Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Encryption Security News

Thawte Will End "Web of Trust" On November 16 127

An anonymous reader writes "Thawte is ending their Web of Trust, including their free Personal Email Certificates, in less than 2 weeks' time. This hasn't been picked up by the media yet. Seems to me a lot of people, including myself, are hurt by this." Thawte is offering a 1-year free VeriSign cert to those holding valid Personal Email Certificates; after that you pay.
This discussion has been archived. No new comments can be posted.

Thawte Will End "Web of Trust" On November 16

Comments Filter:
  • I knew it! (Score:5, Funny)

    by Rantastic ( 583764 ) on Tuesday October 06, 2009 @07:14AM (#29655411) Journal
    I knew I should not have trusted them and their web!
  • by chamilto0516 ( 675640 ) <conrad DOT hamilton AT gmail DOT com> on Tuesday October 06, 2009 @07:16AM (#29655429) Homepage Journal
    This saddens me but I understand it. Adoption of PKI for email in this multi-standard, multi-client fashion was just too difficult for the average email user. Yes, I usually have one or two accounts for secure messaging and I do use Thawte (I am a Notary) but it just doesn't work for most unless there is someone to walk them through. As much as I am aggravated by Lotus Notes, they self contained system (part of my aggravation) was able to pull this off 10 years ago and is still really the only app that I have seen do PKI well. Unfortunately it doesn't do a lot of other things very well.
    • by Joiseybill ( 788712 ) on Tuesday October 06, 2009 @07:41AM (#29655565)

      Notary here too.
      I didn't see any notification yet, so I'm not sure if this is true.

      If it is, then I won't need to worry about those pesky " check ID" and "keep paperwork on file for 5 years" rules.
      I wonder if I can get my notary fees back.. I paid them since I couldn't find any other Notaries in my area.

      If this really is true, I might not be opposed to giving away 30 points to anyone that seems reasonable enough. If we get another few notaries on board, maybe we can register a couple thousand slashdotters in the next few weeks - so at least they all get free VeriSign email certs.

      PS - in addition to Lotus Notes, I've done a fair job with Novell GroupWise and individual Eudora and T-Bird clients as far as certificate management for the masses. At one point, (obviously a while back with Eudora) I had nearly three dozen non-IT folks using this appropriately to sign and verify their inter-office email. That 'trial' lasted about two weeks, and many still ask me to renew their certificates annually.

      • If this really is true, I might not be opposed to giving away 30 points to anyone that seems reasonable enough. If we get another few notaries on board, maybe we can register a couple thousand slashdotters in the next few weeks - so at least they all get free VeriSign email certs.

        I've been meaning to get my identity validated for the web of trust for years, and never quite gotten around to it. I'm interested if you want to drop me an e-mail, and I think I can prove my identity adequately on-line, through my long history on /., USENET, blog posts, etc.

        • by TheLink ( 130905 )
          > > I might not be opposed to giving away 30 points to anyone that seems reasonable enough
          > I'm interested if you want to drop me an e-mail, and I think I can prove my identity adequately on-line, through my long history

          I suspect there's a funny Nigerian spammer spoof for this (with the "all caps" and other fun stuff).

          But I'm too lazy at the moment to try. Anyone willing to give it a go?
      • by storem ( 117912 ) on Tuesday October 06, 2009 @10:01AM (#29657285) Homepage
        I'm a WOT Notary myself since 2002.

        <rant>To be very blunt, Thawte went downhill ever since VeriSign took over. I'm sure things would be different with Mark Shuttleworth still heading the company.</rant>

        I also did not receive any official information from Thawte yet about this. I guess they figured we read today's Internet newspapers anyway.

        Many of us Thawte WOT Notaries became CAcert ECCP Assurers during the last couple of years. While CAcert.org is a community-driven certificate authority that issues free public key certificates to the public, it still lacks inclusion of its root certificate in most popular browsers. I do however strongly think there is a need for this kind of service, as no communication is ever going to be really safe unless we all use encryption. It is way to easy to spot the important emails nowadays.

