Time-Shift: Veritas liberabit vos
The truth shall set you free

To trust or not to trust

One of the major problems society is facing in the age of connectivity is TRUST.

Whom do you trust? Would you trust me with your life? Certainly not. What about your computer and all the data on it? I doubt it. Would you trust me with your music player? You may be surprised to hear it, but to a small extent some of you already do 😛 (I’m coding for Amarok). Now a question to all of you Amarok users: which of you has read ALL the source code and searched it for bad or dangerous parts someone put in there? I certainly haven’t (and I’ve already read a lot of Amarok’s source code). So in the end, even here, it all comes down to TRUST.

So why am I writing about this anyway? As you may (or may not) have noticed, the little “s” after my “http” has vanished. I did this because some of my readers complained, because their browsers complained that they don’t TRUST me and my self-signed root certificate. So there we are again: back to TRUST.

Back in medieval times a man would trust another man by his word. But not every man, just the ones who were rich as hell (or at least a little rich :-P). Poor people’s word meant nothing. Let’s go a bit forward in time, say to the 20th century. You’d think humanity had evolved into a species of understanding and equal rights? You’d be disappointed. There is still a system of classes, and we still trust people with money (gentlemen) more or less by their word, while those who are poor are not trustworthy. So what about today? Equal rights for all? Trust for the poor? I’ll have to disappoint you again. Today (at least certificate- and IT-wise, which is the area my blog is about) we trust those who are buying (for quite some money, and thus are “rich”) a certificate from companies that do little else than SELL TRUST for money (and thus degrade certificates to a “certificate of having enough money to be trustworthy”).

So where does that leave us today? Back in medieval times I guess.

5 Responses to “To trust or not to trust”

  • Sjors Gielen says:

    Quite right. The fact is that, for example, Microsoft ships CA certificates in the root trust chain for CAs that barely do *any* checking of a certificate and simply sign one if they get enough money, but they *don’t* trust CACert simply because it’s a community doing the job.

    But it’s still true that in theory it would be possible for a group of five to ten people to take over CACert… (and be liable for a few thousand dollars if they get caught)

    • Yeah, but even if their internal management structure were more stable they would at best get integrated into free and open source browsers. I doubt Microsoft would even consider integrating a certificate into their browser before seeing some million dollars ^^. So why bother getting a certificate from CACert if half of the users of my blog (well, with my blog perhaps only 1/4 of the users) will see the same “warning, this is a bad page from a bad poor person” warning. I guess if we wait a few years we’ll have to disconnect the Internet because nobody is trustworthy anymore ;-).

  • Antonio says:

    StartSSL by StartCom, an Israeli company, gives out SSL Server certificates for free, no strings attached. Their root certificate is trusted by all major browsers today (including IE, excluding KSSL due to its unmaintained status).

    I was just as disgusted by the CA mafia as you before I found out about them around 2006-2007 and have been a happy user since then.

    Cheers,
    Antonio

  • Ernest N. Wilcox Jr. says:

    I trust Amarok for the simple fact that it IS open source. That fact means that Amarok’s source code is looked at daily by many thousands of pairs of eyes, so any attempt to insert malicious code will very soon meet with the failure of exposure. For this reason, I think it is far less likely that malware can be inserted into any open source application than into its commercial counterpart. Even though I may not give blind trust to any single individual who works on an open source project, I do give such trust to the open source community as a whole because we, the members of that community, collectively ensure its integrity.

    • Maybe there lies the answer to the problems with SSL certificates as well: a CA which is maintained by the open source community and where you need to be a member for some time to get a certificate (so the people get to know you better). Surely spammers and phishers wouldn’t go this way because they would soon be expelled from this group. And community members who are working hard to keep open source software and projects alive would have the benefit of bringing trust and security to their “customers”. Perhaps a big group like KDE or Mozilla would even be a good place to hold a trustworthy CA (surely Mozilla would trust itself 😉 ).