Slashdot Mirror


Thawte Will End "Web of Trust" On November 16

An anonymous reader writes "Thawte is ending their Web of Trust, including their free Personal Email Certificates, in less than 2 weeks' time. This hasn't been picked up by the media yet. Seems to me a lot of people, including myself, are hurt by this." Thawte is offering a 1-year free VeriSign cert to those holding valid Personal Email Certificates; after that you pay.

37 of 127 comments

  1. I knew it! by Rantastic · · Score: 4, Funny

    I knew I should not have trusted them and their web!

    --
    Ask Slashdot: Where bad ideas meet poor googling skills.
  2. Sad but understandable by chamilto0516 · · Score: 5, Insightful

    This saddens me but I understand it. Adoption of PKI for email in this multi-standard, multi-client fashion was just too difficult for the average email user. Yes, I usually have one or two accounts for secure messaging and I do use Thawte (I am a Notary) but it just doesn't work for most unless there is someone to walk them through. As much as I am aggravated by Lotus Notes, their self-contained system (part of my aggravation) was able to pull this off 10 years ago and is still really the only app that I have seen do PKI well. Unfortunately it doesn't do a lot of other things very well.

    --
    Magic Eight Ball: Outlook not so good., Hmmm, how about Excel and Word?
    1. Re:Sad but understandable by Joiseybill · · Score: 4, Interesting

      Notary here too.
      I didn't see any notification yet, so I'm not sure if this is true.

      If it is, then I won't need to worry about those pesky " check ID" and "keep paperwork on file for 5 years" rules.
      I wonder if I can get my notary fees back.. I paid them since I couldn't find any other Notaries in my area.

      If this really is true, I might not be opposed to giving away 30 points to anyone that seems reasonable enough. If we get another few notaries on board, maybe we can register a couple thousand slashdotters in the next few weeks - so at least they all get free VeriSign email certs.

      PS - in addition to Lotus Notes, I've done a fair job with Novell GroupWise and individual Eudora and T-Bird clients as far as certificate management for the masses. At one point, (obviously a while back with Eudora) I had nearly three dozen non-IT folks using this appropriately to sign and verify their inter-office email. That 'trial' lasted about two weeks, and many still ask me to renew their certificates annually.

    2. Re:Sad but understandable by tobiasly · · Score: 2, Insightful

      Yes it sucks but I agree, none of us should really be surprised. Ever since Verisign bought Thawte I've been waiting for this to happen. I've been a notary in a fairly large metro area for years and can't remember the last time I was asked to notarize someone.

      Yeah, the concept itself was a bit difficult for a lot of people to grasp but their website also really sucked. It hadn't been updated in years and you had to navigate through that ridiculous hierarchical system instead of being able to just "find notaries within 25 miles of me".

      But really, email certs serve two purposes: sender verification and/or encryption (I guess proving an email wasn't tampered with could count as a third but it's really part of encryption). The first function is increasingly already being performed at the server level using SenderID/DomainKeys, and there are plenty of ways to accomplish the second if two parties so choose.

      It's one of those things that probably would have been a great idea if it were baked into the email standard since inception, but was just too unwieldy to bolt-on later.

    3. Re:Sad but understandable by storem · · Score: 3, Informative

      I'm a WOT Notary myself since 2002.

      <rant>To be very blunt, Thawte went downhill ever since VeriSign took over. I'm sure things would be different with Mark Shuttleworth still heading the company.</rant>

      I also did not receive any official information from Thawte yet about this. I guess they figured we read today's Internet newspapers anyway.

      Many of us Thawte WOT Notaries became CAcert ECCP Assurers during the last couple of years. While CAcert.org is a community-driven certificate authority that issues free public key certificates to the public, it still lacks inclusion of its root certificate in most popular browsers. I do however strongly think there is a need for this kind of service, as no communication is ever going to be really safe unless we all use encryption. It is way too easy to spot the important emails nowadays.

      I must also admit that fewer people are interested in the technology - and WOT notaries assert fewer people each year - mainly due to the complexity of PKI implementations in popular email packages.

      <product_placement>I hope efforts like the Comodo/DigitalPersona Privacy Manager product, which aim to make it easier for people to use PKI, will revive identity security awareness among people.</product_placement>

      More info from Thawte's Wikipedia page:

      Thawte Notaries have been submitting minimal information to the Gossamer Spider Web of Trust ("GSWoT"; a grass-roots OpenPGP PKI) for safe-keeping in hopes to increase the longevity of their earned trust points. The collaborative effort aims to bind Thawte Notary names and email addresses to their now-existing entry on Thawte's Web of Trust Notary Map. Thawte Notaries from within and without GSWoT are performing the validations. The initiative will bear no fruit if Thawte Notaries fail to find or create a WoT that will recognize their former status as a Thawte Web of Trust Notary. The Thawte Notary EOL List on GSWoT will die in one year's time - on November 16, 2010.

    4. Re:Sad but understandable by Lennie · · Score: 2, Informative

      There is also a StartCom/StartSSL WOT; their free SSL-certs root cert recently got on the Microsoft list, although the update was still optional last time I looked.

      https://blog.startcom.org/?p=205

      --
      New things are always on the horizon
  3. Providing free certificates by igny · · Score: 3, Funny

    Can some other trusted company, like Google, step in?

    --
    In theory there is no difference between theory and practice. In practice there is. - Yogi Berra
    1. Re:Providing free certificates by Wowsers · · Score: 3, Insightful

      I trust myself, but how can I trust another company?

      --
      Take Nobody's Word For It.
    2. Re:Providing free certificates by Anonymous Coward · · Score: 4, Informative

      www.cacert.org has an alternative web of trust that issues both client and server certs.

    3. Re:Providing free certificates by martijno · · Score: 3, Interesting

      How about community driven efforts such as cacert.org? Requires the receiver to import their root certificate, though.

    4. Re:Providing free certificates by Lincolnshire+Poacher · · Score: 2, Informative

      > What's the path to getting the root cert in popular browsers?

      The path is long and strewn with rocks:

      https://bugzilla.mozilla.org/show_bug.cgi?id=215243

  4. Should have stuck with PGP/GPG by argent · · Score: 4, Insightful

    Don't forget where the "web of trust" came from.

    1. Re:Should have stuck with PGP/GPG by Chrisq · · Score: 3, Interesting

      The problem is that PGP/GPG certificates are too open. If you trust a few certificates, say for software support, then trust the certificates they trust, pretty soon you end up trusting almost everyone. Even worse, GPG (and maybe PGP) by default will try and download a certificate from a public server when encountering an unknown certificate. This makes it as easy to set up a trust certificate for a "throw away" email account as to create a throw-away account in the first place.

      True, if you follow the guidelines in the GPG manual, find a trusted friend, verify the fingerprint of their email by phone, and both agree only to sign certificates where you have gone through the same process, you can set up a trusted web - but it's not as easy as having someone verify it for you.

    2. Re:Should have stuck with PGP/GPG by Anonymous Coward · · Score: 5, Informative

      Your post is an example of how people don't understand PGP, not that there are any technical limitations. Looking in my enigmail key manager, I have a whole list of keys (automatically downloaded) that are not trusted. The few that I have verified are trusted. If someone signs "almost everyone's" keys and isn't trustworthy you don't trust them. If they are trustworthy, then you just made use of the web of trust.

    3. Re:Should have stuck with PGP/GPG by buchner.johannes · · Score: 5, Informative

      You don't have to trust everyone in a Web of Trust that originated from you. It just tells you who trusts that person. What you do with that information is up to you. Also, there are several levels of trust. You don't have to sign anyone's key, just the ones you met.

      GPG is right to download the public key from a server, because that tells you nothing about how much you trust that person. If it set that person automatically to fully trusted, that'd be a different story.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
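As an added illustration of the point made in the two posts above (it is not part of either post), here is a small Python model of GnuPG's classic trust calculation: owner trust is something you assign, key validity is computed from it, and a key merely downloaded from a keyserver, or a signature from someone you marked "never", yields no validity at all. The keyring, key names and trust settings are constructed for the example; the thresholds are GnuPG's documented defaults (marginals-needed 3, completes-needed 1, max-cert-depth 5), and the propagation rules are a simplification of GnuPG's.

```python
# Owner-trust levels: how far you trust a key's *owner* to certify others.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"

# GnuPG's documented defaults for the classic trust model.
MARGINALS_NEEDED = 3
COMPLETES_NEEDED = 1
MAX_CERT_DEPTH = 5


def compute_validity(certifications, owner_trust):
    """Return {key_id: validity}, validity being "full", "marginal" or "unknown".

    certifications: {key_id: set of key_ids whose signatures appear on that key}
    owner_trust:    {key_id: owner-trust level you assigned; missing means UNKNOWN}

    Simplified GnuPG rules: a key becomes fully valid when it carries
    certifications from COMPLETES_NEEDED fully valid keys with FULL (or
    ULTIMATE) owner trust, or from MARGINALS_NEEDED fully valid keys with
    MARGINAL owner trust, within MAX_CERT_DEPTH hops of your own key.  Some,
    but too few, marginal certifications give "marginal" validity only.
    Signatures made by keys whose owner trust is UNKNOWN or NEVER count for
    nothing, however many keys that signer has certified.
    """
    validity, depth = {}, {}
    for key, trust in owner_trust.items():
        if trust == ULTIMATE:          # your own key: valid by definition, depth 0
            validity[key] = "full"
            depth[key] = 0

    for _ in range(MAX_CERT_DEPTH):
        changed = False
        for key, signers in certifications.items():
            if validity.get(key) == "full":
                continue
            completes, marginals, hops = 0, 0, 0
            for s in signers:
                # Only a fully valid signer counts, and only if you trust its owner.
                if validity.get(s) != "full" or depth[s] >= MAX_CERT_DEPTH:
                    continue
                trust = owner_trust.get(s, UNKNOWN)
                if trust in (FULL, ULTIMATE):
                    completes += 1
                elif trust == MARGINAL:
                    marginals += 1
                else:
                    continue
                hops = max(hops, depth[s] + 1)
            if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                new = "full"
            elif marginals > 0:
                new = "marginal"
            else:
                new = "unknown"
            if new != validity.get(key, "unknown"):
                validity[key], depth[key] = new, hops
                changed = True
        if not changed:
            break

    for key in certifications:        # e.g. keys auto-fetched from a keyserver
        validity.setdefault(key, "unknown")
    return validity


# Constructed sample keyring; the names stand in for key ids.
SAMPLE_CERTS = {
    "me": set(),
    "alice": {"me"},                       # met in person, key signed by you
    "bob": {"me"},
    "carol": {"me"},
    "spammer": {"me"},                     # identity verified, but judgement not trusted
    "dave": {"alice", "bob", "carol"},     # three marginally trusted friends vouch
    "erin": {"alice"},                     # one marginal voucher is not enough
    "frank": {"spammer", "alice", "bob"},  # spammer's signature is ignored
    "mallory": {"spammer"},                # only vouched for by the spammer
}
SAMPLE_TRUST = {"me": ULTIMATE, "alice": MARGINAL, "bob": MARGINAL,
                "carol": MARGINAL, "spammer": NEVER}


def demo():
    return compute_validity(SAMPLE_CERTS, SAMPLE_TRUST)


if __name__ == "__main__":
    for key, v in sorted(demo().items()):
        print(f"{key:8} {v}")
```

Running it shows "spammer" as a fully valid key (you did verify who he is) whose signatures nevertheless carry no weight, so "mallory" stays unknown; "dave" becomes valid through three marginal vouchers while "erin" and "frank", with fewer, stay marginal.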
  5. It's Just That by Anonymous Coward · · Score: 2, Funny

    Thawte had been hurt so many times and it's going to take a long time before Thawte can learn to trust again.

    1. Re:It's Just That by GaryOlson · · Score: 2, Funny

      This is a technical discussion; find a non-technical support group therapy session to work thru your personal issues.

      --
      Every mans' island needs an ocean; choose your ocean carefully.
  6. You didn't expect this? Really want to help? by Uzik2 · · Score: 5, Insightful

    What were you thinking?
    If you really want to do something worthwhile, campaign the browser makers to change their browsers. The whole "encryption = authentication" idea is stupid and wrong. The scary warnings when someone wants to encrypt the traffic between you and their website using their own certificate are commercialism at its worst.

    --
    -- Programming with boost is like building a house with lego. It's cool but I wouldn't want to live in it
    1. Re:You didn't expect this? Really want to help? by ArsenneLupin · · Score: 3, Interesting

      > The whole "encryption = authentication" idea is stupid and wrong.

      Well in many cases, encryption is used to transmit authentication tokens of some kind (passwords, credit card numbers...). And certificates are needed to make sure nobody plays man in the middle...

      > The scary warnings when someone wants to encrypt the traffic between you and their website using their own certificate are commercialism at its worst.

      Indeed. Warnings are needlessly scary, because non-certified SSL is still more secure than no SSL at all (non-certified SSL at least protects against passive listeners).

      So, in all logic, the warnings should be even more scary for the plain unencrypted http case.

      Indeed, nowadays the smart men-in-the-middle just redirect the hijacked connection to an http page, and don't bother with https, because most users won't notice the missing s in the address bar anyway...

    2. Re:You didn't expect this? Really want to help? by zwei2stein · · Score: 3, Insightful

      Encryption without authentication is stupid and wrong too.

      The scary warnings are there to make sure that you are not lulled into false safety, because man-in-the-middle attacks can work just fine with encryption as long as you trust their certificate.

      Talking securely to someone is implied by the fact that you really know who you are talking to.

      --
      -- Technology for the sake of technology is as pathetic as eschewing technology because it's technology.
    3. Re:You didn't expect this? Really want to help? by nedlohs · · Score: 4, Insightful

      No he means what he says, encryption.

      If I'm buying stuff then yes some authentication/certification that I'm actually giving my credit card details to the company I think I am is a good thing.

      If I am entering my password for a shitty forum web site, then having the session encrypted is nice to have. I don't really care about man-in-the-middle attacks since the alternative is no encryption at all.

      Sometimes partial coverage is good enough. But web browsers make it appear that an encrypted connection without authentication is worse than an unencrypted connection without authentication by throwing up scary warnings about evil hackers.

    4. Re:You didn't expect this? Really want to help? by ArsenneLupin · · Score: 2, Interesting

      > Missing s? I don't know about yours, but Firefox shows a green bar before the URL with the name of the entity,

      Mine shows a very short blue bar.

      > all browsers show a "lock" symbol

      Yes, a small lock icon in the lower right corner.

      > most people I know expect them in banks and other important websites.

      So geeks (and their friends...) know about these. But most others don't, and wouldn't notice without anybody drawing attention to it.

      Compare this now with the very noisy warnings that you get when trying to access a site with a bad certificate. Any man-in-the-middle worth his salt is going to opt for the missing lock icon rather than the very obnoxious "add exception" page of Firefox.

    5. Re:You didn't expect this? Really want to help? by ArsenneLupin · · Score: 4, Informative

      Oh, and some sites (such as facebook or hotmail) only use https for the form submission, but not for the template. Theoretically this is secure (because it's the submission of login data that you want to protect, not the mask that is displayed on screen), but in practice it means that none of the usual tell-tale signs (green/blue bar, https, lock icon) will be present.

      The only way to see whether the form is secure or not is then to view source and check whether the form action has https or not. I don't really believe that grandma is going to bother...
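The "view source and check the form action" check from the post above, as an added Python example that is not part of the post: it parses a page, resolves each form's action against the page URL, and reports every form that carries a password field. It also flags the case the post calls theoretically secure, an https action inside an http page, because anyone who can tamper with the http page can rewrite the action too. The sample page and hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormCollector(HTMLParser):
    """Collect each <form>'s resolved action URL and whether it has a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            action = attrs.get("action") or ""   # empty action posts back to the page itself
            self._current = {"action": urljoin(self.page_url, action),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return [(action_url, verdict)] for every form carrying a password field.

    OK        - page and action both https
    MIXED     - https action inside a page loaded over http: no lock icon, and
                anyone who can alter the http page can also rewrite the action
    CLEARTEXT - action is not https: the password travels unencrypted
    """
    collector = FormCollector(page_url)
    collector.feed(html)
    page_https = urlparse(page_url).scheme == "https"
    verdicts = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        action_https = urlparse(form["action"]).scheme == "https"
        if not action_https:
            verdict = "CLEARTEXT"
        elif not page_https:
            verdict = "MIXED"
        else:
            verdict = "OK"
        verdicts.append((form["action"], verdict))
    return verdicts


# Constructed sample page (hostnames are placeholders, not real sites).
SAMPLE_HTML = """
<html><body>
<form action="https://login.example.test/auth" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form action="/search"><input name="q"></form>
<form action="http://www.example.test/login" method="post">
  <input type="password" name="pw">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url in ("http://www.example.test/", "https://www.example.test/"):
        print(url, audit_login_forms(url, SAMPLE_HTML))
```

The search form is skipped because it carries no password; the same HTML served over https turns the first verdict into OK while the cleartext form stays flagged.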

  7. Disappointing. However, this is still the year by Anonymous Coward · · Score: 2, Funny

    of personal digital certificates on the Linux desktop, over IPv6.

  8. WoT by smoker2 · · Score: 4, Interesting

    I was a member of the WoT back in '99. It took several weeks (nearly a month) to find accessible notaries, and their method of meeting was suspect to say the least. For one I had to travel 30 miles to another town and meet in a supermarket car park. After I got my cert. no-one I sent signed messages to knew how to handle it - encryption was pointless. I let it lapse after about a year, and haven't bothered since.

    Unfortunately, unless the govt. mandates personal electronic signatures, it ain't going to happen. And no-one will want to use it under govt. mandate anyway. This stuff is geek only territory.

    1. Re:WoT by macterra · · Score: 2, Interesting

      > Unfortunately, unless the govt. mandates personal electronic signatures, it ain't going to happen. And no-one will want to use it under govt. mandate anyway. This stuff is geek only territory.

      I respectfully disagree. Google could easily add PK security to gmail, initially as a new feature that works only with other google accounts, and this would increase pressure for other email providers to adopt the standard.

    2. Re:WoT by Domini · · Score: 2, Insightful

      I disagree. Google cannot do this unless they change the way gmail works. I will not let them touch my private key lest I end up not trusting my own private key. You can say they can then kinda leave it on your PC and access it with client side JS, but then you sit again with the problem that it becomes hard to manage and understand by the masses.

  9. How unexpected... by Admiralbumblebee · · Score: 5, Funny

    I never thawte this would happen.

    1. Re:How unexpected... by angrytuna · · Score: 2, Funny

      mod parent up +1 inthawteful, plz.

      --
      It is a solemn thought: dead, the noblest man's meat is inferior to pork.

  10. Will the freeware Java developers be affected? by Ilgaz · · Score: 2, Interesting

    I have seen many signed open-source/freeware Java applications coming with that Thawte free mail certificate. I hope they won't be affected by it, and if brain-dead Sun offers some kind of special treatment to those, it won't be of any matter.

    Of course, it is Sun we talk about and even Oracle still couldn't change anything.

    90% of the reason the Thawte brand was known among professional users was the "Thawte free certificate", which was supported perfectly by mail clients. Thawte has no clue what kind of harm they did to brand value/recognition to save a couple of CPU cycles and a couple of gigabytes.

    People thinking GNU PG or free PGP will be implemented by those: No, they will simply move to another way of pkcs signing their mails or buy commercial PGP.

  11. Java WebStart, J2ME, Java applets by Gollum · · Score: 3, Insightful

    One thing that a lot of people are ignoring is that Thawte FreeMail certs are used by a lot of small developers to publish Java apps, and this would kill off that ability quite quickly.

    That said, I have not seen a word of this on the Thawte web site, which makes me wonder if the submitter is trying to perform a DoS on Thawte for some reason, and is tricking the slashdotters into being that DoS. The page linked takes an enormous amount of time to decide that there is nothing to return, meanwhile slashdotters are beating on the server over and over. Sorry for the OP, though. The rest of their site still seems to be just fine.

  12. Facebook Friends by muckracer · · Score: 5, Interesting

    Since people are quite adamant about adding each other as 'friends' on social networking sites like Facebook etc., why can't something like the Web-of-Trust be riding along somehow? Or at minimum a GPG key exchange requiring no further steps? There's gotta be a way! Firefox/Thunderbird Plugin that has access to all keys of your 'friends' and uses them automatically? Something like that.

  13. Re:why hasn't the media picked this up? by muckracer · · Score: 2, Funny

    > People give up privacy and security every 10 seconds for a free hand job it seems.

    Free hand job? Want my address? :-)

  14. I'm starting with the man in the middle by tepples · · Score: 2, Interesting

    Putting up scary warnings when all that is required is an encrypted connection is silly.

    Without some sort of authentication, you don't know that a man in the middle isn't proxying and decrypting your encrypted connection. These man in the middle attacks are happening. Self-signed certs are good for verifying that the proxy hasn't been added between connections, but that doesn't help if you've got a proxy and have always had it.
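The distinction the post above draws, that pinning a self-signed certificate catches a proxy inserted later but not one that was there from the start, as an added Python example that is not part of the post. It implements a trust-on-first-use pin store keyed by host; the two "certificates" are constructed byte strings standing in for DER-encoded certificates, and the hostname is a placeholder.

```python
import hashlib
import json

# Constructed stand-ins for DER-encoded certificates.  With a real TLS
# connection you would pin the bytes from ssl.SSLSocket.getpeercert(binary_form=True).
SERVER_CERT = b"constructed-cert: CN=mail.example.test serial=1"
PROXY_CERT = b"constructed-cert: CN=mail.example.test serial=9 issuer=interposer"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate, colon-separated upper-case hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """Trust-on-first-use store: host -> fingerprint seen on the first connection."""

    def __init__(self, pins=None):
        self.pins = dict(pins or {})

    def check(self, host: str, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        known = self.pins.get(host)
        if known is None:
            # Nothing to compare against: remember it.  This proves nothing about
            # who is on the other end right now; it only lets later changes show.
            self.pins[host] = fp
            return "first-use"
        if known == fp:
            return "match"
        # Changed since first use: a newly inserted interposer, or a legitimate
        # certificate rotation.  Either way the user has to decide, not the code.
        return "mismatch"

    def dumps(self) -> str:
        return json.dumps(self.pins, sort_keys=True)

    @classmethod
    def loads(cls, text: str) -> "PinStore":
        return cls(json.loads(text))


def scenario_proxy_added_later():
    """Proxy appears after the genuine certificate was pinned: detected."""
    store = PinStore()
    return [store.check("mail.example.test", SERVER_CERT),
            store.check("mail.example.test", SERVER_CERT),
            store.check("mail.example.test", PROXY_CERT)]


def scenario_proxy_from_the_start():
    """Proxy was already there on first use: its certificate got pinned, so
    every later connection through it looks fine.  Only a trusted third party
    (a CA, or a fingerprint obtained out of band) closes this gap."""
    store = PinStore()
    return [store.check("mail.example.test", PROXY_CERT),
            store.check("mail.example.test", PROXY_CERT)]


if __name__ == "__main__":
    print("proxy added later:    ", scenario_proxy_added_later())
    print("proxy from the start: ", scenario_proxy_from_the_start())
```

The store round-trips through JSON so pins survive across sessions; without persistence every connection would be a "first use" and the check would never fire.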

  15. So they're charging for it... by vanyel · · Score: 2, Insightful

    $20/yr is not an onerous fee, big deal. I'm surprised it's gone free this long. If you really can't stand to pay for the service you're using, go to cacert.org.

  16. re: "after that you pay" by macraig · · Score: 2

    "Thawte is offering a 1-year free VeriSign cert to those holding valid Personal Email Certificates; after that you pay."

    Does this strategy sound familiar? It should... it's the same business strategy practiced by drug pushers: get 'em dependent and addicted, and then start demanding money. Make 'em an offer they can't refuse.

    So is Thawte run by former drug pushers?

    (Yes, I know the same question could be asked of Comcast and thousands of other companies. I'm singling Thawte out because of that word "trust" being involved here.)

  17. *NOT* Related to "Web of Trust" Web Safety Add-on by the+JoshMeister · · Score: 2, Informative

    Although I'm familiar with Thawte, I hadn't heard of its "Web of Trust" prior to this article. However, there's a popular browser add-on with the same name, so I thought I should point that out to avoid any confusion, especially since both products are related to Internet security in some way.

    Web of Trust is also the name of a Firefox and Internet Explorer plug-in from a company called WOT Services Ltd. (until recently known as Against Intuition Inc.). It helps protect users from harmful Web sites and puts safety rating badges in search results on Google, Bing, Yahoo!, and other search engines, similar to McAfee SiteAdvisor and Symantec's Norton Safe Web (although in my experience, WOT is much more effective). This completely unrelated Web of Trust is not being killed off.

    I hope that clears up any potential confusion.