        I'm must also admit that less people are interested by the technology - and WOT notaries assert less people each year - mainly due to the complexity of PKI implementations in popular email packages.

        <product_placement>I hope efforts like the Comodo/DigitalPersona Privacy Manager product to make it easier for people to use PKI, revive the identity security awareness with people.</product_placement>

        More info from Thawte's Wikipedia page:

        Thawte Notaries have been submitting minimal information to the Gossamer Spider Web of Trust ("GSWoT"; a grass-roots OpenPGP PKI) for safe-keeping in hopes to increase the longevity of their earned trust points. The collaborative effort aims to bind Thawte Notary names and email addresses to their now-existing entry on Thawte's Web of Trust Notary Map. Thawte Notaries from within and without GSWoT are performing the validations. The initiative will bear no fruit if Thawte Notaries fail to find or create a WoT that will recognize their former status as a Thawte Web of Trust Notary. The Thawte Notary EOL List on GSWoT will die in one year's time - on November 16, 2010.
        • Re: (Score:3, Informative)

          by Lennie ( 16154 )
          Their is also a StartCom/StartSSL WOT, their free SSL-certs root cert recently got on the Microsoft list, although the update was still optional last time I looked.

          https://blog.startcom.org/?p=205
          • by dgatwood ( 11270 )

            I've been using them for my personal site for several months. Once you figure out how to get it set up correctly, it works just fine with Safari and FireFox. And, of course, the number of MSIE users on my personal site is so close to zero that it amounts to a rounding error. :-D

        • by Korin43 ( 881732 )
          What I don't understand is why you would use a certificate instead of PGP keys for email. Isn't it the same web of trust deal (except anyone can sign your key, and you can trust who you want to).
    • Re: (Score:3, Insightful)

      by tobiasly ( 524456 )
      Yes it sucks but I agree, none of us should really be surprised. Ever since Verisign bought Thawte I've been waiting for this to happen. I've been a notary in a fairly large metro area for years and can't remember the last time I was asked to notarize someone.

      Yeah, the concept itself was a bit difficult for a lot of people to grasp but their website also really sucked. It hadn't been updated in years and you had to navigate through that ridiculous hierarchical system instead of being able to just "find nota
  • by igny ( 716218 ) on Tuesday October 06, 2009 @07:21AM (#29655449) Homepage Journal
    Can some other trusted company, like Google, step in?
  • I did not get any email from Thawte about this issue. How do I get my token then?

  • Don't forget where the "web of trust" came from.

    • by Chrisq ( 894406 ) on Tuesday October 06, 2009 @07:42AM (#29655577)

      The problem is that PGP/GPG certificates are too open. If you trust a few certificates, say for software support, then trust the certificates they trust pretty soon you end up trusting almost everyone. Even worse GPG (and maybe PGP) by default will try and download a certificate from a public server when encountering an unknown certificate. This makes it as easy to set up a trust certificate for a "throw away" email account as to create a throw-away account in the first place.

      True if you follow the guidelines in the GPG manual, find a trusted friend, verify the fingerprint of their email by phone, both agree only to sign certificates where you have gone through the same process, you can set up a trusted web - but its not as easy as having someone verify it for you.

      • by Anonymous Coward on Tuesday October 06, 2009 @08:03AM (#29655741)

        You're post is an example of how people don't understand PGP, not that there are any technical limitations. Looking in my enigmail key manager, I have a whole list of keys (automatically downloaded) that are not trusted. The few that I have verified are trusted. If someone signs "almost everyone's" keys and isn't trustworthy you don't trust them. If they are trustworthy, then you just made use of the web of trust.

