Slashdot Mirror
Thawte Protects The World From Crypto
nutsaq writes: "Thawte.com, a South African Certificate Authority, in a move of astonishing wrong-headedness, has inexplicably changed it's developer certificate policy. To quote from the site: 'Due to current world circumstances developer certificates can no longer be issued to individuals.'Sucks to be working with crypto these days. Apparently I'll get no help from Thawte to encrypt stuff, oh wait, I didn't need it, the browsers did."
Are they only giving out certificates to corps then ? What an improvement ! This means that corporations again gain power over individuals.
Yes, I'm left. You have a problem with that?
Crypto is now one of those 6 letter words better left unsaid in public!
;)
Something else will come along... if that doesn't work, just form a Limited Partnership or some other 'legal' low risk corp....
On my first project that required crypto, I tested solutions from multiple vendors, including Thawte, before I made a final decision with the companies checkbook. Not making cert's available to individuals will only hurt them when developers want to experiment with their technology first.
My next Slashdot post will be ready soon, but subscribers can beat the rush and see it early!
Like the rest of the world , its only a matter of time before big companys rule things... and individuals are kept out... with systems like this...
its only the first step...
Cruise TT
This is about signing certificates, nothing with "oops, my browser encrypted" bla. This is a very interesting move, that I cannot quite follow. Why in the world would you only limit signing certificates and blame it on the "world". Excuse me? I mean if it was about global server IDs, strong encrpytion, etc. I might find some reasons in current events to limit the distribution. But code signing certs? Quote from the Site: "Your customers can be confident that a Thawte Developer Certificate will guarantee that your code remains tamper proof, and that the content originated from the source on the certificate. Important Notice:
Due to current world circumstances developer certificates can no longer be issued to individuals." Or am I totally missing the point here (probably too late here on Pacific Time)
Why would a US company want a certificate from a South African company ? I didn't realize that Zulu tribe members could write crypto programs in the first place ....!!
That is so a typical response from an arrogant American. It shows that your attitude towards some non-American countries has not changed. The company belongs to Mark Shuttleworth -- a South African that is of European origin.
Before we claim another atrocity forced upon the "little guy" let's take a look at the situation. Thawte is not the only provider of certificates out there. There are others and if individuals demand the ability to work with crypto (as they will) someone will provide the service.
Thawte is not Microsoft. They cannot strongarm other businesses, let alone individuals, into working just how they see fit. There's no chance for Thawte to rule the world.
So before everyone gets all up in arms realize that all you have to do to correct the situation is not use Thawte for anything until they reverse their stance or simply use another certificate provider. Write a nice email and let them know why you don't agree with them and move on. This isn't a crisis...
Of course we torture people, we need the information --Gen. Pinochet
I think this is a real shame, and is probably originated by some badly informed member of Thawte-management.
How do they plan on catering for the self-employed? What about small companies where the corporate and technical contacts are the same person? Why should an individual have any less right to certifying their code than a corporate?
Of course it is up to Thawte who they sell their product to, but given the mind-set of people they are selling to (technical staff), this is not going to do them any favours.
Generally Thawte are very forward thinking... Their "Web of Trust" model brings free X.509 email certificates to the masses by using a PGP-like trust model (extended through face-to-face authentication) on top of the CA signing model.
Enjoy Y2K? Roll-on Year 2037!
Did anyone other than me notice that this was for the "developers" cert - i.e. signing of programs (aka - the "Microsoft Authenticode")?
Doesn't appear to have a damn thing to do with web browsers (SSL Certs). Besides, you can always do a "make certificate" in the OpenSSL directory and make a "self-signed" certificate anyhow. They work just as well as the CA signed certs and they cost a whole lot less.
Ron Gage - Westland, MI
I my opinion, the concept of code signing is flawed. The user is tempted to think "this piece of code just loaded by my web browser is signed, so I can trust it."
In fact, the signature only proves that the code really comes from a specific developer and has not been tampered with during transmission. It says absolutely nothing about the trustworthiness of the developer. So, as long as I don't know if I can trust the developer, the signature doesn't help.
Here are some first thoughts, if you end up talking to the media:
- The strongest form of cryptography was invented in the 19th century and does not require a computer (XOR against one-time-pad), though computers certainly make it faster.
- Cryptography technology that is available for free to the general public is very sophisticated. Weakening the cryptography available to shoppers on the Internet will not prevent the best and strongest software being used by "bad guys".
