The Geek Factor


I don’t need any stinkin’ CA issued certificates for my web sites, for this I do -  openssl 123 …

So goes the usual rant by geeks, hackers and open source enthusiasts against the certification authorities and their accomplices Internet Explorer, Firefox and Co. Why is that, and did anything change?

One of the primary concerns usually raised in discussions, blog posts and bug comments surrounding digital certificates was always the monetary requirements:

It’s the pricing policies of the greedy CAs who are sucking up our hard earned dollars for worthless digital certificates anybody can create by themselves… if one isn’t too stupid to use a few openssl commands. And anyway, anyone with $250,000 and a good lawyer can be certified to issue perfectly trusted certificates. It has very little to do with technical competence and more to do with the fact that they are trying to milk the industry for substantially more money… [1]

That was correct in early 2005, when I started the StartCom Free SSL Certificate Project. Having realized that alternatives weren’t going anywhere in any useful time frame, and being annoyed myself at having to pay a rather significant sum for security, I decided that it might be worth trying to change the rules. We had perfect cryptography which unfortunately only some could afford, but certainly not the masses. In order to make the Internet a better (and more secure) place, certificates had to be easily obtainable.

Four years ago (StartCom’s main focus was still the StartCom Linux distribution and the hosting business of MediaHost™) we set up a new web site, created a very simple wizard for obtaining a digital certificate and announced to the world that we intended to end this multi-million dollar business of implied security. There was certainly some naivety and a lot of innocence in our proclaimed goal, until our servers were overrun by almost two million page views during the initial days after our announcement hit the Internet news sites. We went like….WOW!

Here it was: the Israeli Linux vendor StartCom is going to issue SSL certificates for free. The news was all over the place; heated discussions erupted at interactive forums, supportive and critical (*) comments, jubilation and frustration, a mixed bag of views and reporting. Even though I admit that I wanted to stir the pot a little bit, the reaction and the extent of the reporting were completely unexpected (initially I thought our servers were under a DoS attack :-) ).

* Some comments even suggested that StartCom is operated by the Mossad, the Israeli intelligence agency.

Once we had realized what we’d done, the period following the initial success was marked by a strategic shift of priorities at the company, and a huge workload and learning process. With the help of a known PKI specialist we started to set up the StartCom Certification Authority, this time for real. Policies were defined, hardware purchased, servers installed and secured, CA certificates issued, applications developed, CRLs and OCSP responders implemented, physical security enforced, a legal framework established and, and, and….at last we ordered an audit in order to confirm our policies and practices. A far cry from openssl 123 …

At that point we also had to invent a new business model for certification authorities, because we had proclaimed that digital certificates can cost much less or maybe even be free of charge! But somebody has to pay the bills nevertheless. Hence we established the principle that fees should be applied against the effort we spend in manual processing by our personnel. This allowed StartCom to keep issuing domain validated SSL certificates, which are processed mostly automatically, without charge, while applying reasonable fees for certificates with higher levels of validation.

During the following years the StartCom CA was accepted by various software vendors, including Apple and Mozilla, as a trusted authority for the issuance of digital certificates. It would take the introduction of more products and many more efforts until we reached acceptance by all major browser vendors, something which is probably going to happen now during the next few months.

Having provided fully trusted SSL certificates for the first time ever, I always had to wonder why it is such a horrible act for geeks and open source advocates to get a certified piece of bits and bytes from a third-party provider, as seen in comments from here. It clearly can’t be because of the alleged financial rip-off, because the financial barrier that still existed in early 2005 does not exist today.

Various efforts were made to explain at great length why self-signed certificates aren’t worth the digital paper they are written on. Are the most security-minded and most knowledgeable folks using computers their own obstacle when it comes to digital certification? Is the freedom to use your homegrown certificate instead of that of a third-party provider more important than Internet security? Isn’t a driver’s license issued by yourself about as worthless? Or is it because StartCom is nevertheless a commercial company and therefore evil? Or is this a geek factor not well understood? Do you know?
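As an added example (not from this post or from StartCom), the "openssl 123" self-signed shortcut is placed beside a certificate issued by a constructed toy root CA, and both are checked the way a browser checks a server certificate: against a trust store. It assumes only that openssl is on the PATH; every key, name and certificate below is constructed sample data.

```shell
#!/bin/sh
# Self-signed versus CA-issued: what chain validation actually decides.
set -eu
WORK=$(mktemp -d)            # scratch directory for the constructed material
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. The "openssl 123" route: key and certificate in one step, no third party.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
  -keyout self.key -out self.pem >/dev/null 2>&1

# 2. A toy root CA (hypothetical), standing in for an authority a browser trusts.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Toy Root CA" \
  -keyout ca.key -out ca.pem >/dev/null 2>&1

# 3. A certificate for the same host name, but requested via a CSR and signed
#    by that CA, so its trust derives from the issuer rather than from itself.
openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
  -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 1 -out leaf.pem >/dev/null 2>&1

# verify_against <trust-store.pem> <cert.pem>: prints OK when the certificate
# chains to something in the trust store, FAIL otherwise (openssl exits non-zero).
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# With the CA in the trust store, the issued certificate validates and the
# self-signed one does not. The self-signed certificate only validates when the
# verifier has been told to trust that very certificate, which is what every
# "accept this certificate" click amounts to: a trust decision made per site.
echo "leaf vs CA store:  $(verify_against ca.pem leaf.pem)"
echo "self vs CA store:  $(verify_against ca.pem self.pem)"
echo "self vs itself:    $(verify_against self.pem self.pem)"
```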

Reader Comments

I think the problem is two-fold:

First, understanding the PKI architecture isn’t straightforward. It took me quite a while to wrap my head around the idea even with a graduate degree in Computer Science with an emphasis on Cryptography and Network Security. Coupled with complacency, lack of understanding leads to incomplete implementations (i.e. openssl 123).

Second, man in the middle attacks are much more rare than the experts contend. While “correct” security requires a PKI or out-of-band key exchange (the latter being infeasible for public deployments), often the business drives a decision to enable encryption to limit liability and raise the level of security without additional complication. This has worked in general because low-security applications (like setting up an SVN server for myself and friends) can afford the risk of a man-in-the-middle attack. This is because a man-in-the-middle attack requires enough sophistication and access to other secured resources. These deterrents are often sufficient for low-value assets.

I use StartSSL because I appreciate correct implementations, that is, security applied with all of the benefits learned after 50 years of expert analysis. Manually validating (or just exempting) untrusted certificates really is bad practice. For that reason, I refuse to add permanent exemptions for untrusted certificates in my browser. I will either repeatedly accept the exemption or I will see to it that the server is deployed with a StartSSL cert.

I’m really excited about the potential for broad browser support! Way to go, StartCom!

Yeah! What I wrote here isn’t something new, but something I have known for a long time. The trigger to write this article was an encounter with a Mozilla employee, who should know better, as I assumed. This really amazed me…