      • by slabbe ( 736852 )
        As far as I know, gpg version 1.x doesn't try to download anything by itself. Maybe it's different for version 2.x, or some secondary software depending upon gpg? Regarding public key signing, http://xkcd.com/364/ [xkcd.com]
      • by buchner.johannes ( 1139593 ) on Tuesday October 06, 2009 @08:21AM (#29655917) Homepage Journal

        You don't have to trust everyone in a Web of Trust that originated from you. It just tells you who trusts that person. What you do with that information is up to you. Also, there are several levels of trust. You don't have to sign anyones key, just the ones you met.

        GPG is right to download the public key from a server, because that tells you nothing about how much you trust that person. If it would set that person automatically to fully trusted, that'd be a different story.

      • If you think thawte and/or verisign actually do anything to verify anything (other than that the persons credit card works) you are a fool.

      • The problem that you describe would be, that stating that a human should do something, and then expecting him to always do it, is a giant fallacy. And a very stupid one to expect, if you ever saw a real human. ^^

        The rule is: If someone can do something wrong or the bad way, someone will. No exceptions.
        And that's why those guidelines just useless dreams with no relation to physical reality.

        Done right, you would have to set up a system where nothing is possible, except for the things you absolutely need, to a

      • You don't end up trusting almost everybody, you end up with a bunch of untrusted bullshit keys in your keyring. The relative small size of the web of trust is the problem, it's difficult to try to rely upon trust, you probably just rely more upon the existence of a key. even then, more people sign stuff with PGP/GPG than actually encrypt stuff, even if they ahve a key for a recipient.

        It's an authority and leadership problem. The thing the email cert dealers miss out on, in my opinion is the sale

    • by Ilgaz ( 86384 )

      Apple mail has built in PKCS7 support, I don't even care to mention pro apps like Outlook/Entoruage/Blacberry.

      Where is PGP except that expensive commercial client which tries to do too much? If people used Thawte cert, they went for "easy and built in way", can you blame them? If PGP free version with that kind of compatibility, mail plugin was still alive and kicking, you could blame people for not sticking with PGP. All we see is some open source stuff not promising any kind of stability and support over

      • by argent ( 18001 )

        Where is PGP except that expensive commercial client which tries to do too much?

        I shouldn't have to google things like this for you. [sente.ch]

        • by Ilgaz ( 86384 )

          You shouldn't google for that at all. I know GNUPG and its support for OS X Mail. Can you claim it is easily installed, used like commercial PGP? Can you trust Apple to stick with a God damn stable plugin API and don't break it in each OS update? Can you imagine Freeware/open source authors/packagers have some juicy Apple developer accounts to see what is coming?

          Growlmail plugin, a basic plugin which has nothing to do with security/privacy like PGP had to move to mach_inject method instead of mail plugin. W

      • Honestly, the best email client I have ever used respecting PKI was Thunderbird with Enigmail on Linux.

        I've tried to duplicate this success on my laptop with Vista, but enigmail sucks balls and just flat out doesn't work right.

        We really need a good, OSS cross platform email client that supports GPG.

  • by Anonymous Coward
    Thawte had been hurt so many times and it's going to take a long time before Thawte can learn to trust again.
    • Re: (Score:3, Funny)

      by GaryOlson ( 737642 )
      This is a technical discussion; find a non-technical support group therapy session to work thru your personal issues.
  • by Uzik2 ( 679490 ) on Tuesday October 06, 2009 @07:29AM (#29655489)

    What were you thinking?
    If you really want to do something worthwhile campaign the browser makers to change their browsers. The whole "encryption = authentication" idea is stupid and wrong. The scary warnings when someone wants to encrypt the traffic between you and their website using their own certificate is commercialism at it's worst.

    • by CaptnMArk ( 9003 )

      You are confused. Perhaps you mean authentication != certification?

      Certification is something that CA's should do (that's what you trust them to do). Some don't. That's why the broken idea of EV certificates came about.