- Stunting the public's ability to encrypt will hurt everyone from dissedents in oppressive countries to Internet retail companies to international corporations.
It's time to fight back in the war of words. Make this "Internet shopper" vs. "public ignorance". Make it "my credit card for sale". Public opinion is carried on sound bites, so let's get some!After all, no matter how well programmed or insightfully designed, every encryption system will eventually get broken by some 12 year old script kiddy. Look at SDMA. All that work, and it's useless.
Right now, strong crypto is either a pipe dream or a false promise. It isn't worth getting upset over changes to crypto laws yet, because cryptography is still in its infancy, and has a long way to go before we can consider our data to be secure.
Mark Shuttleworth -- a South African that is of European origin.
What do you want to say? Is he better than the Zulu's or isn't he allowed to become a tribe member?
Why you stayed on topic at all is questionable.
Why not just have a non-profit organization that issues certificates to anyone that wants one for a nominal fee?
Mea navis aericumbens anguillis abundat
Thwart?
Thought?
We need to export some dictionaries to Africa
pun : noun
: the usually humorous use of a word in such a way as to suggest two or more of its meanings or the meaning of another word similar in sound
Or maybe America should import some dictionaries from SA
Actually, I know that it was, because I wrote it for the Wipout competition, which is spookily enough another /. story of the day.
I wrote this story in early September, pre-11th. It postulates a society where knowledge of crypto is so strongly controlled that... well, read the story.
At the time that I wrote it, it was science fiction. It now looks like I was way too conservative, and events are already on the way towards overtaking my predictions. Hey ho.
If you were blocking sigs, you wouldn't have to read this.
Build your own certs that import into IE and Netscape easily..
The best JCE on the planet..
BouncyCastle
Now that closed source companies are starting to really restrict what end users can do, and what they can see, and what licensing they will even give out to people, it'll be a lot easier for open source organizations to really shine.
:)
While everyone else is adding restrictions, we should be in a mad dash to catch up where the closed source versions are leaving off, increasing public acceptance of how convenient and useful open source products are compared to the rest of the software industry.
CSS people are actually giving OSS people the opportunity to be BETTER, not just feature-equal! Yaaaay
"Look at me, I invented the stove!" -- Ben Franklin
Now only real companies, like the MANY that bin Laden's network runs, can get encryption tools.
The line must be drawn here. This far. No further.
I really doubt that much signed code is distributed with authority from certificates issued to individuals. Chill out. They will lose some money, and I'm sure Thawte doesn't like that, but crypto is not going away.
If you use GnuPG (GPG) - you can create your own circle of trust.
You sign your own certificates (verifying them over the phone or through some other means) and then you in turn publish your keys to open key servers around the world.
The more places your identity exists the harder it is for someone to steal it - that is why Slashdot allows you to put your public key into your account (you can see the box for it just below the signature box)
The key servers are run mostly by institutions around the world (I think Stanford is a main hub here in the US) - they basically hold a bunch of public keys that have been signed.
So this story isn't a big deal for jo shmoe because if you need to securely transfer something from yourself to someone else you can do that for free using GPG.
So let the companies have their closed ring of trust and you can create your own.
Derek
Comment removed based on user account deletion
I e-mailed them and got this response from Jeanne Fourie:
Dear Marius
Thank you for emailing me with regard to your concern. Due to the current
international threat of terrorism we have been advised by
our parent company VeriSign to refrain from issuing developer certs to
individuals, for the mean while.
As you will be aware, there is a need right now for companies like ourselves to be
extremely cautious in all aspects that concern
security and encryption.
Developer certs are issued to individuals based on verification of passports and
drivers licenses. These documents are however easily
forged and we have therefore had to take the executive decision of not issuing
certs where the verification process may be
questionable.
We are positive that we will be able to resume this service in the near future. I
do apologize for any inconvenience that this may have
caused you.
Regards
Jeanne
As can be seen it seems to be Verisign who requested this....
Hmm...
Am I right in thinking that this has no bearing on users actually using certificates as anyone can create certificates with Openssl on a i386.
So all they are doing is removing the convienience of the extra dialog box that the certificate was not from a trusted source.
I don't get the paying money for Certificates in the first place...
so now verisign can take more from the individual.. once verisign bought thawte, they wanted to raise the prices.. but couldn't.. this is a way that they can.
