
Thawte Will End "Web of Trust" On November 16

An anonymous reader writes "Thawte is ending their Web of Trust, including their free Personal Email Certificates, in less than 2 weeks' time. This hasn't been picked up by the media yet. Seems to me a lot of people, including myself, are hurt by this." Thawte is offering a 1-year free VeriSign cert to those holding valid Personal Email Certificates; after that you pay.

  • by Joiseybill ( 788712 ) on Tuesday October 06, 2009 @08:41AM (#29655565)

    Notary here too.
    I didn't see any notification yet, so I'm not sure if this is true.

    If it is, then I won't need to worry about those pesky " check ID" and "keep paperwork on file for 5 years" rules.
    I wonder if I can get my notary fees back.. I paid them since I couldn't find any other Notaries in my area.

    If this really is true, I might not be opposed to giving away 30 points to anyone that seems reasonable enough. If we get another few notaries on board, maybe we can register a couple thousand slashdotters in the next few weeks - so at least they all get free VeriSign email certs.

    PS - in addition to Lotus Notes, I've done a fair job with Novell GroupWise and individual Eudora and T-Bird clients as far as certificate management for the masses. At one point, (obviously a while back with Eudora) I had nearly three dozen non-IT folks using this appropriately to sign and verify their inter-office email. That 'trial' lasted about two weeks, and many still ask me to renew their certificates annually.

  • by Chrisq ( 894406 ) on Tuesday October 06, 2009 @08:42AM (#29655577)

    The problem is that PGP/GPG certificates are too open. If you trust a few certificates, say for software support, then trust the certificates they trust, pretty soon you end up trusting almost everyone. Even worse, GPG (and maybe PGP) by default will try and download a certificate from a public server when encountering an unknown certificate. This makes it as easy to set up a trust certificate for a "throw away" email account as to create a throw-away account in the first place.

    True, if you follow the guidelines in the GPG manual, find a trusted friend, verify the fingerprint of their email by phone, and both agree only to sign certificates where you have gone through the same process, you can set up a trusted web - but it's not as easy as having someone verify it for you.
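    The trust blow-up described in the comment above can be reproduced with GnuPG's classic validity rules. The model below is an added illustration, not code from the poster or from GnuPG; the keyring, the key names and the two owner-trust policies are constructed for the example.

```python
# Simplified model of GnuPG's classic web-of-trust validity calculation,
# using its defaults: --completes-needed 1, --marginals-needed 3,
# --max-cert-depth 5. The keyring below is constructed for illustration.
def valid_keys(signatures, trust_of, own_key,
               completes_needed=1, marginals_needed=3, max_depth=5):
    """signatures: {signer: {signed_key, ...}}; trust_of: key -> owner trust
    ("full", "marginal" or "none"); returns {valid_key: depth}."""
    sigs_on = {}
    for signer, signed in signatures.items():
        for key in signed:
            sigs_on.setdefault(key, set()).add(signer)
    valid = {own_key: 0}                     # your own key: ultimate trust
    for depth in range(1, max_depth + 1):
        newly = {}
        for key, signers in sigs_on.items():
            if key in valid:
                continue
            full = marginal = 0
            for s in signers:
                if s not in valid:           # only valid keys can introduce
                    continue
                level = "full" if s == own_key else trust_of(s)
                full += level == "full"
                marginal += level == "marginal"
            if full >= completes_needed or marginal >= marginals_needed:
                newly[key] = depth
        if not newly:
            break
        valid.update(newly)
    return valid

# Constructed keyring: alice is the user, bob/carol/dave her verified
# friends, "support" a vendor key, x1..x3 keys only "support" has signed.
SIGNATURES = {
    "alice": {"bob", "carol", "dave"},
    "bob": {"erin", "frank", "support"},
    "carol": {"erin", "frank"},
    "dave": {"erin", "grace"},
    "erin": {"heidi"},
    "support": {"x1", "x2", "x3"},
}

def naive_policy():
    # "Trust the certificates they trust": full owner trust on every key.
    return valid_keys(SIGNATURES, lambda k: "full", "alice")

def careful_policy():
    # GPG manual's advice: marginal trust only for fingerprints you verified.
    verified = {"bob", "carol", "dave"}
    return valid_keys(SIGNATURES, lambda k: "marginal" if k in verified else "none", "alice")
```

    With the naive policy every key in the keyring becomes valid within three hops; with marginal trust restricted to the three verified friends, only erin (signed by all three) is added.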

  • by ArsenneLupin ( 766289 ) on Tuesday October 06, 2009 @08:44AM (#29655581)

    The whole "encryption = authentication" idea is stupid and wrong.

    Well in many cases, encryption is used to transmit authentication tokens of some kinds (passwords, credit card numbers...). And certificates are needed to make sure nobody plays man in the middle...

    The scary warnings when someone wants to encrypt the traffic between you and their website using their own certificate is commercialism at its worst.

    Indeed. Warnings are needlessly scary, because non-certified SSL is still more secure than no SSL at all (non-certified SSL at least protects against passive listeners).

    So, in all logic the warnings should even be more scary for the plain unencrypted http case.

    Indeed, nowadays, the smart men-in-the-middle just redirect the hijacked connection to an http page, and don't bother with https, because most users won't notice the missing s in the address bar anyway...

  • WoT (Score:5, Interesting)

    by smoker2 ( 750216 ) on Tuesday October 06, 2009 @08:50AM (#29655631) Homepage Journal
    I was a member of the WoT back in '99. It took several weeks (nearly a month) to find accessible notaries, and their method of meeting was suspect to say the least. For one I had to travel 30 miles to another town and meet in a supermarket car park. After I got my cert, no-one I sent signed messages to knew how to handle it - encryption was pointless. I let it lapse after about a year, and haven't bothered since.

    Unfortunately, unless the govt. mandates personal electronic signatures, it ain't going to happen. And no-one will want to use it under govt. mandate anyway. This stuff is geek only territory.
  • by martijno ( 533960 ) on Tuesday October 06, 2009 @08:57AM (#29655683)
    How about community driven efforts such as cacert.org [cacert.org]? Requires the receiver to import their root certificate, though.
  • by Ilgaz ( 86384 ) on Tuesday October 06, 2009 @09:02AM (#29655739) Homepage

    I have seen many Java signed opensource/freeware coming with that Thawte free mail certificate. I hope they won't be affected by it, and if brain dead Sun offers some kind of special treatment to those, it won't be any matter.

    Of course, it is Sun we talk about and even Oracle couldn't still change anything.

    90% of the reason the Thawte brand was known among professional users was the "Thawte free certificate", which was supported perfectly by mail clients. Thawte has no clue what kind of harm they did to brand value/recognition to save a couple of CPU cycles and a couple of gigabytes.

    People thinking GNU PG or free PGP will be implemented by those: No, they will simply move to another way of pkcs signing their mails or buy commercial PGP.

  • by ArsenneLupin ( 766289 ) on Tuesday October 06, 2009 @09:12AM (#29655811)

    Missing s? I don't know about yours, but Firefox shows a green bar before the URL with the name of the entity,

    Mine shows a very short blue bar.

    all browsers show a "lock" symbol

    Yes, a small lock icon in the lower right corner.

    most people I know expect them in banks and other important websites.

    So geeks (and their friends...) know about these. But most others don't, and wouldn't notice without anybody drawing attention to it.

    Compare this now with the very noisy warnings that you get when trying to access a site with a bad certificate. Any man-in-the-middle worth his salt is going to opt for the missing lock icon rather than the very obnoxious "add exception" page of Firefox.

  • Facebook Friends (Score:5, Interesting)

    by muckracer ( 1204794 ) on Tuesday October 06, 2009 @09:47AM (#29656253)

    Since people are quite adamant about adding each other as 'friends' on social networking sites like Facebook etc., why can't something like the Web-of-Trust be riding along somehow? Or at minimum a GPG key exchange requiring no further steps? There's gotta be a way! Firefox/Thunderbird Plugin that has access to all keys of your 'friends' and uses them automatically? Something like that.

  • Re:WoT (Score:2, Interesting)

    by macterra ( 75505 ) on Tuesday October 06, 2009 @10:32AM (#29656821)

    Unfortunately, unless the govt. mandates personal electronic signatures, it ain't going to happen. And no-one will want to use it under govt. mandate anyway. This stuff is geek only territory.

    I respectfully disagree. Google could easily add PK security to gmail, initially as a new feature that works only with other google accounts, and this would increase pressure for other email providers to adopt the standard.

  • by tepples ( 727027 ) <tepples.gmail@com> on Tuesday October 06, 2009 @10:42AM (#29656983) Homepage Journal

    Putting up scary warnings when all that is required is an encrypted connection is silly.

    Without some sort of authentication, you don't know that a man in the middle isn't proxying and decrypting your encrypted connection. These man in the middle attacks are happening [mozilla.org]. Self-signed certs are good for verifying that the proxy hasn't been added between connections, but that doesn't help if you've got a proxy and have always had it.

  • by Anonymous Coward on Tuesday October 06, 2009 @11:07AM (#29657381)

    What does that say about their business model if 90% of their professional users didn't pay them anything? And I bet Thawte know exactly what they're doing with regards to their brand value/recognition. Tell me, where else are people likely to go for certs if not to Thawte? VeriSign? Geotrust?

    As a VRSN stockholder, I'm loving it.
