Thawte Bought by Verisign
ChrisKnight was one of the many people that wrote with the story on news.com that VeriSign has purchased Thawte Consulting. Purchase price was reportedly $575 million, although the deal must still be approved.
On overpriced-scams....
You can go ahead and create your own keys and certificates... What you're paying Verisign for is not 100% related to your keys.
First, you're paying to have a certificate that's been signed by an authority that just happens to be preinstalled in 99% of the browsers out there.
You're also paying for the "trust" factor that goes into getting a certificate. Yeah, the lowest level ones aren't much more than filling out paperwork, but (AFAIK) in order to get one of the more expensive ones, you must go through more steps to establish "who" you are.
If all you want is to establish secure connections, you don't need either of their services. If you want to be able to do so without having a little warning pop up on a user's screen, you need to enlist their services.
That all said, if the merger/acquisition goes through, close attention should be paid to their pricing... If they immediately yank the low-cost certificates, or even if it's an eventual thing, a big stink will need to be made IMMEDIATELY...
Until then, though... More power to them.
Why is this a problem? *ANYONE* can run a CA, it's a matter of how you get your CA recognized by current browser that I wonder about.
They are the only two who happen to be handing them out; many other CA's are preloaded in NS and IE.. they just aren't in the business.
You know, I felt good knowing there were 20 some other organization CAs preloaded in NS and IE....
but now that Verisign owns all but 4 or 5 of them, I wonder... this is sleazy!
Really, though.. run your OWN ca, and direct people to a page that explains how the whole process works (more than Verisign does!) to the common man, and have them simply accept the key into their browser.
Better yet, offer them client keys as well!
Heck, I don't weigh that much less than that. Neither do a bunch of my friends. Maybe we should get together and beat up on Verisign and steal its lunch-money.
These companies really have to learn that it's not that impressive if they weigh only slightly more than the average American male. Even if America is a chronically obese nation.
Maybe Microsoft would like to help them out by hooking them up with some of that combination bovine-growth hormone and human-growth hormone regimen that's keeping Gates's hair so glossy and thighs so sexy. They'll help make Verisign a man. How do I know this? Try searching Google for "make you a man". Microsoft comes up as #2. Does Judge Jackson know about this?....
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
Is...
I understand PKI. I understand x.509 certificates.
What I don't understand is why, in the first place, X.509 certificates were required to use SSL. It should not be necessary. Why are modern browsers set up so that you cannot use SSL unless you have appropriate x.509 certificates? I mean, I have no problem with the browser telling me it's unsigned, or untrusted, but I should still be able to use session encryption.
Feh.
"Most harmful of all is the message that Verisign's buy-outs have conveyed to every company with the potential to innovate in the securities industry. Through its conduct toward Netscape, Thawte, Compaq, Microsoft, and others, Verisign has demonstrated that it will use its prodigious market power and immense finances to harm any firm that insists on pursuing initiatives that could intensify competition against one of Verisign's digital-certificates products. Verisign's past success in hurting such transactions and stifling innovation deters investment in technologies and orders that exhibit the potential to undermine Verisign. The ultimate result is that some innovations that would truly benefit customers never occur for the sole reason that they do not jive with Verisign's vision."
With apologies to Brunching Shuttlecocks.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
In certain circles in industry (like financial services), Verisign was primarily looked at as a service bureau who was willing to deal with small businesses. I realize that from the perspective of the consumer and small ISP they look like the only game in town. But, this was never the case at the high end.
I think this is a good acquisition for Verisign. It solidifies their position in the small and mid-sized business marketplace. This also creates an opportunity for a competitor, although it may not be a small company that tries to enter this market.
--
Dave Aiello
There is a simple out for this though.. browsers like MS and NS simply have to recognize OTHER CA's as authoritative. This is the only thing giving them power.
(gee, is that somewhat similar to the current DNS structure that gave Verisign so much power? ie: it only works because our products all use it by default.)
