News of a possibly very nasty bug in the popular OpenSSL library, which hit out of the blue like a bombshell, got my attention some weeks ago. Dubbed Heartbleed, this bug can potentially leak the private keys installed on servers that use the affected library versions, I learned, and shortly afterwards the first revocation requests citing the bug started to come in at StartSSL.
It also didn’t take long until the first calls for removal of the StartCom root from browsers appeared across Twitter feeds and in the Mozilla bug tracker, with the claim that most StartSSL-issued certificates would stay vulnerable. Upfront, I can easily refute this claim by confirming almost 2000 revocations since the disclosure of Heartbleed, still counting. I’d say, let the certificate revocation lists (CRLs) do the talking, and I’m certain that StartCom will over time show proportionally a similar number of revocations as most competitors.
It wasn’t entirely obvious to me, when we made the decision some six years ago to implement a certification authority that does things differently, that we’d end up facing a state-sponsored cyber-war. And even though I incidentally called this very blog “Join the Revolution“, I didn’t have in mind anything to do with securing a real revolution in any country or protecting dissidents from any regime. Not that kind of revolution anyway.
In fact, StartCom never issued certificates for particularly high-profile sites such as Google, Facebook and Twitter, which seem to be the most popular targets these days, so what do we have to do with it? Actually not much, but here is the catch: it’s fairly easy to issue digital certificates for those high-profile sites; the art is not to issue them. But that’s exactly what some want the certificate authorities to do - against their own will, obviously.
Long after the major software vendors that produce browsers and mail clients already supported the StartCom root certificate by default, users of the Opera browser still couldn’t easily enjoy the benefits of free and cheap SSL certificates. And I myself had to postpone an article I intended to write about Opera for more than two years after I mentioned that I’d soon write some more about this browser, since I believe that they are doing many things quite right.
For reasons not entirely known to me, support for the StartCom root certificates in Opera lagged beyond the expected time-frame; it appeared to be somehow connected to a possible new standard for regular SSL certificates which at some point was in the making at the CA/Browser Forum, but was eventually never adopted or implemented. And the fans of the Opera browser grew increasingly impatient as complaints were heard more and more often.
When buying a newspaper, what exactly are you paying for? For the paper, or for the content within the paper?
Well, if it were for the paper, you could probably read last year’s newspaper much cheaper. Or perhaps you could save yourself the hassle and simply read the toilet paper in the morning instead; it wouldn’t make such a difference, right?
But of course you pay for the content within the paper in order to read about the latest breaking news. The cost of the paper is really insignificant; in the best case the paper is eventually collected and bought back by the paper industry for a few dollars per ton, then recycled. The real value of interest is indeed the content only.
So why does the majority of public certification authorities behave as if they were in the digital paper industry? And why are you willing to pay substantial sums for the digital paper of SSL certificates, when in fact you are only interested in its content? Why not pay only for the real value contained within the certificate?
To be continued…
Securing the internal networks of enterprises is a very important task - for that matter, securing any Intranet is. Today the threats are manifold and come from various directions, be it through the corporate firewalls, VPN gateways, WiFi access points, compromised computers and laptops, or employees and third-party contractors, to mention only the most obvious. As Mr. Tom Albertson from Microsoft recently noted to me, the security of any network shouldn’t be predicated on keeping the bad guys out - they are already there.
Many corporations rely on digital certificates issued by the public certification authorities to secure the point-to-point connections of their network. Unfortunately, most public authorities are willing to sell “snake-oil” to those enterprise establishments instead of real security, mainly because the corporate managements request and ask for it. How come, the dear reader might ask, and what is this snake-oil made of?
Join The Revolution!
Join the revolution of our online experience, a revolution in authenticity which leads to security, a revolution in sharing of resources and values, a revolution of our rights and privacy, a revolution where enjoyable, secure computing works for us!
Get to know me, my visions and progress, enjoy the reading, question my thoughts and views, post your comments... But most important:
Join The Revolution!
See you around!
- @gen It's a beautiful little sport-bike and with some mods really a lot of fun. Love it!
- @gnanet Yes, this is not bad - at @startssl the policy advises not to reuse keys at all.
- @gen It's the 250 for now
- My smallest one tries to be a real Ninja - on daddy's bike http://t.co/NRJbfaGs
- I must say I love this month's SSL Survey of @Netcraft and StartCom just doubled its market share from last year.