1. letters to newspapers. this can be the first, lowest-effort thing to do. the net is full of good examples of how crypto is good, first of all the writings of Phil Zimmermann, that could be at least inspiring. here's the link and a quote:
"You don't have to distrust the government to want to use cryptography. Your business can be wiretapped by business rivals, organized crime, or foreign governments. Several foreign governments, for example, admit to using their signals intelligence against companies from other countries to give their own corporations a competitive edge. Ironically, the United States government's restrictions on cryptography in the 1990's have weakened U.S. corporate defenses against foreign intelligence and organized crime."
.2Euros :)
2. for those of you who have good capabilities/reputation, start spreading the word. Not only among your friends (no matter how commputer-illiterate they are, public opinion is independent from tech skills, unfortunately), but also at work.
3. the main goal is to make the idea of 'banning crypto can make more damage to your business than give benefits to the country' reach the higher levels. letters to newspapers will perhaps lighten a few minds, but enlighten a CEO of a multinational or a big company will help things better. It may seem unreal, but if you think that anyone in the world is just seven hops away, why don't try it? Never underestimate the power of coffee-break gossiping.
4. all the 'geeks' and technician all over the world have a great power over "regular user". When a techie or a sysadmin talks, everybody is listening. Make good use of it. Be responsible, and be clear. Make people think. 5. talk to newspaper writers, friends working for the media, whoever you think can spread the world.
6. wait
7. repeat
8. listen to other ideas and possibly invite your "opponent" to post it somewhere, to publish it, basically don't treat who does not agree with you as a stupid.
that's what I'm doing with my friends, parents, et cetera. I'm posting opinions on public forums in newspapers, and although I cannot see an immediate feedback, I'm positive about it.
Just my
-- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
make conferencies about that, give interviews, talk about it in any public place where the argument may be of some interest. Don't be shy, if you're there to listen to someone else opinion, so are all the people sitting near you - and it's your opinion that they may consider.
...any other idea?
-- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
One of my personal mottos has been for quite a while this:
"Humans are by nature optimists. Try to think the absolute worst thing that other human beings could come up with. Wait a few years. Note how optimistic you really are."
There is no such thing as good luck. There is only misfortune and its occasional absence.
Recently, thawte has also decided to change the way they issue wildcard certificates. What used to be a great way to use one certificate for all hosts on the same domain, has now become just a way to do mass certificate licensing. They are charging people a fee for each host that they use the wildcard ceritificate on, although I don't see how this could work. The price per host gets lower as you buy more licenses. But still. Come on!!
I just hope that when the company I work for goes to renew their wildcard certificate that they don't try to switch us to the new wildcarding system.
Veri$ign - the recent purchaser of Thawte - is simply using "world circumstances" as an excuse to increase their own revenue by eliminating the one source of relatively inexpensive certificates.
Make your homebrew CA private key:
openssl genrsa -des3 -out ca.key 1024
Create your CA self-signed public key:
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
OK, you're set up as a homebrew Certificate Authority (CA) and ready to start signing your own home-brew certs:
First, create a homebrew private key:
openssl genrsa -des3 -out server.key 1024
Create the unsigned public key (AKA certificate signing request) At one point in the process, it asks for "Your Name" - if this is for personal identification, then put in your name. However, if this is for a development web server, then put in the web site address "dev.www.wherever.com" when it asks for "Your Name"
openssl req -new -key server.key -out server.csr
Get the sign.sh script from the Apache mod_ssl distribution, use this to sign the certificate:
There you go, you now have the private (server.key) and public (server.crt) keys. Install them on your webserver.
They will work, but your browser will whine about them being signed by an untrusted source. No problem there, give a copy of CA.crt (NOT CA.key!!) to any developers using your web server and have them install it on their machine, from then on, their browser will consider any certs signed by your homebrew CA key to be valid. To install the cert on IE browsers, a hint: you do not use your browser to do it, even though there is an "Install Cert" button on the window that pops up to let you know that the cert is signed by an unknown CA. Instead, you give them CA.crt, have them save it to their hard drive, then open up Windows Explorer, right click on CA.crt, and pick Install Cert from the menu, a Certificate Wizard will pop up, go with the defaults, then your machine will trust the homebrew certs.
The root certificate game has always been just a money scam, especially for dev certs.
The trust associated with a certificate from Thawte is that you can trust that code signed with a Thawte certificate is definately written by the company 'XYZ' specified on the certificate - I don't believe (m)any people believe Thawte are recommending their code - who knows who / what Thawte are apart from developers anyway?