      • by Aladrin ( 926209 )

        No, he meant exactly what he said. As far as he went, he's correct. Putting up scary warnings when all that is required is an encrypted connection is silly.

        But the process actually goes a step further, and you need to know what you are connected to who you think you are, which is the purpose of the scary warnings. It's very seldom that you need to just encrypt the connection without worrying about man-in-the-middle attacks.

        • Putting up scary warnings when all that is required is an encrypted connection is silly.

          Without some sort of authentication, you don't know that a man in the middle isn't proxying and decrypting your encrypted connection. These man in the middle attacks are happening [mozilla.org]. Self-signed certs are good for verifying that the proxy hasn't been added between connections, but that doesn't help if you've got a proxy and have always had it.

          • by TheLink ( 130905 )
            What if someone gets a CA in "Elbonia" to sign some certs? The browsers don't protect you against that sort of MITM attacks. Go look at how many CAs are preinstalled in your browser. Trust all of them?

            If browsers _also_ did the SSH thing where they warn you if the cert has changed from the expected I'd be happy, and the OP would be happy - on his first visit to the site, he might choose to take the risk and say "accept this", and the browser will warn him if it changes in the future.

            After all, he could choo
          • Authentication is great. But given that the alternative -- no encryption and no authentication -- allows passive sniffing, MitM, and a whole slew of other attacks, but does *not* include a warning makes it seem awfully silly to warn extensively about a connection that is *only* vulnerable to MitM attacks.

            I agree that authenticated connections should be treated differently than unauthenticated connections. But I don't see why an increase in security to unauthenticated encryption is treated worse than totally

      • by nedlohs ( 1335013 ) on Tuesday October 06, 2009 @07:54AM (#29655655)

        No he means what he says, encryption.

        If I'm buying stuff then yes some authentication/certification that I'm actually giving my credit card details to the company I think I am is a good thing.

        If I am entering my password for a shitty forum web site, then having the session encrypted is nice to have. I don't really care about man-in-the-middle attacks since the alternative is no encryption at all.

        Sometimes partial coverage is good enough. But web browsers make it appear that an encrypted connection without authentication is worse than an unencrypted connection without authentication by throwing up scary warnings about evil hackers.

        • Re: (Score:1, Informative)

          by Anonymous Coward

          For repeat customers, accepting a self signed certificate the first time would work fine. The certificate ensures that I'm connected to the site I think I am.

          But for all the sites I haven't shopped before, a certificate doesn't improve anything. The certificate confirms that I'm connected to a site I don't know (since I haven't been there before), and I'm expecting to be connected to a site I don't know. But can I trust the site I'm connected to? That's the problem. I don't know. And the certificate won't h

          • The certificate confirms that I'm connected to a site I don't know (since I haven't been there before), and I'm expecting to be connected to a site I don't know.

            It not only confirms to you that you are connect to a site that you don't know, but to this particular site that you don't know. Which means that if something untowards happen, you now know that site a little bit better :-)

            But can I trust the site I'm connected to?

            This is a common misunderstanding about the purpose of certificates. Certificates don't help you trust the entities that you are doing business with. They only help you trust that you are talking to who you think your are talking.

            A certification agencies job is not to assess the financia

            • by mpe ( 36238 )
              A certification agencies job is not to assess the financial solidity of a bank, or the honesty of an online shop. Their only job is to make sure that only that bank, or that shop can get a certificate saying that it is indeed that particular bank or that particular shop.

              Unless the certifying authority is located physically near to the entity it is ment to be certifying there isn't really much they can do. e.g. entity in India is of little practical use if you want to know about a business anywhere other t
      • by Uzik2 ( 679490 )
        Certification is what they provide, but that seems like a useless semantic. My problem is that this system tries to convince you to place your trust in an authority that doesn't deserve it but leads you to believe they do. Their mandate as companies is to make money, not be trustworthy.
    • by ArsenneLupin ( 766289 ) on Tuesday October 06, 2009 @07:44AM (#29655581)

      The whole "encryption = authentication" idea is stupid and wrong.

