I don't see where having a site get a certificate from a CA is any better than just making up one of their own.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    2. Re:Contradiction by SuperKendall · · Score: 2

      Let's turn it around. Suppose tomorrow, that Amazon, B&N, Fatbrain, and every other book seller online started to use their own private keys for SSL. Would you stop using them? I know I wouldn't.

      As for your time being too valuable to spend checking on a merchant, I suppose you'd just submit your credit card number anywhere with SSL encryption. That's your choice, but as for me I tend to only use sites I trust. Does owning a certificate imply that they hold all your CC data in a secure location and not on the web server in a text file? Does owning a certificate imply that they don't have a CEO who plans to move to Brazil next month for the rest of his life, taking your CC with him?

      I frankly don't have the time to worry about these things either, so I tend to shop at well known locations online. If there are two sites offering a DVD for sale and one of the sites is $5 less, if it looks seedy or too unknown I'll pass it by and spend a little more. In no way is mere ownership of a certificate any indication they deserve my trust, nor is it (or should it be) for most people. Since in the end the certificate can say nothing of any real value to a consumer, why use it?

      For the cost, why do you assume that every site online that uses a certificate will want to have a credit card setup as well? Then the $125 (with no other cost to be had) might not be so negligable. Imagine a site where you can post anon feedback/tips about a company or organization. Imagine an online game site that just wants to make sure moves are transmitted without fear of interception. I can think of a lot of uses where SSL is going to be used for it's only real function, encryption of communication.

      But even if the cost is negligable to someone, does not mean it's useful. If I stood on the corner by a business you owned and said you'd have to give my a dollar a week or I'd tell passers-by that your shop wasn't to be trusted, that cost would be negligible as well. You wouldn't want to pay it, would you? I'm against using a CA on principal, that it is wrong and misleading to consumers by promising more than it can deliver. The cost is negligible to merchants but incalcuable to consumers, and it's time someone exposed CA's for the sham they are. Unfortunatley, I'm sure it will take years to rid ourselves of them.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    3. Re:Contradiction by hafree · · Score: 1

      Many of you are missing the point - it is a substantial hassle to get an SSL certificate from a reputable source because they take the time to verify that you are who you say you are. Even if you falsify documentation and have corrupt business practices, obtaining a certificate is an interactive process that links your secure server to an individual's or a company's real contact information. When an ISP provides a secure server for its customers, they most likely know the identity of their customers and how to get in touch with them. This is the trust you are paying for. Fraud will always happen, but it is a lot less likely when so much is involved to obtain the certificate and verify the legitimate existence of the company that purchases it.

    4. Re:Contradiction by hafree · · Score: 1

      No, I've never tried to verify the integrity of a company based on the information provided in their SSL certificate. Verisign already did that for me, and most likely did a more thorough job than I ever could. I work for an ISP and if we can't get hold of our customers, we can't bill them, so in that capacity, the trust granted in our SSL cert is extended to the customers. 100% of our customers that use our secure server also do realtime credit card transactions through AuthorizeNet, which is an interactive process to sign up for, requiring endless paperwork, bank account information, tax IDs, social security numbers, etc.

      The possibility for fraud will always be present, but having your SSL cert come from a known CA means not having to perform credit checks and research the background on a company. My time is too valuable to spend 4 hours doing a background check before buying a $20 t-shirt, or spending $25 to do a credit check before buying a $12 CD.

      If you can't afford $125/year for the cert, surely you won't have $300 to get set up to do online transactions, or $30-50/month to continue doing them. You only need your own SSL cert if you run your own server, which means you'll need to colocate equipment for around $300-500/month minimum, and that doesn't include the cost of the server itself. Once you're looking at a pricetag of $6-10k/year minimum, does $125 really make a difference?

  48. NSA Backdoor to Verisign by Alpha+Prime · · Score: 1

    Besides, if everyone uses Verisign, then the NSA does not have to work so hard to break into our communications.

    It's a large, closed-source company. I trust it about as far as I can throw it.

  49. Bootstrap Problem, dood ... by Vryl · · Score: 1
    If they have *no* CAs, how do they import any other ones? Without a server cert, any imposter could (say) DoS the CA, and spoof their address.

    You need at least one cert in the browser.

    1. Re:Bootstrap Problem, dood ... by Vryl · · Score: 1
      > You have both failed to understand how CA certs work

      This is a little harsh ...

      > and brilliantly highlighted a little-considered problem with PKI.

      Actually, it's getting a fair bit of press, what with Bruce and Jane K. Winn and others making a few salient points about it.

      Care to take this offline? I would welcome some discussion on this.

  50. How to make your own certificate by Morty · · Score: 1
    If you have openssl installed, generating your own certificate is as easy as:

    # make a new RSA key (written to privkey.pem; you are prompted for a passphrase) and a signing request
    openssl req -new > new.cert.csr
    # strip the passphrase from the key so the web server can start unattended
    openssl rsa -in privkey.pem -out new.cert.key
    # sign the request with your own key (self-signed), valid for ten years
    openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 3650

    Of course, your certificate wasn't signed by a known CA, but getting a certificate signed by a CA only says "this certificate really belongs to this person", it doesn't say "this person is trustworthy" or "this person knows how to code a website that can't be hacked." And really, the latter two are much more important. Most users don't get this, so for an e-commerce website, getting an official cert is a good idea. Heck, for ecommerce, $150 for a cert is a relatively small business expense. But for your own use, you may as well just stick with self-signed certs.

    - Morty

  51. Re:VeriSign Price by mpe · · Score: 2

    > What possible reason could there be to base the pricing on crypto strength?

    Because they can, it's as simple as that...

  52. Re:Why do we need "certificates"? by Craig+Davison · · Score: 3

    CAs are used to avoid man-in-the-middle attacks. SSH survives without CAs because it is assumed that a client will only be connecting to a handful of hosts, and therefore the user is able to personally verify each host key through physical means *. This assumption fails when applied to the web.

    Your web browser currently ships with two (maybe more?) hard-coded keys: Verisign's and Thawte's. These keys are used to securely transfer the host keys of secure web sites you connect to.

    I think each country needs its own CA, and I think browsers should ship with keys for all of those CAs. But it's really up to the browser vendors (by that I mean Microsoft, realistically).

    * I know this doesn't often happen in the real world, but it should. You never know if your SSH connection is being relayed through another host unless you can verify the authenticity of the host key.

  53. Legitimate Business by _Sprocket_ · · Score: 3
    > Anyone can generate their own SSL certificate, but what assurance does the customer have that you are who you say you are? It doesn't much matter if your transactions are done securely if they aren't going to a legitimate company.

    > ...

    > They have already done the footwork to ensure that the company you are dealing with is legitimate and not just some scam artist looking to collect credit card numbers.

    The implication here is that if a company has a Verisign certificate, there is some kind of certification of their business practices. This is a misconception.

    The use of the word "legitimate" in this case refers to the identity of the organization who have received the certificate. Verisign has gone to some length to verify that the certificate has been issued to the correct organization. So sure, Verisign will ensure that the certificate they issue to Visa is actually being issued to Visa and not some Joe Scamartist looking to fish for credit card accounts.

    But once again - this does not mean the business in question has legitimate business practices. Just because the Verisign certificate was issued to Joe's Imports, it doesn't guarantee that Joe's Imports will really honor the order for a PS2 I just placed and paid for with my credit card.

    It might be worthwhile to point out that Verisign DOES support an ADDITIONAL program called WebTrust ( http://www.aicpa.org/webtrust/index.htm ). This seems to be a further step to linking a legitimate identity to a legitimate business practice.

  54. Re:rebuttal by cyberdonny · · Score: 2
    > Are their employees trustworthy, is their network trustworthy, whats the difference between seeing a "Trust-E" certificate and "Vendor Company" certificate?

    For all the customer knows, the "Vendor Company" CA could actually be run by a malicious hacker trying to eavesdrop on his communications with your site.

    > when was the last time those who did know check the validity of a cert or the company that issued it?

    A long time ago... Indeed, most of the time, the browser does it for me. However, it can only do this automatically if the cert is signed by a CA recognized by the browser.

    > No thank you I would rather create, monitor, and control our own certs in house, and ensure that our information is to be used by our company solely.

    This is ok as long as you only care about in-house communication, but what if you sell to outside consumers who have no way of double-checking your certificates? First they'd somehow need to get your public key, or a fingerprint of it via a secure channel (telephone? postal mail? Neither is 100% secure), which would cost you a lot in processing costs.

    Next, if you're really so worried about whether Verisign and Trust-E are able to guarantee the security of their infrastructure, why should your customer believe that you are able to properly secure your private key?

    There are some situations where you don't need to bother with CA-signed certificates:

    • In-house use: install your own CA certificate in all users' browsers
    • Customers with whom you deal in meatspace: hand them floppy disks with your certificate or public key, or hand them cards with your certificate fingerprint
    • You just want to stop the casual eavesdropper, but are not concerned about sophisticated man-in-the-middle attacks
    However, in the general case of e-commerce with customers that you never met physically, and where you care about security, certificates are indeed very useful.
  55. Don't CA's cross-certificate each other? by cyberdonny · · Score: 2
    > In summary, the bootstrap issue is a big deal, although you are mistaken that you need a CA cert in the browser to verify subsequent CA certs; they aren't related.

    Very often, CAs certify each other. So Thawte could for example certify Verisign's certificate or vice-versa. That way, you'd only need one of them installed on bootstrap, whereas the other could be loaded dynamically in a 100% secure fashion.

    1. Re:Don't CA's cross-certificate each other? by cyberdonny · · Score: 2
      > If we want to work together, we can take the option of using the same CA, which means one of us has to go through the process of forming a new trust relationship. Instead, we can have a cross-certfied CA set up.

      Wouldn't that actually be a very dangerous thing to do for Thawte and Verisign? As far as I know, CA certificates (i.e. certificates granting the right to operate a CA) have no "scoping" information (such as *.yourcorp.com), only a maximal chain length (meaning that you can make sure that your CA doesn't cross-certify yet another CA). As there is no scoping, your "private" CA would be allowed to certify just about any site, not just the ones under your jurisdiction. And because of the cross-certificate, any browser trusting Thawte or Verisign would trust your CA too! Given how dangerous this is, I doubt that Thawte or Verisign ever would do that.

      Rumors are that Equifax hands out these cross-certificates rather easily. Interestingly enough, Thawte's cross-certificate for Equifax has a chain length of 1, meaning that a browser trusting Thawte also trusts any identity certificates directly issued by Equifax but (fortunately) not certificates issued by CAs cross-certified by Equifax...

  56. Re:What About Equifax? by cyberdonny · · Score: 2
    > Does that mean that browsers looking at the website go into https: mode as smoothly as if the browser was IE?

    Installing a new CA root certificate in your browser should be a conscious choice. By doing so, you say that you trust the CA to properly verify the identities of parties to whom it grants identity certificates, that it appropriately manages its own security, and that it doesn't lightly delegate its CA authority to untrusted parties. There are some doubts about this last point, as it seems.

    If your browser now doesn't warn you about potential security breaches caused by Equifax' carelessness, this doesn't mean that your browser is no more secure than IE; it just means that you, the user, made a bad judgment by including Equifax's CA certificate in it.

  57. Re:The SSL scam by cyberdonny · · Score: 3
    > They cost almost nothing to make,

    While it costs almost nothing to make the certificate per se, checking the identity of the requestor, and maintaining the security of your certificate DB and CA private keys does have a cost. And what happens if somehow somebody tricks the CA into issuing him a fraudulent certificate which will then be used for hacking? Would the CA be liable for damages? Does it have to take out insurance to cover these kinds of risks? What is the price of this insurance?

  58. Re:What About Equifax? by cyberdonny · · Score: 3

    Why would they care what OS you run and how you are connected? Oh, they don't, they even list Apache + ssleay in their list of supported servers.

  59. Re:Pay for trust by droleary · · Score: 1

    > Imagine trying to explain the difference between a simple encrypted link and a fully authenticated connection in an unconfusing manner?

    I don't think it's really that hard. You could put up a red, yellow, or green lock (or a stoplight next to the lock, to take into account the colorblind). You could make the lock clickable to bring up a dialog that showed a nice Alice, Bob, and Eve diagram with question marks or exclamation points slapped on the insecure points, along with a short description of how trusted the transaction should be considered. People are far smarter than most interface designers seem to be, so don't fault the users when they complain things are confusing.

  60. Confusion between encryption and authentication by hqm · · Score: 1

    I think that even more than Network Solutions' land grab of the DNS, the SSL certificate game is the biggest rip-off being run on the net.

    I believe many more people would like the encryption features of SSL, and do not care much about authentication. By making you buy both at the same time, the browser companies and certificate companies are colluding to force people to buy services they do not need.

    I want security on my web site, but I don't care if I am authenticated by Verisign. It is easy enough to get a fake certificate from them; they care much much more about getting their hands on your dollars than on doing anything more than a rubber stamp check of your authenticity.

    I think this situation arose from people's ignorance and fear about security, and Verisign and the browser companies did *nothing* to explain to people the difference between encryption and authentication.

  61. What About Equifax? by wolf- · · Score: 3

    Equifax offers certs for as little as $79 per server. http://www.equifaxsecure.com/ebusinessid/

    --
    ----- LoboSoft specializes in Digital Language Lab
    1. Re:What About Equifax? by Leroy+Brown · · Score: 2

      Equifax has their own certificate. They have a certificate signed to them saying that they are an authorized CA. When you install Equifax certs you actually install two certs. You install your site cert signed by Equifax, and you install the Equifax CA cert designating them as a valid CA. This is good since in the past a new CA, like Thawte, would require new web browsers to be distributed with information for that CA included. Old SSL web server implementations, however, don't always support CA certs. The OpenSSL library is one piece of software that doesn't in older versions. Any web servers depending on this would need to be upgraded to use an Equifax cert. This isn't exactly new though.

    2. Re:What About Equifax? by pchown · · Score: 4
      Equifax certificates derive trust from the Thawte roots.

      Equifax marked my cert as suitable for use as a CA. Fortunately Thawte set the maximum chain length to one so I can't actually sign other certs. If they hadn't done this I would be able to set up my own CA, and the browsers would give it the same trust they give Thawte. Scary.

      I found Equifax fine for customer service. Installing the cert was a bit of a nuisance because there was an extra step in the chain compared to a Thawte or Verisign cert. However once that was overcome everything worked fine.

    3. Re:What About Equifax? by shibboleth · · Score: 1
      Will the browser recognize Equifax certs? "Root CAs are not just added to the browsers by default" Unpossible says in a score 5 post below.

      Recognition of which Root CAs are in IE and Netscape by default?

      thx.

      --
      "Be thankful you are not my student. You would not get a high grade for such a design :-)" - Minix pro
    4. Re:What About Equifax? by shibboleth · · Score: 1

      "and you install the Equifax CA cert designating them as a valid CA" Does that mean that browsers looking at the website go into https: mode as smoothly as if the browser was IE?

      --
      "Be thankful you are not my student. You would not get a high grade for such a design :-)" - Minix pro
    5. Re:What About Equifax? by dachshund · · Score: 2

      I've had trouble with Equifax certificates, and their customer service is pretty lousy. Not to mention how much I dislike doing business with a company built upon the scam of consumer reporting.

  62. non ecommerce uses by MattBurke · · Score: 1

    > Right now, the cost of an SSL certificate is one of the prices for
    > doing business on the internet (in addition to bandwitdh costs),

    and of course, what if I just want to run an encrypted web-based email system on my personal box? self-signing is hardly fun with browsers throwing up warnings every time you access it...

    > but what would it take to start up another company that issues CAs,
    > especially if you want to do it outside of the US?

    I've got a question here... I know you can set up HTTPS services using a self-signed certificate if you don't mind browsers screaming at it. However, what if I were to use 2 of my own boxes to create a certificate? Although not "credible" enough for an ecommerce site, would it be fine for personal use?

    1. Re:non ecommerce uses by raju1kabir · · Score: 2
      > and of course, what if i just want to run an encrypted web-based email system on my personal box? self-signing is hardly fun with browsers throwing up warnings every time you access it

      Read your browser's documentation to learn how to import your home-perm-kit CA's cert into the browser. Presto, no more warnings.

      > I've got a question here... I know you can set up HTTPS services using a self-signed certificate if you don't mind browsers screaming at it. However, what if I were to use 2 of my own boxes to create a certificate? Although not "credible" enough for an ecommerce site, would it be fine for personal use?

      I don't understand what you're getting at here, but there's no difference between using one computer to create the certificate, and using two.

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
  63. Mozilla/Konqueror should include a 'Free' SSL CA by ikekrull · · Score: 2

    I agree that SSL certificates are too expensive.

    Personally, I don't give a rat's ass about the 'Certification' aspect, I just want to be able to secure my web traffic in a user-friendly way.

    It'll all be fun and games till we find out that Verisign promptly sends every key registered with them to the NSA for monitoring.

    --
    I gots ta ding a ding dang my dang a long ling long
  64. Equifax supports Apache by weatherwax · · Score: 1
    I hate to see this misinformation modded up. Equifax does not require DOS, Windows, or M-LINK, whatever that is.

    I had no trouble setting up an Equifax certificate with Apache 1.3.11 (now 1.1.14 with no issues) and mod_ssl. Their instructions were clear, and everything worked with no problem.

    Their customer support followed up to be sure I made everything work.

  65. Re:Pay for trust by AOCrowley · · Score: 1

    Yet neither Verisign nor Thawte do any kind of security auditing on the sites they 'Certify', so it's really just a scam. A Verisign brand certificate might make some sense if along with that came the knowledge that Verisign did some kind of security audit to verify that the data you send secure stays secure afterward, but they don't.

    Btw, it is entirely possible for any SSL site to make their own certificates, signed by themselves. I've done it for years.

    While some may argue that skipping a third party signature verification on an SSL certificate is a bad idea, I suggest it's a very good one. I don't need to verify that this key is from this company when I've already done that to some degree by the simple fact that I'm already at their website and getting the certificate from their website. Some people may start yelling about site impersonation at this point, but there is a reason the credit card industry would rather absorb the costs of credit card fraud than pursue every single case to the end. It's cheaper to just let some incidents slide. If someone did successfully masquerade as a known (read "trusted") site and you accepted their certificate and sent them sensitive information, and if they then abused that information to run up your credit card bill, you wouldn't be responsible for more than $50 of it, so what's the point? Consumers don't really need to fear online fraud the way some have suggested.

    In essence, the 'root CA' 'feature' is really just a way to artificially control the issuance of SSL certificates, and to impose the need for a third party to sign these certificates to prevent an evil dialogue box from popping up and frightening away a potential purchase.

    I'd like to see the W3 consortium address this issue by putting forth a standard for web browsers to accept all SSL Certificates sans third party verification signatures. They are not needed for most SSL transactions.

    --
    void this_is_a_stack_issue(){this_is_a_stack_issue();}
  66. Expensive is relative by Baki · · Score: 1
    What nonsense. The point here is that what is expensive in the Philippines is cheap in the USA. What is expensive is relative.

    Current prices mean that almost any hobby site in the USA can afford a trusted SSL certificate, but even most business sites in the Philippines can hardly afford one.

    I think that the security of the WEB and thus e-commerce in most cases, in any country, is a matter of international importance that would better not be in the hands of a small group of companies. Instead an international (UN?) organization should supply certificates for a very low fee as a service for the common good.

    1. Re:Expensive is relative by hip2b2 · · Score: 1

      Amen! It's nice to see that some country can relate to this thread. It is quite difficult for us to purchase a digital certification worth 20000PHP!!! Ridiculous.

      --
      ***chicken wolf***
    2. Re:Expensive is relative by sn00ker · · Score: 1
      > What nonsense. The point here is that what is expensive in the Philippines is cheap in the USA. What is expensive is relative.

      > Current prices mean that almost any hobby site in the USA can afford a trusted SSL certificate, but even most business sites in the Philippines can hardly afford one.

      Bingo.
      Welcome to the wonderful world of international currency transactions. Here in NZ, the exchange rate with the USD is around the $0.47 mark. This means that a Verisign cert costs us nearly $1000NZ. That is NOT cheap. Thawte certs are only about $400NZ, but that is still far greater than I am prepared to pay in order to secure a private, non-com site.

      Using a CA cert from places like Thawte and Verisign means that you don't have to click through multiple dialogs of bullshit warning you that the site you are attempting to look at has a certificate that wasn't signed by one of the big names in PKI.
      It also means that, if you have a technically-aware audience, you don't have to deal with concerned customers/users querying you about the absence of a CA root cert.

      Having an SSL cert is becoming an essential for providing any kind of service over the 'net if there is any kind of not-totally-public-information transfer. When it costs so much to get a certificate, that is a serious barrier to entry. The digital divide doesn't just apply to those that do and don't have computers, but within the group of those who do have computers but can't afford to purchase essentials for making use of their computers.

      --
      "God, root, what is difference?" - Pitr, userfriendly
    3. Re:Expensive is relative by redGiraffe · · Score: 1

      Well, Thawte was a South African company until being bought by Verisign. I guess you set your price at what the market can carry. Certificates are way overpriced for me in South Africa. It is trivial to start up a CA, I mean the technical side, but you need to get the CA certs into the popular browsers before people will trust it. Although, if you had a link on your site telling people to download your CA cert before going to the order page, they probably would. Most people just see windows popping up and are just interested in getting through the maze.

    4. Re:Expensive is relative by agentZ · · Score: 2

      Perhaps if a new CA sprung up overseas, and charged reasonable prices in the local currency, it would draw business out of the US? Is that necessarily a bad thing? I mean, we already have American cruise ship companies whose boats are registered in Panama, the Dominican Republic and other countries. Maybe some small but moderately web-savvy country could bring big $$ to their country by starting such a CA? (I mean, who would actually look to see that their SSL chain of trust starts in Togo?)

  67. Who the hell moderated this as troll? by Baki · · Score: 1
    OK you may not agree, then please reply stating why not. But rating my article a troll is simply not true. Btw two other responses did agree.

    You know what a troll is? And what moderation is for: not to state your opinion but only to judge the quality of responses, regardless of whether you agree with them or not.

    Maybe I should get into meta-moderating somewhat more to "punish" unserious moderators that are frustrating the moderation system.

    Yes, you could moderate this as off-topic. With that I would not have a problem.

  68. Only useful if the company backs it up by RickyRay · · Score: 2

    Certificates at my company (Digital Signature Trust, at www.digsigtrust.com) aren't cheap either, but unlike most we have guarantees on our services. We're the only company in the world that's certified for many things like buying a house in the US with a purely digital signature (due to agreements with groups like Fannie Mae and the American Banking Association). We go through extensive (& expensive) industry and government audits to qualify (and we're the only ones who have passed in some cases). Make sure you are actually getting something valuable (proper authentication!) when you purchase digital certificates from anybody. A certificate without proper authentication and guarantees is worthless.

  69. Re:Why do we need "certificates"? by hip2b2 · · Score: 1

    But how do we make browsers access CAs automatically, such as those assigned by Verisign? The root CA (Verisign) must be quite buddy-buddy with the browser makers to get their root CAs in.

    And country root CAs are in a better position to verify the company or requestor in question.

    --
    ***chicken wolf***
  70. Re:Pay for trust by hip2b2 · · Score: 1

    After reading a lot of your comments, I am given the impression that Verisign and Thawte certificates are given without that much scrutiny after all. They cannot be completely trusted?

    Yes, they do save a few browser clicks and can prevent users from accidentally placing an untrusted site into their trust network. But for most people, this is important. The two to six new windows that pop out before the user are enough to scare the user from visiting the site. Most users do not really know how secure is secure; all they know is that if the little padlock is locked in their browsers everything is okay. However, if they see these annoying windows they might get confused and later scared.

    Country-controlled CAs are in a better position to verify the existence of the said company or site, since they have access to local business registration records. They can do all this and at the same time not charge an arm and a leg for a measly certificate.

    SSL is important. Aside from securing the HTTP connections from eavesdropping, it is also able to prevent sessions from going astray. We have been using horde/imp in our university and before forcing people to use the SSL connection other people could "accidentally" log in to another person's account, which should not be the case!! Even little things like this can be solved by the use of SSL over HTTP.

    --
    ***chicken wolf***
  71. Re:Network Solutions becoming like MS? by hip2b2 · · Score: 1

    it's called the BORG my friend.

    if UUNET is the borg of IP transit

    if MS is the borg of desktop software (and the world)

    then verisign must be ....


    --
    ***chicken wolf***
  72. Re:Pay for trust by rakslice · · Score: 1

    "they are liable for any damage to their customer's trust infrastructure."

    Heh... Did you read their liability disclaimer? =)

  73. Generate your own CA. by bradipo · · Score: 1

    Why not generate your own signing CA and then provide instructions to your customers (via a webpage) on how to import the CA into their browsers. Then any certificate that you sign with it will be accepted by their browser. Yes, it might be one additional step that your customers would have to go through, but if you explain that it is providing them security then it should be worth it to them. Of course, whether or not they decide to trust you is another story. :-)

    1. Re:Generate your own CA. by mercury7 · · Score: 1

      Here is a link to a page that discusses what SSL is and gives step-by-step instructions on how to create and sign your own SSL certificate.

  74. Re:Open CA. by bradipo · · Score: 1

    > But what about individuals buying certs to secure private information - seems reasonable if you can get the cost below $40/year.

    If you are an individual, your user base is most likely not going to be very large---use a self-signed certificate which costs nothing.

  75. Re:So do HTTP/SSL *just* *like* we do secure shell by TheCarp · · Score: 2

    Very true, but ssh can be attacked via a man in the middle attack, especially on a person's first connection to a site (in theory, once you have the key, it will complain if the key changes (which would be a necessity for a man in the middle) - however, in practice, no one pays attention).

    At least with a CA, you have someone certifying that "Certificate X is real", and you can verify that signature. So a man in the middle would need to get his bogus cert signed by Verisign (or another trusted CA) - good luck on that.

    Should just make a "web of trust" style system. Have sysadmins from ISPs and web hosters sign each other's keys, and sign the keys of the people they host for etc... and build a big web.

    hmmm its an idea anyway

    -Steve

    --
    "I opened my eyes, and everything went dark again"
  76. Re:Same Here by Stephen+Samuel · · Score: 2
    From the point of view of the person running a web site, a self-made certificate is quite secure -- You don't have to trust a third party to keep your private key private.

    From the point of view of a customer, having a trusted third party to verify a web site's identity can help you know that a web site is probably who they claim that they are.... If people started scamming IDs with Thawte or Verisign IDs, it would break the trust that people have in Thawte/Verisign certs -- that would lessen the value of getting Thawte/Verisign certs -- and browser builders (Netscape, MS, Mozilla, etc.) might stop putting their public root cert in their default cert list.

    If all you're doing is talking to yourself, and people who know you personally, you can give them a copy of a floppy/CD with your root cert on it and they (you) can install it on the remote machine.

    If you then generate your site cert, and then remove the private key of the root cert from the machine, then -- barring a break-in where your root private key gets stolen/copied, you have some physical certainty that your key is not compromised.

    This, of course, requires that your machine remain otherwise secure.

    ----
    I use my own, private cert, on my personal web site. I trust it completely. If I was going to be doing sensitive work remotely, I'd use it in preference to a Thawte or Verisign key -- however, I'd personally install the (my) root cert on my remote machine(s).

    --
    Free Software: Like love, it grows best when given away.
  77. Re:wait by Deamos · · Score: 1


    Yup, Verisign bought out Thawte, though blessedly Thawte's prices have not gone up to the silly levels that Verisign puts them at.

    --
    "We're so tough we're made of nerf!" --D&D Character Tagline
  78. wait by Lord+Omlette · · Score: 1

    Didn't Verisign buy out Thawte a while ago? How can there be a difference?

    Also, the internet is a global thing, just cause something's in a different country doesn't mean it's evil.
    --
    Peace,
    Lord Omlette
    ICQ# 77863057

    --
    [o]_O
  79. install-certs.exe and email forwards by yerricde · · Score: 2

    Does it require people to manually update their master certificates? This usually doesn't go down too well with joe-sixpack.

    Then provide an "installer" program to update the certs. If Joe Sixpack will run elfbowl.exe or sextris.exe, then he'll probably run install-certs.exe. And if you play some cheesy animation while the certs are being updated, this program will spread just as fast as elfbowl.


    All your hallucinogen are belong to us.
    --
    Will I retire or break 10K?
  80. Trust is not about social status by mangu · · Score: 2

    The kind of trust you get when you buy a certificate is one of traceability. You get the assurance that that magic number you hold can be traced physically to an established institution. Which means, there must be an office and all the installations of a company to pay for. There must exist a person who is ultimately responsible for those certificates, and there must be some way to locate and punish that person if the certificates are false. One cannot emit certificates from a virtual address; that would break the accountability chain and would be a logical impossibility.

  81. I don't understand what makes you nervous by Chagrin · · Score: 1
    • Except as expressly stated in an agreement between you and Verisign, all content, services, products and software provided on this web site are provided "as is" without warranty of any kind
    What? Me worry?
    --

    I/O Error G-17: Aborting Installation

  82. Interesting problem... by joto · · Score: 2
    Why should we trust a certification authority that is located in a different country and charges and arm and a leg for a certificate instead of a local one?

    Good point. Not that I don't trust verisign, but why would I trust some relatively unknown certificate provider in the Philippines?

    I think it would be wrong to try to convince browser makers to add every kind of certificate authority by default. Instead, you should team up with the major ISP's in the Philippines (and ideally the government) to create a local one.

    Now, why do you need the support of ISP's? Well, because (at least this is the case in my country, it might not be true in the Philippines) most users get a disk from their ISP when they sign up, and generally keep on using that software without bothering to download updated versions of the software over the net. These disks could add local modifications, such as adding the local certificate provider among the trusted authorities. This would most likely make 90% of the users happy, and the rest should probably be technical enough to understand how to add an additional authority themselves.

    Ok, perhaps less than ideal, but I think it would solve the Philippine problem. If your site deals with international customers, you would probably have to resign to an expensive verisign certificate, or accept loss of customers due to confusion or mistrust. But from my understanding, the problem was mostly relating to Philippine websites targeting Philippine users. Case closed.

  83. VeriSign by shren · · Score: 2

    I don't know specifically about SSL, but I know when it came to buying something else from VeriSign, it was *cheaper* to go through a VeriSign affiliate than it was through VeriSign. It doesn't make a whole heck of a lot of sense, but companies that resell VeriSign products sell for less than VeriSign.

    Go figure.

    --
    Maybe the state's highest function is to grind out insoluble problems. (Zelazny, Hall of Mirrors)
  84. Re:Why do we need "certificates"? by pjrc · · Score: 2
    Why do people prefer MasterCard, Visa, or AMEX? These are credit companies with history, and a somewhat good reputation.

    Silly me... I always thought it was their massive installed base of merchants that made these names valuable to consumers. Just goes to show how little I knew.

  85. How To Set Prices... by pjrc · · Score: 3
    I've heard several times from successful marketing types that if you never hear any complaints about the price of your product, you're throwing money away. They say that you usually want to aim for losing somewhere around 5-10% of potential customers due to the price being too high. The obvious idea is that the rest won't find the price too high and will be willing to pay if they decide to buy, and that you'd rather make the extra dollars on those 90% than capture the bottom 10% who want/need a cheaper product.

    So with that little marketing gem in the back of your head, go poke around the web and view the certificates for every SSL site you come to. Since I bought a cert last summer, I've taken a peek here and there, and the vast majority of sites with SSL certs are using Verisign, with a minimum price of $349.

    By the conventional marketing wisdom of pricing, Thawte is a give-away at $125. Verisign acquired Thawte some time ago, and they still haven't raised Thawte's long-standing price that's about 1/3rd of what Verisign charges. Since I use Thawte, I hope they don't raise the price... though it would probably be a good business decision, absent other considerations (they're probably smarter than most monopolies and know they'd be accused of monopoly pricing).

    Now these slashdot threads often are all sorts of comments about what's "right", what "should" and what "ought" to be. I'm sure a number of slashdot regulars reading this post will feel it's morally wrong... but before flaming, remember that setting prices is about Marketing. If some marketing guy came to me and started spouting off about how to write code and design circuitry, he'd be just as far outside his area as I'd be (an engineer) trying to tell marketing experts that a price "ought" to be low because some small customers in other countries can't afford a cert (or at least will complain about the price).

    Are the Thawte/Verisign prices a "rip-off"? Even if the product costs absolutely nothing (which isn't the case here), a good metric for pricing is what the market will accept. Thawte did quite well offering a lower cost alternative, but the truth is that they didn't overtake Verisign offering the same product at 1/3rd the price, so for most customers the price certainly isn't too high.

    There was a brief time when I wasn't happy about having to pay $125. Maybe I even felt it was a "rip-off" for a while. The truth though, in the larger picture, is that even Verisign's price, at nearly three times what Thawte charges, isn't a big deal to most customers. It would be a very bad business decision to lower the price based on whining from a tiny fraction of the potential customer base.

    1. Re:How To Set Prices... by sydb · · Score: 1

      I've had no trouble with Thawte. It disturbs me that they see fit to list their employees' star signs, though.

      How do you pronounce that name, anyway? It looks like "thought" to me but everyone here says "thwaite" like the English surname. Who is correct?

      --
      Yours Sincerely, Michael.
  86. It's the browser, stupid by The+Pim · · Score: 3

    It has little to do with trust. For all practical purposes, web users trust exactly the CAs that their browser distributor "trusts". Except that "trust" is not the right word for the latter relationship. Probably only a few people really know how a CA gets into the default "trusted" list of the major browsers, but it's not likely to be trust.

    --

    The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
  87. Re:Root CA's by SW6 · · Score: 2
    Of course, you can always manually import a root CA, but this is generally beyond the scope of Joe Six-Pack just trying to login to check his stock quotes.

    Really? I'm fairly sure that if you serve your root certificate with an appropriate Content-Type, Netscape will happily import it after confirming with the user. You can check Netscape's MIME mappings (in the preferences under "Applications") to see the handler and MIME type. I'd be rather surprised if Internet Explorer doesn't also support this.

  88. Screw the signing. by evil_one · · Score: 2

    If you've got a secure connection, who gives a crap?
    My school runs a mail server running debian, and they've signed their own cert. We don't give a crap that verisign hasn't signed it. All we care is that it _is_ secure.
    We'll probably get around to changing the date soon.
    ---

    --
    Desperation is a stinky cologne
    1. Re:Screw the signing. by glenwood12345 · · Score: 1

      If you're running a for-profit organization, then your CUSTOMERS give a crap. Trust me, they look. I had to completely rework one shopping cart I put together because the secured page was in a frameset and people were sending emails asking "Why doesn't the little lock come up on my browser when I'm shopping".

  89. FreeCert by rjbrown99 · · Score: 5

    You guys need to check out http://www.freecert.org. The project is designed to provide free or low-cost SSL certificates to individuals and qualifying organizations. It's a great project - and it would get a big boost with some more people. So go check it out and volunteer!

  90. Root certs in the Big Browsers by BobTheWonderMonkey · · Score: 1
    Cliff asks ...what would it take to start up another company that issues CAs?...

    The biggest problem with starting up a low-cost SSL certificate authority is getting the corresponding root certificates distributed with the Big Browsers. Until you can get distributed, you're not a "real" CA. Users get awfully antsy when they get the ol' "This certificate isn't trusted blah blah blah" dialog box when they visit a site.

    --
    S.
  91. SSL? Bah by Linguica · · Score: 1

    SSL certificates are all well and good, but what I think we really need are A/S/L certificates! That way that 16/F/LA can't turn out to be 54/M/next door...

  92. Another use for php... by bifurcation · · Score: 2
    an exchange rate of around 48.50PHP per USD
    so where can i change in my php code for dollars?
    and what are the units? functions? lines of code? files?

    --
    Recursion (n): See recursion
  93. Chain Certificates by jshindl · · Score: 1

    I've set up certs from entrust.net, which is not a root CA in the browsers. They use a "chain" cert on the server... which, as far as I know, tells the browser that the cert issuer is trusted because it has a cert from a root CA, which is in the browser. It would seem to me someone could get a "chain" cert (probably very expensive) from a root CA in the browsers (i.e. Verisign), then resell to the masses cheap. OpenSRS offers 128-bit for only $99, if you are a reseller with them. That's like 1/3 of what everyone else charges.

    1. Re:Chain Certificates by Unpossible · · Score: 1

      If the cert is issued by a trusted root CA, then it will work fine, even if the cert was issued by an intermediate issuer, or Registration Authority. I too have set up a number of CA/RA systems, and basically if you want to pay Verisign a large amount of money, their trusted CA will sign the root key of your RA. You can then use the RA to issue certs, which in turn will be trusted. Trust is a good thing.

      Negatives:

      1) You must pay a large amount to Verisign, in some cases on a per-cert-issued basis.
      2) If you are trying to become a respected CA, it hardly looks professional using a competitor's certificate as your root.
      3) All issued certs are what you call 'chain certs'. If you look at a cert, you can see in the authentication path all of the intermediate certs (i.e. any intermediary RAs) right back to the root CA. In IE (which has an outstanding certificate store), you can actually view the CA's public key, etc., as well as the revocation path.



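
    The procedure these posts describe, as an added, runnable example rather than code posted in the thread: a private root of the kind #73 and #76 talk about, with the root key taken off the box once it has signed an intermediate; an intermediate whose certificates chain back to that root, which is the "chain cert" arrangement from #93; and the check a browser does against its built-in root list, which is why the man in the middle in #75 cannot simply present a cert of his own. It is a shell script written for this page that assumes OpenSSL 1.1.1 or newer on PATH; every name in it (the CA names, shop.example, other.example) is made up.

```shell
#!/bin/sh
# Added example for this page, not code posted in the thread. It builds the
# private CA that comments #73 and #76 describe, adds the intermediate
# ("chain cert") from #93, and checks the results with openssl verify the way
# a browser would with its built-in root list. Assumes OpenSSL 1.1.1 or newer
# on PATH; every name (the CA names, shop.example, other.example) is made up.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# mkcsr <common name> <file prefix>: fresh RSA key plus a signing request.
mkcsr() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
}

# 1. Root CA, self-signed from its own CSR. Extensions are given explicitly
#    rather than taken from openssl.cnf so the result is the same everywhere.
mkcsr "Example Private Root CA" root
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
  'keyUsage=critical,keyCertSign,cRLSign' > ca.ext
openssl x509 -req -in root.csr -signkey root.key -days 3650 \
  -extfile ca.ext -out root.pem 2>/dev/null

# 2. Intermediate (issuing) CA signed by the root. pathlen:0 lets it issue
#    end-entity certs but not further CAs.
mkcsr "Example Issuing CA" int
printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
  'keyUsage=critical,keyCertSign,cRLSign' > int.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -extfile int.ext -out int.pem 2>/dev/null

# The root key has done its only job. Take it off the server (#76): a floppy
# or CD in 2001, an HSM or offline machine now. Day-to-day issuance uses int.key.
mkdir offline && mv root.key offline/

# issue_leaf <hostname> <issuer cert> <issuer key> <file prefix>: server cert.
issue_leaf() {
  mkcsr "$1" "$4"
  printf '%s\n' 'basicConstraints=CA:FALSE' "subjectAltName=DNS:$1" \
    'extendedKeyUsage=serverAuth' > "$4.ext"
  openssl x509 -req -in "$4.csr" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 365 -extfile "$4.ext" -out "$4.pem" 2>/dev/null
}

# 3. The site certificate, issued by the intermediate.
issue_leaf shop.example int.pem int.key leaf

# What the web server has to send: its own cert followed by the intermediate.
# Clients only hold root.pem, so a server that sends leaf.pem alone gets the
# "issuer unknown" failure that the chain cert in #93 exists to avoid.
cat leaf.pem int.pem > chain.pem

# 4. The man-in-the-middle case from #75: a cert for the same hostname from a
#    root that is in nobody's trust store.
mkcsr "Bogus Root" evil-root
openssl x509 -req -in evil-root.csr -signkey evil-root.key -days 3650 \
  -extfile ca.ext -out evil-root.pem 2>/dev/null
issue_leaf shop.example evil-root.pem evil-root.key evil-leaf

# verify_leaf <trusted root> <expected hostname> <leaf> [openssl verify args]
# Exit status 0 means the leaf chains to the trusted root and its name matches.
verify_leaf() {
  root=$1; host=$2; leaf=$3; shift 3
  openssl verify -CAfile "$root" -verify_hostname "$host" "$@" "$leaf" \
    >/dev/null 2>&1
}

# check <ok|fail> <label> <verify_leaf args...>: print the outcome, fail if
# it is not the expected one.
check() {
  expect=$1; label=$2; shift 2
  if verify_leaf "$@"; then got=ok; else got=fail; fi
  echo "$label: $got (expected $expect)"
  [ "$got" = "$expect" ]
}

check ok   "leaf + intermediate, our root trusted"          root.pem shop.example leaf.pem -untrusted int.pem
check fail "leaf alone, intermediate not sent"             root.pem shop.example leaf.pem
check fail "shop.example cert presented as other.example"  root.pem other.example leaf.pem -untrusted int.pem
check fail "attacker's shop.example cert, unknown root"    root.pem shop.example evil-leaf.pem
echo "files left in $WORK (root key moved to $WORK/offline)"
```

    The four `check` lines at the end are the verdicts a client can reach. The full chain against a root it holds passes. The same leaf without the intermediate fails with "unable to get local issuer certificate", which is exactly the problem the chain cert in #93 fixes. A cert for one hostname presented on another fails the name check, which is the limitation of borrowing a hosting company's certificate. And a well-formed cert from a root the client does not hold fails outright, which is why the man in the middle in #75 would need a signature from a CA already in the browser rather than one he made himself. What remains is getting root.pem to the people who need it; the import-by-Content-Type that #87 refers to was keyed on the certificate being served as `application/x-x509-ca-cert`.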

  94. Re:Root CA's by surpdeh · · Score: 1
    It is possible to use [vb/java]script to import the root CA into the browser certificate repository. If a 'startup CA' were to get a certificate from an existing CA, the startup's customers could point visitors at this site to grab the startup root certificate, before being redirected back to the client site...

    I think there are also business models where you can purchase a certificate from a root CA that is valid for signing other certificates. The resultant certificates will chain back to the root CA, and be judged OK. This makes you a registration authority (RA) for the CA, from memory.

  95. Re:Am I missing something here ... by jschrod · · Score: 1

    If only well-known friends of yours access these services, why don't you prepare a Web site for them where they can download your CA root certificate and install it at their site?

    While it's clear that these prompts come up for new visitors, one can tell them the few steps they need to take so they are not bothered again.

    --

    Joachim

    People don't write Manifestos any more -- what's going on in this world? [Frank Zappa]

  96. Re:Pay for trust by jschrod · · Score: 2

    From what I've seen, it's not at all hard to get a bogus cert. You're basically paying for a rubber stamp. The primary reason certs are used is simply to convince the browser to open an ssl session without popping open 6 dialog boxes worth of FUD.

    Actually, it's something of a hassle just to get a legitimate cert. You must, for instance, have a Dun & Bradstreet listing (among some of Verisign's irritating requirements.) Of course, it's possible to fake your way into it, but these companies provide a fairly decent level of identity verification.

    That might be true for US companies. From Europe, all it takes to get a Global ID is a phone number where Verisign calls back and verifies that the other side knows about the Global ID application.

    And the real bummer is, they don't even require that the phone number is at the actual company the certificate is for. In our consulting company, we ordered many certificates for our clients and "verified" these certificate applications by being the point of contact for Verisign. And we were open about this towards Verisign - we didn't make up a fake identity claiming that we were actually our client.

    Some of our clients do online banking. Needless to say, we regularly point out to our clients' management that these Verisign certificates are not worth a penny from the point of view of security. OTOH, as one needs a CA whose root certificate is already in the end user's browser, there is no possibility of using other certificates.

    And, to be honest, from a risk management point of view, it's not so problematic. The damages that may occur through some imposter (who would also have to fake DNS on the Internet and/or hijack TCP/IP connections on a grand scale, btw) are not high enough to let the business opportunity slip away. It all boils down to the fact that there is no 100% security. You have to look at the risks, the damages that may occur, analyze them and decide if you're going to use this technology nevertheless. And for most B-to-C business, it's good enough.

    Now, for B-to-B business, that's another story because the sums involved are much higher and one usually doesn't have a money limit on the transfers.

    --

    Joachim

    People don't write Manifestos any more -- what's going on in this world? [Frank Zappa]

  97. Re:Pay for trust by t3mpest · · Score: 1

    Dun & Bradstreet? Verification? Huh?

    Just go to their website and enter your info. A rep will call you at the number given and ask a few simple questions. That's it.

    Anybody could do it.

  98. Am I missing something here ... by Howl · · Score: 1
    $125 doesn't sound bad for an SSL cert given that you can generate a user-signed one for free - you are paying for some minimal investigation that you really are who you claim to be (that's the point of the certificate - duh).

    More to the point, if you have a site that would benefit from SSL and you can't run to $125 you've got bigger problems to solve.

    --
    Never underestimate the bandwidth of a truck load of tapes
    1. Re:Am I missing something here ... by baptiste · · Score: 2
      For commercial sites - sure, but there are many non profit groups and individuals that deploy SSL as well. Like the poster above, I use SSL for IMAP, SMTP, and webmail for about 40 domains for family, friends, and local non profit groups. It would be nice to avoid the initial 'untrusted certificate' prompts. Not a huge deal - but nonetheless. As it is I direct webmail through my commercial server with a valid certificate to avoid the non stop prompting of IE (I've yet to convince everyone to leave the dark side :) )

      Companies need to charge something to pay for the necessary checks to ensure you are who you say you are and also to handle revocations, etc. But $125/year seems kinda high, especially when you often need more than one certificate to properly secure multiple services.

      --

    2. Re:Am I missing something here ... by Hiro+Antagonist · · Score: 1
      Not really. My company has a certificate, and we have never once had any real verification outside of letters sent back-and-forth, and my boss getting a call asking him if he was himself (no request for an ID number or password).

      You don't really get anything for that $125+.

      --

      --

      --
      I Hit the Karma Cap, and All I Got Was This Lousy .sig.
  99. Open CA. by ryanisflyboy · · Score: 2

    What would it take to create an "open" certificate authority? It could be run by the FSF, or some other non-profit organization. It's hard for me to imagine that all the geeks out there couldn't unite and create a system that issues low cost or free certificates. Heck, slashdot could get into the CA biz! Just about anybody could, yahoo, amazon, wal-mart. What's so hard about it anyway? The only challenge I can see is verifying that people are who they say they are - right now an almost monumental task to prove to the CA's. Seems they want everything but a DNA sample.

    I think no one has really complained about the price of a cert much because businesses mostly use this type of service, and for a business $125/year isn't that much. But what about individuals buying certs to secure private information - seems reasonable if you can get the cost below $40/year. There is a market here. I bet it's only a matter of time before someone starts to offer a lower priced solution.

    I run a discount web hosting and web design company, and I think a lot of our customers would be interested in having some type of secure cert if the price wasn't above $40/year. Right now we just resell the use of our cert because the price is too high for them to get their own. Something to think about anyway.

  100. Re:Pay for trust by david+duncan+scott · · Score: 1
    I wouldn't bank on a government not charging an arm and a leg -- they'd be just as likely to view this as a revenue stream. After all, national TLD's aren't especially cheap.

    This might be viewed as the "Internet tax" so many legislators are slobbering for.

    --

    This next song is very sad. Please clap along. -- Robin Zander

  101. Same Here by R2Q2+THE+GREAT · · Score: 1

    I wish they weren't so expensive so then I could use a Java SSH thing on my company's website. I am basing my company's website eventually on Slashcode and going to use Java SSH with a digital security certificate. (Though I don't know how to do that :-0) They said that to not be vulnerable to man in the middle attacks and I don't want that to happen to my SSH server.

    --
    --this mesage will self distruct in five seconds--
  102. Re:An open authority may be a solution by agentZ · · Score: 2
    Money SHOULD NOT == TRUST

    No, it shouldn't. But in reality, it does. Most people tend to prefer things that are nice/clean looking over something that's been cut and pasted together. That's why marketing is everything. And good marketing comes from good image making. And you need money to make a good image.

  103. Re:uh, not necessary by agentZ · · Score: 2

    Unfortunately that "one click" is owned by Amazon.

  104. Re:VeriSign Price by agentZ · · Score: 2

    No, but if you had read the price sheet, you would see that they do add some consulting services with the US$895 package. (I don't know what they actually do for those services, but it is something other than just the extra 88 bits.)

  105. Re:Alternatives... by agentZ · · Score: 2

    Not only is it a temporary offer, but at the very end of the registration process, you have to produce your company's articles of incorporation. So it's great for a small business, but still doesn't help private individuals. Is there a solution for us?

  106. Re:Why do we need "certificates"? by platos_beard · · Score: 1

    According to this article Verisign's public key is built in to both Netscape and IE.

    --
    What's a sig?
  107. Alternatives... by Daath · · Score: 2

    Well, I run a few web sites, and I've thought about getting a cert from verisign, but thought better of it... It's just too expensive! At the moment I've just signed my own cert, but I am getting a free cert from GlobalSign. It seems though, that it is only a temporary offer - But I'm hoping they'll keep offering free ones, for charity or very small companies ;-)
    I hope you can use it!

    --
    Any technology distinguishable from magic, is insufficiently advanced.
  108. uh, not necessary by gol64738 · · Score: 1

    um, purchasing a SSL cert from a known authority isn't absolutely necessary to allow your visitors an encrypted session. they just have to hit OK one time to a dialog box question, big deal.

    gol

  109. Who needs their OWN certificate? by Qazimov · · Score: 1

    I work at an ISP that offers web hosting along with pretty much anything else a company would need to get online, including use of our SSL cert. We recommend that most companies get their own, but because of the cost, many smaller companies just use ours. The only real drawback is that the address does not use their domain name, but it works great for submitting forms and such in a secure manner. I have always thought that this kind of service would be pretty popular with all hosting companies. Possibly one could set up a secure hosting service that would specifically offer this kind of setup for lower budget companies that want to have secure access to their site.

  110. Russian funny story by melted · · Score: 1

    The situation is as follows: one man was selling a chicken at the market. Then another man came to him and asked for the price. "Thousand bucks," the seller replied. "Is it made of gold?" the buyer wondered. "No, but I LOVE money." Seems that the reason behind ridiculously overpriced CAs is exactly the same.

  111. Re:The case for goverment controlled CAs by griffinn · · Score: 2

    In Hong Kong, that's what the Post Office is doing. We also have an Electronic Transactions Ordinance to back it up legally. The Ordinance gives the Post Office CA official recognition by the government. This gives the CA much better legal authority than simple inclusion in major browsers.

  112. Monopoly Market by Aztech · · Score: 1

    Verisign practically have a monopoly market here, they bought up Thawte a few months back, and I believe they now own the certificate services that belonged to RSA. So if you want a SSL cert, Verisign have the monopoly.

    Also, you have to remember this isn't a fundamental part of the net like DNS, whoever manages to "persuade" the browser makers (read: MS) basically gets complete access to the market.

    1. Re:Monopoly Market by Aztech · · Score: 1

      Does it require people to manually update their master certificates? This usually doesn't go down too well with joe-sixpack.

    2. Re:Monopoly Market by baptiste · · Score: 2
      Verisign definitely has a huge market share - but others are trying to bust in. Our server certificates came from Equifax - $75 each (for the first year - subsequent years - well they're a little bit more :) ) The browsers support it and the folks at Equifax were very helpful. I'd think a CA could make quite a dent (and a decent profit) at around $50 to $75 a certificate.

      --

  113. here is the truth... by Pheersum · · Score: 1

    *Pheersum slaps CmdrTaco around a bit with a large trout

  114. Re:Why do we need "certificates"? by tenman · · Score: 3

    Why do people prefer MasterCard, Visa, or AMEX? These are credit companies with history, and a somewhat good reputation. When I log in to a secure site, and my browser presents me with a cert, I like to see that Verisign or Thawte has "branded" that cert. While most slashdot users remember that https = secure, more "average" users just don't have a clue. Why Verisign? Because they are the one that the masses know, and think that they trust.

    As to starting your own CA, I quote from Webopedia:

    The role of the CA in this process is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be. Usually, this means that the CA has an arrangement with a financial institution, such as a credit card company, which provides it with information to confirm an individual's claimed identity

    So, you have to have money and connections, but it is possible to start one, even outside the US, as proved by this article that talks about a CA in Asia. Again with references to close ties with financial institutions.

    Maybe there is hope, but it seems a pretty slim chance that just anybody can come up with code for encryption and then start selling them...

  115. Pay for trust by xxxtac2 · · Score: 1

    The reason for having these expensive certs from these companies is that you are paying for that level of trust. If I was giving out certs for free there would be no reason at all to trust me. However having a big name like Verisign as the provider of your cert is like wearing brand name clothes; it's a status symbol and it brings with it a level of trust, which is very important for ecommerce sites to have.

    --

    Oh Well, Whatever, Nevermind...
    1. Re:Pay for trust by raju1kabir · · Score: 3
      Actually, it's something of a hassle just to get a legitimate cert. You must, for instance, have a Dun & Bradstreet listing (among some of Verisign's irritating requirements.)

      Yet, Thawte, which Verisign owns, has no such requirements. You can get a certificate from them that works just as well, for much less money.

      Last time I applied for one, the only documentation they needed was a faxed copy of the Secretary of State's acknowledgement of receipt of incorporation papers, and maybe an old phone bill or something.

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
    2. Re:Pay for trust by dachshund · · Score: 1

      No, but they do include fraud insurance with their certificates. I'm not sure how much this covers, of course.

    3. Re:Pay for trust by dachshund · · Score: 2
      From what I've seen, it's not at all hard to get a bogus cert. You're basically paying for a rubber stamp. The primary reason certs are used is simply to convince the browser to open an ssl session without popping open 6 dialog boxes worth of FUD.

      Actually, it's something of a hassle just to get a legitimate cert. You must, for instance, have a Dun & Bradstreet listing (among some of Verisign's irritating requirements.) Of course, it's possible to fake your way into it, but these companies provide a fairly decent level of identity verification.

      What is really needed is various levels of cert, from self generated ones that simply allow encrypted connections all the way up to one that represents careful auditing and controls to surely verify the identity of the server on the other end.

      The problem is that it's hard to explain to a browsing user exactly what level of authentication they're using. I mean, most people are just learning to look for that little padlock in the corner of the window. Imagine trying to explain the difference between a simple encrypted link and a fully authenticated connection in an unconfusing manner?

    4. Re:Pay for trust by doggy+door+man · · Score: 1
      According to Verisign's product page your $350 gets Verisign to accept up to $100,000 in liability for the failure of their product.

      You'd go to Verisign for the same reason you'd sell your house through a real estate broker. The third party guarantees the transaction.

      In most places, the real estate broker has some legal responsibility to make you whole if there are problems. More important, the broker's reputation is their most important asset.

      If you pay them 5% of the sale price and the buyer trashes the house in the final inspection or skips town before the closing or whatever, the real estate broker is going to be inclined to fix things, even if it costs him money. --Just so he can keep collecting fees.

      Verisign is the same way. More so since it is Lloyds of London that is actually paying the claim.

  116. Re:VeriSign Price by raju1kabir · · Score: 2
    Now this is crap. What possible reason could there be to base the pricing on crypto strength ? There is absolutely no difference in trust or work for them.

    It's called price discrimination. Take in more revenue by creating cost-neutral differentiations in your product line that will sort out your clients based on their willingness to pay.

    It's the same thing used by airlines when they require a Saturday-night stay for discount fares. Perfectly acceptable business practice, in the absence of a monopoly (in which case the mildest of things can become abhorrent).

    --
    "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
  117. Network Solutions becoming like MS? by To0n · · Score: 2

    With Verisign being a Network Solutions company... oh wait, it's vice versa.

    There should be different country "verisign" type SSL cert. providers, just in case of different currency interests. Nationalism is a slight concern here, as when currency is involved, most countries like to deal with that "inside".

    That's just IMHO, though.

    --
    blah
  118. Re:VeriSign Price by ee23 · · Score: 1

    Now this is crap. What possible reason could there be to base the pricing on crypto strength? There is absolutely no difference in trust or work for them.

    That's like going to a notary and paying more if you'd like his signature readable...

    --
    -- .sig deleted
  119. I do NOT trust my government on passports nor on CA by Quietti · · Score: 1

    The idea is quite simple: I do NOT trust my government!

    So far, the only thing my passport has brought me is trouble: not being a European Union citizen has prevented me from getting dream jobs, having a passport issued by a country that does not represent the 7-million minority from my state constantly gives people the wrong impression about what my mother tongue might be, and the only thing my passport guarantees is who "owns" me as far as visa-issuing authorities are concerned.

    Overall, I simply cannot trust a government that was not elected through a republican system that would guarantee a proportional sample of elected representatives that is likely to include the interests of people like me. Sorry to say, but the parliamentary system is as anti-democratic as it gets, since it routinely gives absolute control over anything to a single winning party, instead of a coalition that represents the wider spectrum of views found in the population. If a country doesn't use a proportional republican electoral system, it simply is not democratic.

    Finally, my government routinely legislates on matters it cannot understand and systematically does so only to accommodate the corporate demands, in total disregard of individual rights and against the voting population's will.

    Because of all the above, I simply cannot grant any credence nor trust to my government's authority in any matter, especially not when it comes to Internet technology. Centralizing Internet authentication using PKI only looks good in the eye of an incompetent beholder and is as ridiculous as driving licenses and passports; I adamantly disapprove of their use and explicitly challenge any government's authority in those matters.

    --
    Software is not supposed to be about how to work around a useability issue. - Ken Barber
  120. Re:Cut out Netscape and take a discount from IE by sysop0130 · · Score: 1

    Amen!

    --
    -------
    "People who do not break things first will never learn to create anything." -Philippine Proverb
  121. rebuttal by deran9ed · · Score: 3

    You should read the article... Think about the CA business really hard for a second.

    CAs sell certificates to ensure your data is encrypted between client and server. You, yourself as a vendor, can create your own certificate, which costs nothing. Now... do you know that the CA company is entirely secure, simply because they claim to be?

    Things to think about:
    Who gave these companies the right to issue certificates? There is no governing entity to monitor these companies' security policies. Are their employees trustworthy? Is their network trustworthy? What's the difference between seeing a "Trust-E" certificate and a "Vendor Company" certificate?

    Most people aren't really keen on what's going on between SSL on the client and server side, and when was the last time those who did know checked the validity of a cert or the company that issued it?

    So you mean to tell me you would dish out a couple of grand because a company "says it's so and xxx certificate is the definitive line on secure services"?

    No thank you I would rather create, monitor, and control our own certs in house, and ensure that our information is to be used by our company solely.

    who's that girl?

  122. The SSL scam by deran9ed · · Score: 5

    Certificates provide an attractive business model. They cost almost nothing to make, and if you can convince someone to buy a certificate each year for $5, that times the population of the Internet is a big yearly income. If you can convince someone to purchase a private CA and pay you a fee for every certificate he issues, you're also in good shape. It's no wonder so many companies are trying to cash in on this potential market. With that much money at stake, it is also no wonder that almost all the literature and lobbying on the subject is produced by PKI vendors. And this literature leaves some pretty basic questions unanswered: What good are certificates anyway? Are they secure? For what? In this essay, we hope to explore some of those questions.
    Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier

    Very informative (mirrored) document explaining this question and others in detail.

    Swedishporn
  123. Trust and liability by hafree · · Score: 2

    Anyone can generate their own SSL certificate, but what assurance does the customer have that you are who you say you are? It doesn't much matter if your transactions are done securely if they aren't going to a legitimate company. As anyone who has applied for an SSL certificate knows, it's not a 5-minute process. You have lots of online forms and paperwork to fill out, credit checks are done, and you need to provide documentation that your business is legitimate before companies like Verisign or Thawte (now owned by Verisign) will issue you a certificate. They have already done the footwork to ensure that the company you are dealing with is legitimate and not just some scam artist looking to collect credit card numbers. While the price tag might not be cheap, $125/year is a relatively small expense for a business. Most commercial ISPs provide a secure server for their customers for little or no charge on top of their regular hosting fees anyway. It is money I'm willing to spend to gain my customers' trust. If your company can't afford $125 to gain my trust, I don't think I would be comfortable doing business with them in the first place.

  124. VeriSign Price by zamboni1138 · · Score: 2

    The original article says the price of a VeriSign SSL cert is $349 USD.

    I think it should be noted that according to VeriSign pricing the $349 is only for a 40-bit cert. The 128-bit cert is now $895 USD.

  125. The case for government controlled CAs by Heidi Wall · · Score: 1

    Well this article has prompted me to look up some info on SSL certificates and Certificate Authorities. What I've read is disgusting.

    We have some very few companies (the number of which is shrinking rapidly, witness Netsol-Verisign) having a stranglehold on this market because only a select few have agreements or can pay MS and Netscape enough to be included by default into their browsers. If an upstart CA were to try to bypass this, its certificates would appear as untrusted in the browsers, prompting an ugly alarm dialog. Enough to inspire FUD into the customer's mind.

    However, a certificate has next to no monetary value, it's a proof of identity, and market dynamics should have no role in this process.

    My proposal, thus, is to transfer the handling of digital certificates to a government (ideally international, thus UN) sponsored body which achieves trustworthiness through legal backing. This annihilates the market and the situation of near-monopoly we presently face.

    I mean, your passport is issued by the state and I'd venture to guess nobody even among the most extreme libertarians would challenge that...


    --
    /* And you'll never guess what the dog had */
    /* in its mouth... */
    --Larry Wall in stab.c from perl
  126. ^^^MOD THIS UP^^^ by Unpossible · · Score: 1

    This is the crux of the problem EXACTLY.

    .
    ....

  127. Re:An open authority may be a solution by Unpossible · · Score: 1

    Yes. An open authority would be a good solution. Right now, the only thing that establishes you as a trusted CA in the browser is a truck-load of money. Money SHOULD NOT == TRUST.

    I am more likely to trust a cert issued by a not-for-profit organization like, say, W3C than a monopoly like Microsoft.

    Of course, they would still have to charge for their certs, as there is lots of leg-work involved in verifying a company as trustworthy.

    .
    ....

  128. Root CAs by Unpossible · · Score: 5

    Root CAs are not just added to the browsers by default. The companies representing the CA must PAY Netscape and Microsoft to have them in there. And trust me, it is A LOT of money. I worked for a company that has a CA, and when we wanted to put it in the browsers, it cost us on the order of US$200,000 to get it in both. And if you don't have your CA in the browsers, and you try to set up SSL with the browser using a certificate issued by your unlisted CA, the browser freaks out, basically telling the user the site is NOT TRUSTED. This is a good mechanism in theory, but when the browsers charge this kind of money, it borders on holding a company hostage.

    Of course, you can always manually import a root CA, but this is generally beyond the scope of Joe Six-Pack just trying to login to check his stock quotes.

    .
    ....

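    What post 128 describes, as an added Go example that is not from the thread or from any CA or browser vendor: a local root CA that no browser lists issues a server certificate, and a chain check (what a browser does before showing the padlock) fails with "unknown authority" until that root is imported into the trust store. The CA name, the hostname shop.example and the helper names are constructed for this illustration; it assumes Go 1.18 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a cert for cn: self-signed (a root CA) when parent is nil, else signed by parent's key.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // modern verifiers match the SAN, not the CN
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, key.Public(), signerKey))
	return must(x509.ParseCertificate(der)), key
}

// Demo: an unlisted local CA issues a server cert; verify it before and after the root is imported.
func Demo() (beforeImport, afterImport error) {
	root, rootKey := newCert("Local CA (constructed example)", nil, nil)
	leaf, _ := newCert("shop.example", root, rootKey)
	empty := x509.NewCertPool() // a browser that has never heard of this CA
	_, beforeImport = leaf.Verify(x509.VerifyOptions{Roots: empty, DNSName: "shop.example"})
	trusted := x509.NewCertPool() // the same browser after a manual root import
	trusted.AddCert(root)
	_, afterImport = leaf.Verify(x509.VerifyOptions{Roots: trusted, DNSName: "shop.example"})
	return beforeImport, afterImport
}
```

    The first Verify call is the "NOT TRUSTED" dialog; the second is the padlock, with the only difference being which roots the client was told to trust.
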
  129. Re:An open authority may be a solution by roguerez · · Score: 1
    And I forgot to add: a most important point is that there are only a few such open institutes handing out certificates.

    This way it will be attractive for browser makers to support these institutes. We do not need numerous mom-and-dad shops handing out proprietary certificates. I'm thinking of a few institutes, just like we now have a couple of 'leading' open software licenses like the GNU and BSD licences.

    This will only be positive for acceptance. Think of IBM and other large companies now more or less supporting open software and putting such a license on some of their software. The same thing can be done for security certificates.

  130. An open authority may be a solution by roguerez · · Score: 2
    I agree. Especially since a secure channel between http client and server becomes more and more important. Not only for e-commerce, but also for other applications where security is important. Think of online access to the results of your academic studies, private websites which do not have a commercial purpose (perhaps for scientific needs), accessing your medical records online, etc.

    Of course, the fact that now a handful of commercial companies are the only players in the game is normal. This happens with a lot of new technologies. But, also as in a lot of technologies, there comes a time when the technology should be available to more people without having to support a few commercial players.

    The idea of trust, which is what the main point is here, can also be handed to an open institute without the goal of profit making.

    Just like open source software exists because it fulfills a legitimate goal (slashdot-readers know all about that), the trust needed to secure a website can also be laid in the hands of a trustworthy open institute.

    The intellectual property isn't an issue here. A group of people in the know would relatively easily be able to set up such a secure institute for handing out certificates. It's not like this idea is patented. And I expect after a while this will be accepted by the Internet community, including browser makers etc.

    Effectively, this will be accepted just like all the Internet protocols are accepted (and are in fact the basis of the complete Internet).

  131. Cut out Netscape and take a discount from IE by redgekko · · Score: 1

    Just cut Netscape out of the equation and, in doing so, bargain with IE for a substantial 'exclusive browser' discount. Besides, if Netscape is trying to charge more than their piddly few percentage share of the browser market out of that $200k, they're ripping you off and you'd be supporting an AOL-bastardized company that will never properly adhere to W3C standards. Let them die ASAP.

    --
    Slashdot: rejecting tech news in favor of rubber band guns since 1997.
    1. Re:Cut out Netscape and take a discount from IE by redgekko · · Score: 1
      I would love to check the Anonymous Coward's source, but without a link... and judging by the AC's misspelling of 'Independent', missing name of reviewing organization, HAHA's, -1 moderation, and of course COMMON SENSE derived from personal experience and expertise in looking at the figures...

      I'll bet you get the warm fuzzies every time some poor SOB with a hosed OS can't use IE, is too incompetent to reinstall Windows, and has to suffer with Netscape, all while inventing blasphemous reviews and statistics to compensate for the browser's shortcomings.

      There goes my blood pressure again.

      --
      Slashdot: rejecting tech news in favor of rubber band guns since 1997.