Slashdot Mirror

← Back to Stories (view on slashdot.org)

Thawte Protects The World From Crypto

Posted by timothy on from the strange-goings-on dept.

nutsaq writes: "Thawte.com, a South African Certificate Authority, in a move of astonishing wrong-headedness, has inexplicably changed it's developer certificate policy. To quote from the site: 'Due to current world circumstances developer certificates can no longer be issued to individuals.'Sucks to be working with crypto these days. Apparently I'll get no help from Thawte to encrypt stuff, oh wait, I didn't need it, the browsers did."

11 of 179 comments (clear)

  1. Wait a second... by weez75 · · Score: 5, Insightful

    Before we claim another atrocity forced upon the "little guy" let's take a look at the situation. Thawte is not the only provider of certificates out there. There are others and if individuals demand the ability to work with crypto (as they will) someone will provide the service.

    Thawte is not Microsoft. They cannot strongarm other businesses, let alone individuals, into working just how they see fit. There's no chance for Thawte to rule the world.

    So before everyone gets all up in arms realize that all you have to do to correct the situation is not use Thawte for anything until they reverse their stance or simply use another certificate provider. Write a nice email and let them know why you don't agree with them and move on. This isn't a crisis...

    --
    Of course we torture people, we need the information --Gen. Pinochet
    1. Re:Wait a second... by Insount · · Score: 5, Insightful
      To get your code to run on popular browsers, you need a certiticate (key pair plus some data) issued by a certificate authority that is available in all popular browsers. Otherwise, your users will get security warning popups to the tune of:
      This applet is signed using a certificate that was issued by an untrusted certificate authority. Run anyway?
      As a developer, you can't afford that.

      Thawte is one of the few certificate authorities that are in the default installation of all popular browsers. VeriSign is another, and in fact I can't recall any other common CA that's catering to the general public.

      The upshot is that VeriSign, which now owns Thawte, has a monopoly on code signing certificates for browsers. They're giving the appearance of competition by selling "lucrative" certs under the VeriSign brand and "economy" certs under the Thawte brand, but technically it's the same product. This is why they can charge $200 for 1-year Thawte certificate, and more for a VeriSign cert, even though effort involved is trivial. It's just like things used to be with domain registration and Network Solutions (which VeriSign also owns now). I don't believe potential liability issues would prevent this price from dropping significantly in the presence of other players.

      Given this, the change in Thawte's policy is quite disturbing.

  2. Shame... by karot · · Score: 5, Insightful

    I think this is a real shame, and is probably originated by some badly informed member of Thawte-management.

    How do they plan on catering for the self-employed? What about small companies where the corporate and technical contacts are the same person? Why should an individual have any less right to certifying their code than a corporate?

    Of course it is up to Thawte who they sell their product to, but given the mind-set of people they are selling to (technical staff), this is not going to do them any favours.

    Generally Thawte are very forward thinking... Their "Web of Trust" model brings free X.509 email certificates to the masses by using a PGP-like trust model (extended through face-to-face authentication) on top of the CA signing model.

    --
    Enjoy Y2K? Roll-on Year 2037!
  3. Get the story out! by ajs · · Score: 5, Insightful
    We need to get the story out to the media that strong crypto has been available to the masses for a long time, and can never be taken away. We need it to be understood that cryptographers are trying to make the world a better place by making private transactions more convinient, but that they've always been possible.

    Here are some first thoughts, if you end up talking to the media:
    • The strongest form of cryptography was invented in the 19th century and does not require a computer (XOR against one-time-pad), though computers certainly make it faster.
    • Cryptography technology that is available for free to the general public is very sophisticated. Weakening the cryptography available to shoppers on the Internet will not prevent the best and strongest software being used by "bad guys".
    • Stunting the public's ability to encrypt will hurt everyone from dissedents in oppressive countries to Internet retail companies to international corporations.
    It's time to fight back in the war of words. Make this "Internet shopper" vs. "public ignorance". Make it "my credit card for sale". Public opinion is carried on sound bites, so let's get some!
  4. Hey, wasn't this in a science fiction short story? by Rogerborg · · Score: 4, Interesting

    Actually, I know that it was, because I wrote it for the Wipout competition, which is spookily enough another /. story of the day.

    I wrote this story in early September, pre-11th. It postulates a society where knowledge of crypto is so strongly controlled that... well, read the story.

    At the time that I wrote it, it was science fiction. It now looks like I was way too conservative, and events are already on the way towards overtaking my predictions. Hey ho.

    --
    If you were blocking sigs, you wouldn't have to read this.
  5. Good to stop those induhviduals! by Metrol · · Score: 5, Interesting

    Now only real companies, like the MANY that bin Laden's network runs, can get encryption tools.

    --
    The line must be drawn here. This far. No further.
  6. Thawte responds: by Domini · · Score: 5, Informative

    I e-mailed them and got this response from Jeanne Fourie:

    Dear Marius

    Thank you for emailing me with regard to your concern. Due to the current
    international threat of terrorism we have been advised by
    our parent company VeriSign to refrain from issuing developer certs to
    individuals, for the mean while.

    As you will be aware, there is a need right now for companies like ourselves to be
    extremely cautious in all aspects that concern
    security and encryption.

    Developer certs are issued to individuals based on verification of passports and
    drivers licenses. These documents are however easily
    forged and we have therefore had to take the executive decision of not issuing
    certs where the verification process may be
    questionable.

    We are positive that we will be able to resume this service in the near future. I
    do apologize for any inconvenience that this may have
    caused you.

    Regards

    Jeanne

    As can be seen it seems to be Verisign who requested this....

    Hmm...