      Well in many cases, encryption is used to transmit authentication tokens of some kinds (passwords, credit card numbers...). And certificates are needed to make sure nobody plays man in the middle...

      The scary warnings when someone wants to encrypt the traffic between you and their website using their own certificate is commercialism at it's worst.

      Indeed. Warnings are needlessly scary, because non-certified SSL is still more secure than no SSL at all (non-certified SSL at least protects against passive listeners).

      So, in all logic the warnings should even be more scary for the plain unencrypted http case.

      Indeed, nowadays, the smart men-in-the-middle just redirect the hijacked connection to a http page, and doesn't bother with https, because most users won't notice the missing s in the address bar anyways...

      • Missing s? I don't about yours, but Firefox show a green bar before the URL with the name of the entity, and all browsers show a "lock" symbol, and most people I know expect them in banks other important websites.

        • Re: (Score:3, Interesting)

          Missing s? I don't about yours, but Firefox show a green bar before the URL with the name of the entity,

          Mine shows a very short blue bar.

          all browsers show a "lock" symbol

          Yes, a small lock icon in the lower right corner.

          most people I know expect them in banks other important websites.

          So geeks (and their friends...) know about these. But most others don't, and wouldn't notice without anybody drawing attention to it.

          Compare this now with the very noisy warnings that you get when trying to access a site with a bad certificate. Any man-in-the-middle worth his salt is going to opt for the missing lock icon rather than the very obnoxious "add exception" page of Firefox.

          • by ArsenneLupin ( 766289 ) on Tuesday October 06, 2009 @08:58AM (#29656387)
            O, and some sites (such as facebook or hotmail) only use https for the form submission, but not for the template. Theoretically this is secure (because it's the submission of login data that you want to protect, not the mask that is displayed on screen), but in practice it means that neither of the usual tell-tale signs (green/blue bar, https, lock icon) will be present.

            The only way to see whether the form is secure or not is then to view source and check whether the form action has https or not. I don't really believe that grandma is going to bother...

      • by mpe ( 36238 )
        Warnings are needlessly scary, because non-certified SSL is still more secure than no SSL at all (non-certified SSL at least protects against passive listeners).
        So, in all logic the warnings should even be more scary for the plain unencrypted http case.


        There are also situations where warnings are not generated when they should be. e.g. a signed certificate changing.
      • by Uzik2 ( 679490 )

        I agree. I'm not down on encryption, there should be more encryption, just negative about the way it's been handled by the browsers. Trust is, to me, more than just a certification by some company that is only concerned about making money and cares not a bit for me.

    • by zwei2stein ( 782480 ) on Tuesday October 06, 2009 @07:48AM (#29655609) Homepage

      Encryption without authentication is stupid and wrong too.

      The scary warnings are there to make sure that you are not luled to false safety because man in middle attacks can work just fine with encryption as long as you trust their certificate.

      Talking securely to someone is implied by fact that you really know who you are talking to.

      • by Sloppy ( 14984 )

        Encryption without authentication is stupid and wrong too.

        No more wrong than plaintext without authentication.

        Hey dude, we get it: we want authentication. Sometimes we even need it. But that's a totally separate issue from encryption.

        Encryption with a MitM has an active spy. Plaintext has an infinite number of passive spies. One of these two situations is better than the other.

      • Talking securely to someone is implied by fact that you really know who you are talking to.

        Huh? A->B does not mean B->A. Knowing who you talk to doesn't imply it is secure. The two can be separated out quite clearly - obvious real-world examples being "talking in a crowded room to a friend" (authentication without security) and "whispering to someone you've just met" (not the greatest example, but it should be fairly secure even if you don't have a clue who the hell they are).

        • "talking in a crowded room to a friend" (authentication without security) and "whispering to someone you've just met" (not the greatest example, but it should be fairly secure even if you don't have a clue who the hell they are).