Cheers,
ZicoKnows@hotmail.com
First of all, good move, Thawte. They've successfully maximized shareholder value. In other words, they've sold out at the right time. Verisign, having grabbed a lot of the big names, will probably go on to increase its market share; Thawte, having failed to, may be at the peak of its value - especially when, not if, the net stock bubble collapses.
Bad move, Verisign. First of all, the net stock bubble is called a bubble for a reason. However, when acquiring other companies, you should buy for value or make acquisitions strategically. Does Thawte own anything, other than marketshare, that Verisign doesn't already have? In most mergers and buyouts, the purchaser usually ends up losing equity when the euphoria wears off. I doubt that this will be an exception to the rule.
I can deplore Microsoft's mania in acquisitions, but more often than not they acquire intelligently - taking out possible competitors, buying into new technologies. They don't acquire just for the hell of it. Paradoxically, they have too much money to do that.
Bad move, for the global net. Thawte is a South African company, and so the purchase takes an international venture with global reach and sucks it into the gaping maw of Silicon Valley. Not that there's anything intrinsically wrong with the valley. It's just that something sticks in my craw with one location dominating an entire industry.
Bad move, for everyone. A 200-lb gorilla in any industry is bad for business. A 200-lb gorilla in the security industry is worse. The security industry is based on trust (or at least mistrust) :-), and a 200-lb gorilla, with enough marketshare, can drive the market into inferiority and incompetence quite easily. Look at the consumer operating system market if you don't believe me :-).
--
There is no premature anti-fascism. -Ernest Hemingway
Please moderate this up!
You can submit your comments on this matter to:
newcase.atr@usdoj.gov
I have sent my comments and sent this email to my friends, do the same!
I believe that one was about a 7.x. Woke me up, shook me up a bit, but caused essentially no damage. The only injuries came from an Amtrak train that got unlucky.
But even the Northridge earthquake, with an epicentre right in the middle of a heavily populated area, only killed 16-odd people. It was a smaller earthquake, but the really big ones are only expected to occur in the boonies. The effects of the 7.x in a distant area of Southern California were way less than the effects of a 6.x in a major population centre.
D
----
Hi!
Thawte provided signing support for SSLeay keys very early on. Verisign is slow to change.
On the other hand if things get complicated (if your verification documents for a certificate are not "normal") then dealing with Thawte can be a pain. Thawte has its head office in Africa. Have you ever tried to send a long fax to Africa? If you get a clean line you might get one or two pages through at a time.
Looking at the list of the 27 root certifications in IE 5, I see that 21 of them are either held by Thawte or Verisign. Now, I've been a Verisign customer for a long time, and I like the fact that I can count on their root certificate being in 99% of browsers out there, but there was always a peace of mind that came with knowing I had Thawte to go to if I was ever dissatisfied. Well, no more.
Yikes.
Anyone notice that you can't just buy a server certificate anymore from Verisign? They want to sell you a whole package deal of services and other things for 128 bit certificates.
http://www.verisign.com/server/prd/g/index.html
I also don't like the fact there is now no competition to Verisign and that they have huge requirements and are slow to respond to problems and can't track documents within their own company that you send them. If you can't do everything the Verisign way then God help you since they will drag everything out forever and lose documentation you send them.
I also see they are buying Signio E-Commerce payment service for business to business e-commerce transactions. Where will they stop? They are starting to sound like they want to be like Microsoft, only they want to control all secure and E-Commerce stuff on the internet.
Verisign also charges more or at least used to charge more for basic secure certificates. Looks like the days of just buying a certificate for your server are over. Now you have to buy a whole package of services and you probably won't be able to get wildcard certificates any more either. Which is a real problem since I shouldn't have to pay $950*x just for a few servers in my own domain for easier administration purposes to do internal stuff via a secure web page.
This just plain sucks!
Verisign is sure to jack up their prices if and when the deal goes through. There should be a market for cheap certificates sold to small sites that want to be secure without paying a Verisign tax.