  7. ok, let's try to write down some strategies by kipple · · Score: 4, Insightful
    I'm throwing in some thoughts of things that can be done on a worldwide scale or at least independently from the country you live in:

    1. letters to newspapers. this can be the first, lowest-effort thing to do. the net is full of good examples of how crypto is good, first of all the writings of Phil Zimmermann, that could be at least inspiring. here's the link and a quote:

    "You don't have to distrust the government to want to use cryptography. Your business can be wiretapped by business rivals, organized crime, or foreign governments. Several foreign governments, for example, admit to using their signals intelligence against companies from other countries to give their own corporations a competitive edge. Ironically, the United States government's restrictions on cryptography in the 1990's have weakened U.S. corporate defenses against foreign intelligence and organized crime."
    2. for those of you who have good capabilities/reputation, start spreading the word. Not only among your friends (no matter how commputer-illiterate they are, public opinion is independent from tech skills, unfortunately), but also at work.
    3. the main goal is to make the idea of 'banning crypto can make more damage to your business than give benefits to the country' reach the higher levels. letters to newspapers will perhaps lighten a few minds, but enlighten a CEO of a multinational or a big company will help things better. It may seem unreal, but if you think that anyone in the world is just seven hops away, why don't try it? Never underestimate the power of coffee-break gossiping.
    4. all the 'geeks' and technician all over the world have a great power over "regular user". When a techie or a sysadmin talks, everybody is listening. Make good use of it. Be responsible, and be clear. Make people think. 5. talk to newspaper writers, friends working for the media, whoever you think can spread the world.
    6. wait
    7. repeat
    8. listen to other ideas and possibly invite your "opponent" to post it somewhere, to publish it, basically don't treat who does not agree with you as a stupid.

    that's what I'm doing with my friends, parents, et cetera. I'm posting opinions on public forums in newspapers, and although I cannot see an immediate feedback, I'm positive about it.

    Just my .2Euros :)

    --
    -- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
  8. Re:What difference does this make in the long run? by gregor_b_dramkin · · Score: 5, Informative

    Thanks for opening up your skull and letting us peek at the cavern inside. I normally wouldn't reply to flamebait such as yours, but I'll make an exception in this case to try to stem the flow of ignorance that pours from your keyboard.

    1)
    Script kiddies do not break ciphers. They do not find exploits. They do not reverse engineer systems. If they could do any of these things, they would not fall under the derogatory category, "script kiddie".

    2)
    Pick any of the following algorithms and break it: IDEA, 3DES, RSA, DH. I guarantee you will be famous, at least within security/cryptography circles. These are algorithms that have been scrutinized for decades by professors and professionals. I don't think a 12 year old could break these, except in a movie.

    3)
    SDMI (I assume this is what you mean by SDMA), was a copyright protection system not an encryption system. Anyone who believes they can create a secure, stand-alone, software copyright protection scheme is either ignorant or a genius. Given the ratio of ignorance to genius in the world, I know how I'll bet.

    4)
    The reason so many crypto systems are broken usually falls into one of two categories
    a) The developers think they can design a system just as strong as the professionals who have devoted their lives to making and breaking ciphers.
    b) The designers were forced to use limited strength crippto due to stupid crypto laws.

    Incidentally, the DVD CSS system was broken by the combination of government-mandated 40 bit key length, and a home-made algorithm that reduced the effective keylength to around 30 bits. This makes it possible for an attack to be completed in seconds. FWIW, a 40 bit key search takes 1024 times longer than a 30 bit key search.

    --
    You can never equivocate too much.
  9. Make your own developer certs by KlomDark · · Score: 5, Informative
    It's amazingly easy. Get OpenSSL, install it...

    Make your homebrew CA private key:

    openssl genrsa -des3 -out ca.key 1024

    Create your CA self-signed public key:

    openssl req -new -x509 -days 365 -key ca.key -out ca.crt

    OK, you're set up as a homebrew Certificate Authority (CA) and ready to start signing your own home-brew certs:

    First, create a homebrew private key:

    openssl genrsa -des3 -out server.key 1024

    Create the unsigned public key (AKA certificate signing request) At one point in the process, it asks for "Your Name" - if this is for personal identification, then put in your name. However, if this is for a development web server, then put in the web site address "dev.www.wherever.com" when it asks for "Your Name"

    openssl req -new -key server.key -out server.csr

    Get the sign.sh script from the Apache mod_ssl distribution, use this to sign the certificate:

    ./sign.sh server.csr

    There you go, you now have the private (server.key) and public (server.crt) keys. Install them on your webserver.

    They will work, but your browser will whine about them being signed by an untrusted source. No problem there, give a copy of CA.crt (NOT CA.key!!) to any developers using your web server and have them install it on their machine, from then on, their browser will consider any certs signed by your homebrew CA key to be valid. To install the cert on IE browsers, a hint: you do not use your browser to do it, even though there is an "Install Cert" button on the window that pops up to let you know that the cert is signed by an unknown CA. Instead, you give them CA.crt, have them save it to their hard drive, then open up Windows Explorer, right click on CA.crt, and pick Install Cert from the menu, a Certificate Wizard will pop up, go with the defaults, then your machine will trust the homebrew certs.

    The root certificate game has always been just a money scam, especially for dev certs.

    1. Re:Make your own developer certs by Vapula · · Score: 4, Informative
      Distributing a CA cert under Netscape is very easy.

      You just have to use the little CGI that follows...

      #!/usr/bin/perl -Tw use strict; $|++; open(FP, "); close(FP); my $len = length($cert); print "Content-type: application/x-x509-ca-cert\r\n"; print "Content-length: $len\r\n"; print "\r\n"; print $cert;

      A link to that CGI with the mention "install the certificate into my Netscape" and you're done. (I don't know if it works with MSIE... I never use it !!!)