To become a registered company in Germany, you need to get a license. In the smallest case, that's going to cost you all of 15 DM ($7.50).
What a stupid and useless move at the side of Thawte...
You can hit my pages with http or https. If you do the https version with Netscape, you get a happy little dialog telling you Netscape doesn't know who signed the page. Fortunately the dialog box defaults to "Trust for this session only" as it's pretty well certain that most users, conditioned to hit "OK" when a dialog box pops up, will do so. I make a note that you really shouldn't trust my certificate permanently on my page.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Don't forget about the other type of CA - corporate (or educational) internal CAs. These CAs don't issue certs to the general public, they issue them to employees, students, whatever, so the individual can access corporate or school resources.
This solves a *lot* of problems, since you can assume all authorized users have a valid cert. If someone is fired, leaves school, whatever, you can revoke their cert immediately. Some resources might not check the CRL, but others definitely will.
But this, of course, requires installing your own cert. Oh, to be sure, you can outsource this operation to a commercial CA and be covered by their root cert. At a modest cost of something like $20-$100 per employee per year. (It's been a while since I checked the prices.) A lot of organizations won't mind that cost, but others will. It's not like this system is hard to maintain, once installed.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
This is not only about trust; it is about economics. Small development studios representing a single owner, or a partnership, produce a vast amount of software for the Internet. OpenSource development teams likewise have no corporate presence, and rely on the identities of individuals.
This may sound like an innocuous move now, but consider the general direction of the intellectual property movement. The only way to truely secure digital content is to tie it to an identified user. That means hardware capable of decrypting content on the fly using a user-specific key. It is unreasonably difficult to reencrypt each piece of content for different hardware, so a license certificate is used to associate the content key securely with the user's identity.
CPUs already exist to do this for secure computing applications, and its hardly improbably that Intel and/or MS have considered this as a route for development. Whether it is the hardware or the OS that enforces it doesn't matter awfully much: at some point a corporation is responsible for issuing a license certificate which will marshall the association between your software certificate and a user's identity certificate.
In other words, someone has the power to determine if your software is allowed to run on their hardware, or not. By denying you a developer certificate, they can prevent your software from running.
Right now that's not a reality. Unsigned code isn't prevented from running, it just causes a miriad of warning and threats which most users will back away from.
So the moral of the story is be a big corporate, pay lots of money, and your product will be used. Otherwise you're sleeping in the sewer, my friend.
Twylite
i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
but can someone please tell me the point of making your own certificate which you then tell your users machine to trust.
'Oh I trust the software from Dave because Dave made his own pretty certificate for it and put gold and silver stars on it and everything'.
If the certificate has no trustworthy third-party, it's a waste of time innit...
The only use for a code signing certificate is to tell a user that a piece of code is safe to use.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Well, not a lot of people/companies anyway.
Half the time I try to download an application/plugin I get the message 'this code was not signed'. This happens so often that the average user will simply click 'run anyway'.
This will only affect companies that have actually taken the time to set the system security policy to 'never run unsigned software'. Which nobody on this planet has done, because all the really useful software has not been signed. *sigh*
Code signing is rather useless anyway, it's a good concept. However, the certificate issuers only certify that a company writes software (which you knew anyway, you just downloaded a piece of their work), they do *explicitly* not certify 'this is software written by a company that will not copy all files from your harddrive and publish them on IRC'.
In it's current implementation it makes software somewhat tamper proof. Which is nice...
that someone already cracked their system and there are bogus personal certs out there now but to say that would RUIN Thawte. I have a personal cert from them but I've given up using it in general.
errr....umm...*whooosh* *whoosh* Is this thing on ?
No, not at all.
You said ...
/trying/ for the idiot-of-the-day award?
-----
Important Notice:
Due to current world circumstances developer certificates can no longer be issued to individuals.
Please note that the following restrictions will apply to companies applying for developer certificates:
Both corporate and technical contacts must work for the company
No ISP and Hosting Partner may be the technical contact if they are not working for the company applying for the certificate.
Should you need any clarification on the above please email us at
developer@thawte.com
-----
Gee, let's think about this for a minute.
Corporate contact: secretly a terrorist.
Technical contact: secretly a terrorist.
'Secretly", that is, not telling others, like the anti-terrorist certificate issuing authorities?
Meanwhile, you deny certifcates to the non-terrorist individuals, in the expectation that they are terrorists.