There's already open-source software out there for generating certificates. The other barriers to entry are:
1. Name recognition. If you're in charge of security at a medium to big size company, your chief goal is to protect your own ass. To that end, you'll spend the extra money to buy Verisign, because nobody ever got fired for using Verisign.
2. Being in the browser. This is a big one; your CA cert has to be pre-loaded into your users' browsers. This involves paying many thousands of dollars to MS and Netscape.
The other things you need to be a CA are:
1. Legal staff and Certification Practice Statement.
2. Clerks for researching and verifying identity.
3. A killer operations and security infrastructure to protect the CA's key and prevent unauthorized signing.
CAs can and should be a commodity. The thing to watch out for is Verisign introducing proprietary technology into their certificates, or making exclusive deals with the browser manufacturers.
Entrust.net is another certificate provider on the net. They are trying to go head to head with Verisign in the web server market. (They own the enterprise in Canada, and are one of two in the US Gov't PKI architecture)
They did not want to pay the gazillions that it cost to have their CA cert embedded in the browsers, so they got THAWTE to cross cert with them.
This now means that the Entrust.net intermediate cert is OWNED and could be YANKED by Verisign. And Verisign could be the only major player.
If this does not happen, then at least we will still have more than ONE choice for server certs.
Just my $0.04 Euro.
Nice thought, but there are two central problems:
AlterNIC tried this with DNS, and all it required was the cooperation of folks who ran DNS servers all over the world (a relatively small group, actually.) Didn't work.
I definitely won't take the odds on anyone being able to convince the Internet-using public (most of which is stupid, frankly) to install new certs in their browsers. Also, forget about getting them preinstalled in the browsers -- M$ is buddy-buddy with Verisign, and without IE support, no one will use our CA.
If sites are all directing folks to download new certs (I know this will happen anyway with the root rollovers, but bear with me), we will be training folks to accept any cert that they stumble across. Since anyone can create a cert, this could open up unsuspecting users to thinking a connection is ``secure'' when there is no guarantee (even the slight guarantee given by the current CAs) that the other end is who they say they are.
I would say, at best, that if this goes through, SSL should be considered proprietary and dead, and should be shunned by those of us who think computing should be open. It's quite a shame.
From the Verisign press release:
It sounds like they want to own the standards and establish a monopoly of closed source rules.
And it will be a monopoly:
Any chance that the mergers and monopolies commission (or whatever it is called in SA) will block this? Please!? Not another MSFT.
Hi!
I've always thought that Thawte did a better job than Verisign. They are cheaper too, I believe..(though it's been a while)..
They do NOTHING for you! They don't even make your site more secure...
They are snake-oil salesmen, at best.
Watch as Bruce Schneier gives these jerks a firm talking-to: here
-- The Funk, The Whole Funk, And Nothing But The Funk
These two companies are THE companies for digital certificates. If you ever needed to set up a secure web server or get a third party certificate these two were the people to see. Personally I prefer Thawte because they were reasonably priced but now I have no choice. answer your questions?!
--codemonky
--http://www.stetson.edu/~paland
--"Karma is justice without the satisfaction"
Consider the following:
This is bad news for consumers.
I got a Thawte certificate because their website promised that if laws ever changed in the country their database was in such that they had to divulge its contents, they were prepared to move their database within hours. I also got it because of their support for PGP public key signing.
Now, they're being bought out by Verisign who I have no such trust in, and who isn't, IMHO, a good member of the community. I'm not at all happy about this.
I think I'm going to ask that my Thawte certificate be revoked, and all my data wiped from their databases. I do NOT trust Verisign at all. They seem more like opportunists out to make a buck than people who really understand the paranoid world of security.
Need a Python, C++, Unix, Linux develop
If these were both American companies, I would think that this would run into anti-trust trouble, especially in the current regulatory climate. However, given that this is an international deal, does anybody know how regulation works?