          It's not about the security of your communication partner, but about security of the communication medium.

          Try "passing notes in a classroom":

          • "notes written on small sheets of paper": somebody of the people on the way to your target could read the note as well.
          • "notes sealed in plane jane white envelopes": more secure, but somebody en route could open the envelope, read the note, and stuffed it into a new envelope.
          • "notes sealed in fancy, hard to find envelopes": most secure, as the interceptor will no
          • Depending on which angle you're looking at the communication from, I agree with what you're saying. The thing is that most of those examples are the wrong way around for HTTPS (which is what we'd strayed towards as an example). In those analogies HTTPS is more like *makes random example* the person you're passing the note to sending you a padlocked box first and they've signed it in permanent marker. You know you've got something secure to send your response and you know it is from them because it has their

            • This is actually an excellent example, especially since it is the recipient (web site) which signs the padlocked boxes. This makes it much closer to the real https (where web sites are certified, and generally not clients) than mine with the "fancy envelopes". Also, it addresses the case where the interloper does not care whether his attack has been detected after the fact.

              Thanks.

      • But it is stupid that we have scary warnings for encrypted, not authenticated traffic, but unencrypted, not authenticated websites have no warnings.
        It makes HTTP look more secure than HTTPS. Encrypted, not authenticated/verified HTTPS is as secure as HTTP.

        • So there should be a warning whenever anybody does anything unencrypted?

          There's an argument to be made that everything on the web should be encrypted.... but it's a tough sell considering the installed base of files on the web.

          So, if some stuff is encrypted, and some stuff isn't, how do you decide what unencrypted sites to warn on? Just when submitting information? We already have a warning for that.... although I guess that could be sterner... hrm.

        • by Uzik2 ( 679490 )

          >Encrypted, not authenticated/verified HTTPS is as secure as HTTP.

          I can't agree. Encryption is always a bonus as far as I can see. It provides you with some degree of protection from packet sniffing. It might not provide much else for a sophisticated attacker, but at least you have that much.

  • by Anonymous Coward

    of personal digital certificates on the Linux desktop, over IPv6.

  • WoT (Score:5, Interesting)

    by smoker2 ( 750216 ) on Tuesday October 06, 2009 @07:50AM (#29655631) Homepage Journal
    I was a member of the WoT back in '99. It took several weeks (nearly a month) to find accessible notaries, and their method of meeting was suspect to say the least. For one I had to travel 30 miles to another town and meet in a supermarket car park. After I got my cert. no-one I sent signed messages to knew how to handle it - encryption was pointless. I let it lapse after about a year, and haven't bothered since.

    Unfortunately, unless the govt. mandates personal electronic signatures, it ain't going to happen. And no-one will want to use it under govt. mandate anyway. This stuff is geek only territory.
    • Re: (Score:2, Interesting)

      by macterra ( 75505 )

      Unfortunately, unless the govt. mandates personal electronic signatures, it ain't going to happen. And no-one will want to use it under govt. mandate anyway. This stuff is geek only territory.

      I respectfully disagree. Google could easily add PK security to gmail, initially as a new feature that works only with other google accounts, and this would increase pressure for other email providers to adopt the standard.

      • Re: (Score:3, Insightful)

        by Domini ( 103836 )

        I disagree. Google cannot do this unless they change the way gmail works. I will not let them touch my private key lest I end up not trusting my own private key. You can say they can then kinda leave it on your PC and access it with client side JS, but then you sit again with the problem that it becomes hard to manage and understand by the masses.

        • by LihTox ( 754597 )

          OK, so you don't give Google *THE* private key you use, but what if you allow GMail to generate a different private key for you with which it signs/encrypts emails? That would be more secure than nothing at all, though of course it depends on Google's security. If Google were geeky enough, it could allow you to prove your identity to it with your private key (or other method), and then tell your email recipients that they at least are satisfied that you are who you say you are.