Are you
Perhaps you are secretly a terrorist organization.
:) me
What about Who needs any other crypto solution?
So Thawte now thinks their verification process is flawed. So they're not revising their verification process, or revoking their existing certificates (which they presumably issued based on their flawed process). And it's not like someone planning to do something with a developer certificate would wait until the last minute to actually get the certificate.
In any case, PKI is inherently broken in a number of ways, including that the signer doesn't specify what about the key is being certified. So there's no way for Thawte to certify that they checked a passport and you look like the photo. There's no way for them to say, "This person is who he says he is, unless he accidentally emailed his private key to a total stranger or duped the Portugese passport authority."
(For the record, the issue under discussion has nothing to do with terrorist attacks, as the other AC troll reply implies.)
What developer certs let you down is put ActiveX controls on your web pages that the user can download without going through a scary dialog saying "the browser can't tell who created this file". You do get a dialog saying "This file was created by so-and-so, click 'yes' if you trust them" but that dialog is designed to not be scary, and encourage the user to download whatever crap is about to take over his computer.
There are also developer certs for signed objects in Netscape browsers, but not too many people care about those any more. :(
But OpenSSL allows you to create a CA cert as well. Just preload your clients' browsers with your CA's public key cert and then you are every bit as safe against man in the middle attacks as you would be if Verisign or Thawte had signed your server's cert, SO LONG AS you keep your private CA key safe on your servers.
Which you have to do in the presence of a Verisign or Thawte-signed server cert anyway. All that having Verisign or Thawte sign your cert gets you is convenience (so you don't have to distribute your public cert keys to your browsers) and the ability to provide data to a wider audience.
The big hole that I wonder about is that most browsers have cert keys for a whole lot of CA's.. do they cross-check with each other to ensure that more than one Cert Authority among them are issuing keys for a given host or domain? If my web servers' keys are signed with Verisign and someone else can get a cert for the same domain signed by Joe Fourth Party CA, then new visitors to the fake site would be none the wiser.
- jon
Ganymede, a GPL'ed metadirectory for UNIX
A certificate signer like Thawte is explicitly in the business of managing reputation. Their certificates are as valuable as their certification process. If they see existence of a formalized organization as a good predictor of future behavior, then they should incorporate that information into their ruleset.
The amount of reputation information in a certificate from a high volume provider like Thawte is pretty small, and anything Thawte does to reduce the volume increases the amount of information. What they have done is a legal and completely relevant technique.
What they haven't done is provide more contextual information about the meaning of their certificate. What they _sell_ is a statement of reputability. What they _ship_ is a statement of having matched the claimed identity with a civil identity. Those are different things. In the long run I can't imagine that certificates won't become more closely matched with context.
The whole decision is silly. All thawte is doing is loosing business. If a terrorist wants to encrypt a webpage, it's easier and faster to just set up OpenSSL/mod_ssl and sign your own cert.
If the visitor is another terrorist looking to download encrypted content, all he has to do is click OK to the browser box that says it's not trusted and then the encrypted stream of content will begin.
All thawte is doing is removing the part where the cert is trusted. I doubt a terrorist would care.
Do you actually trust ALL corporations because they are a corporation? There are many corporations I do not trust. For me, Verisign and Thawte are slipping over the edge now, and might find themselves in the heap with Microsoft, Intel, and Dell.
now we need to go OSS in diesel cars
That's stupid. That would be like a terrorist calling up the FBI and saying, "I here's my name and phone number and proof of who I am."
If the FBI intercepted a message encrypted using a Thawte cert, even if they can't read the message they can read the certificate to see who it came from.
The whole point of a certificate authority is that they vouch for the identity of who the certificates came from, it's for the *receiver's* benefit, not the sender's.
I doubt any terrorists want to have foreign companies vouching for their identities.
only criminals use individual ssl certificates therefore they should be banned for individual use.
Hmmm... it's not difficult to set yourself up as a root CA. It really just boils down to "trust".
/. crowd. Of course throw in some terms and conditions to encourage appropriate use, whatever... I highly doubt the Bin Laden's of the world have anything relevant to say on /. so you can don't have to worry about THEM getting the 25 karma.
Verisign, Thawte, etc. are where they are because of the "trust" that corporations and individuals alike have placed in them. If Verisign (Thawte is owned by them) feels that it cannot issue developer certificates because of an inability to safely verify the authentifiy of applicant credentials, then that is their business. I don't like their decision anymore than anyone else here, but They DO have a reputation to maintain.