          The key thing is that it get

    • by Domini ( 103836 )

      Same here. Was quite a process... had to drive around a lot and meet weird people. After that it was denied by the same government that had an official policy to accept it. And my bank preferred even a plain e-mail over it.

      No one had a clue what to do with it.

      The only thing I used it for was for secure e-mail... pah... could just as well stooped to PGP then.

      Me.

    • Well, in Germany, electronic signatures issued by your bank are valid signatures for contracts and the like. So you can actually sign an e-mail, send it to a government office, and they have to accept it as if it were a physical letter with signature.

      Of course, if you really try that, they will fail, and if you're lucky ask you what that was, instead of ignoring it as an "error". But you *can* sue to enforce it being accepted. But you would have to actually sue. Because they would ignore or not believe that

  • by Admiralbumblebee ( 996792 ) on Tuesday October 06, 2009 @07:56AM (#29655673) Homepage
    I never thawte this would happen.
  • by Ilgaz ( 86384 ) on Tuesday October 06, 2009 @08:02AM (#29655739) Homepage

    I have seen many Java signed opensource/freeware coming with that Thawte free mail certificate. I hope they won't be effected with it and if brain dead Sun offers some kind of special treatment to those, it won't be any matter.

    Of course, it is Sun we talk about and even Oracle couldn't still change anything.

    90% of reason Thawte brand was known among professional users was "Thawte free certificate" which was supported perfectly by mail clients. Thawte has no clue what kind of harm they did to brand value/recognition to save couple of CPU cycles and couple of gigabytes.

    People thinking GNU PG or free PGP will be implemented by those: No, they will simply move to another way of pkcs signing their mails or buy commercial PGP.

    • <italian mafia accent>Umm... about your subject:
      Need a bag of English? We've got some on sale. With nice words like "be" and "affected". We even have a special today, where we include a whole capital letter "J" for free!
      Only $5! Beautiful fonts! Nice kerning! Buy now, before it's too late!
      </italian mafia accent>

  • ...they would first have to start one. Since Thawte is part of Verisign and Verisign is not worthy of trust...

  • Any reason not to use Comodo's equivalent?
  • by Gollum ( 35049 ) on Tuesday October 06, 2009 @08:34AM (#29656073)

    One thing that a lot of people are ignoring is that Thawte FreeMail certs are used by a lot of small developers to publish Java apps, and this would kill off that ability quite quickly.

    That said, I have not seen a word of this on the Thawte web site, which makes me wonder if the submitter is trying to perform a DoS on Thawte for some reason, and are tricking the slashdotters into being that DoS. The page linked takes an enormous amount of time to decide that there is nothing to return, meanwhile slashdotters are beating on the server over and over. Sorry for the OP, though. The rest of their site still seems to be just fine.

    • by Mal-2 ( 675116 )

      This is directly from the website [thawte.com]:

      1. Why have you stopped offering thawte Personal Email Certificates?

      Over the past several years, security compliance requirements have become more restrictive, while the technology infrastructure necessary to meet these requirements has expanded greatly. Despite our strong desire to continue providing the Thawte Personal E-mail Certificate and Web of Trust services, the ever-expanding standards and technology requirements will outpace our ability to maintain these services

  • That's the second source that's telling me the Free e-mail certs/WOT program is coming to an end..

    However, looking at http://www.thawte.com/ [thawte.com] doesn't reveal anything as such..

    But I can't say I'm *that* surprised..

    --Ivan

  • Facebook Friends (Score:5, Interesting)

    by muckracer ( 1204794 ) on Tuesday October 06, 2009 @08:47AM (#29656253)

    Since people are quite adamant about adding each other as 'friends' on social networking sites like Facebook etc., why can't something like the Web-of-Trust be riding along somehow? Or at minimum a GPG key exchange requiring no further steps? There's gotta be a way! Firefox/Thunderbird Plugin that has access to all keys of your 'friends' and uses them automatically? Something like that.