How would Slashdot like to get into the certificate business? Let's say that once you get to the coveted 25 Karma you gain the privilege of being able to purchase certificates from Slashdot, just as you would from Verisign and the like. If you get yourself up to 25 karma that's kind of like a sign of "communuty trust" at least within the
Thawtw was good. Then they became a "Verisign company". Now you can expect the same spectacular service that you can get from NetWork Solutions.
This is related to Microsoft's concept of blaming others for security problems. Since they demonstrably can't make their OS secure, and chose a fundamentally insecure technology (Active-X) for their browser, their answer is to require that all code run on their systems be signed by somebody who can be blamed for problems. Microsoft may also use this to obstruct free software from running on Microsoft boxes. Remember that Windows XP can be configured to run signed code only.
I'm no crypto expert, but my guess is that they would want to minimize the risk of an individual acquiring a certificate in a bogus name, creating a virus or something and then signing the virus code with the cert - thus making it appear more valid
In other words, you claim Thawte has restricted granting code signing certificates to avoid another debacle like this where Verisign granted a certificate to "Microsoft Corporation".
Will I retire or break 10K?
If you use GnuPG [gnupg.org] (GPG) - you can create your own circle of trust.
Yes, but does the Java platform's code signing mechanism recognize OpenPGP style certs? Java applets cannot access the local hard drive or any host other than the server they were served from without being signed, and they pop up a scary (to AOLers) FUD-box if the cert used to sign the applet wasn't signed by VeriSign (the most significant root CA now that VeriSign owns Thawte).
Will I retire or break 10K?
The code might be doing nasty stuff without you ever knowing it.
A contract between the CA and the developer effectively prevents that from happing, because if too many users complain to the CA, the developer loses the cert.
Will I retire or break 10K?
Half the time I try to download an application/plugin I get the message 'this code was not signed'. This happens so often that the average user will simply click 'run anyway'.
Exception: Java technology. Applet viewers do not open the dialog at all but simply throw an exception whenever an unsigned applet tries to access the local filesystem or any host other than the host that served the applet; the only way to let users upload a file through an applet is to sign the applet with a code signing certificate, and I don't think OpenPGP (GNUPG, etc.) counts.
Will I retire or break 10K?
Let's say that once you get to the coveted 25 Karma you gain the privilege of being able to purchase certificates from Slashdot
NO NO NO! It's surprisingly easy to whore a troll account to 25 Karma, and your nick has no connection to a Real World Identity that can be thrown in jail for violating the terms of a CA agreement, which for code signing include "do not sign malicious code".
Will I retire or break 10K?
Extnay t'lliay ebay llegaliay otay alktay otay ouryay riendsfay niay onguestay.
When shit hits the fan get some of these https://youtu.be/pY-GncsZ-UE
Comment removed based on user account deletion
I've always thought that PGP was a better way to sign software anyway.
Not really, I'm speculating that it may be a (the?) cause for their behaviour. I have no trouble believing that many people routinely accept any signed website, program or aardvark without bothering reading through the provided information first.
With corporate certs, the CA can atleast make rudimentary background checks (I don't know if Thawte bothers though) and assign some kind of responsibility to their use.
Money for nothing, pix for free
Maybe I'm a dunderhead but I didn't see anything funny at MSN.com using netscape 4.77 in linux. The head page came up OK, looked like crap, it's IE optimized but it's their world. I didn't try to sign in, don't know my passworld or UID do to passport signin years ago. Guess that one bit'em in the kester.
Apocalypse Cancelled, Sorry, No Ticket Refunds
Dahlmann tightly grips the knife, which he may have no idea how to use, and steps out into the plain.
Of course you know the solution to the problem presented in the story: sign it if you have to, then route the illegal stuff through people who don't care. Don't give 'em a reason to make an example of you, until you've got your fingers on the puppet strings too.
Why would a US company want a certificate from a South African company ?
Yeah, after all we all know how excellent the USA is at writing software ;)
The saddest thing is, your post would be obviously a troll if it weren't for the fact that there really are a lot of arrogant/ignorant Americans that think like that - in other words, you might even have meant what you said :/. And then Americans still wonder why some other countries hate them so much.
You can build a reputation around your identity, and insure that no one would be able to tear that down using the authentication aspects of the encryption. I think in the long run, the authentication aspects will be more important than the data hiding aspects.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?