    • Because that would be the complete opposite of how the web of trust is meant to work?

      I mean the sole concept of putting "Facebook" and "Trust" in one sentence...! What were you thinking? ;)

    • by lennier ( 44736 )

      "Since people are quite adamant about adding each other as 'friends' on social networking sites like Facebook etc., why can't something like the Web-of-Trust be riding along somehow?"

      That's pretty much the entire concept behind the Cory Doctorow book "Little Brother". The Xnet is a secure free Facebook. It did require physical key-signing parties, and he pointed out how the whole network could still be rooted by infiltrators, but that's the idea.

  • Submitter might want to recheck their calendar. They must have gotten some weird looks when they were trick-or-treating this weekend.
  • That Verisign acquired Thawte 10 years ago in a deal that made Mark Shuttleworth a brazillionaire capable of sustaining a swell OSS project. Are they then just shuffling people from a free product to a for-pay model, or is there a significant advantage to the Verisign product? It seems they are replacing a whole community of users and trust with email certs that offer none of that extended web of trust.
    • As I understand it the paid certificates don't need a "web of trust" because verisign will verify your identity directly. The web of trust was just a way for them to save on administrative costs.

  • You know, the one where November 16 is two weeks after October 6th.

  • The last official email I've recieved from Thwate was a year ago when my certs expired. As to whether this is actually happening, I simply have to say it's a bogus message put out by someone who's got an axe to grind with Thwate. As to Verisign purchasing thwate 10 years ago, I wasn't aware of that as there was and is no information about such a purchase on their website, which is a critical piece of information that must be provided (of course I've not looked at their SEC filings to okay/deny).

  • It seems the post has been removed at the moment... Was it a fake one?

    I now get:
    Article is unavailable or has been removed, please try a new search.
            The article was not found, or is no longer available. Please try a new search..

  • by vanyel ( 28049 ) * on Tuesday October 06, 2009 @11:41AM (#29658647) Journal

    $20/yr is not an onerous fee, big deal. I'm surprised it's gone free this long. If you really can't stand to pay for the service you're using, go to cacert.org.

  • "Thawte is offering a 1-year free VeriSign cert to those holding valid Personal Email Certificates; after that you pay."

    Does this strategy sound familiar? It should... it's the same business strategy practiced by drug pushers: get 'em dependent and addicted, and then start demanding money. Make 'em an offer they can't refuse.

    So is Thawte run by former drug pushers?

    (Yes, I know the same question could be asked of Comcast and thousands of other companies. I'm singling Thawte out because of that word "trust" being involved here.)

  • Maybe now that Thawte is making email certification less useful (and more expensive), clients like Thunderbird and Mail.app will start to prefer GPG/PGP. That's all I can hope for anyway, since GPGMail for Mail.app is now broken under Snow Leopard for the foreseeable future.

  • by the JoshMeister ( 742476 ) on Tuesday October 06, 2009 @02:44PM (#29661729) Homepage Journal

    Although I'm familiar with Thawte, I hadn't heard of its "Web of Trust" prior to this article. However, there's a popular browser add-on with the same name, so I thought I should point that out to avoid any confusion, especially since both products are related to Internet security in some way.

    Web of Trust [mywot.com] is also the name of a Firefox and Internet Explorer plug-in from a company called WOT Services Ltd. (until recently known as Against Intuition Inc.). It helps protect users from harmful Web sites and puts safety rating badges in search results on Google, Bing, Yahoo!, and other search engines, similar to McAfee SiteAdvisor [siteadvisor.com] and Symantec's Norton Safe Web [norton.com] (although in my experience, WOT is much more effective). This completely unrelated Web of Trust is not being killed off.

    I hope that clears up any potential confusion.

The "cutting edge" is getting rather dull. -- Andy Purshottam

Working...