Wednesday, October 14, 2009

Thawte Web of Trust to kiss goodbye soon

In my email today was a sad announcement - Thawte, a well-renowned company providing security solutions to the Internet (mostly SSL certificates for web sites), is canning the free "Web of Trust" service on Nov 16th.

Web of Trust was a way to give people some electronic privacy in the form of e-mail cryptography via a freely issued certificate.
That's the kind of thing you'd configure in the Tools-Options-Security menu (Outlook Express or Outlook).
I say "some" because the company might still keep your private key in some storage, and whoever has the proper laws on their side may get to that part of your e-privacy.
Anyway, it's better to trust ONE government than EVERY intermediary provider, hacker, sniffer, rogue admin or the like.
That's called "reduction of attack surface".

"Why would we need Thawte, there are free tools for generating certificates", you'd ask.
Because a certificate has to be trusted. By default, each OS comes with an ample set of "root" certificates, those in which every computer on the net places absolute (but not everlasting) trust.
Personal WoT certificates are signed by Thawte's CA (which is trusted via the pre-installed root certs that come with most OSes), so your WoT-secured e-mail would not cause a verification problem.

Anything signed by an untrusted root CA (certificate authority) is NOT trusted by most computers out there and will cause a problem that I briefly explained here.

What is Web of Trust and how did it help keep the constitutional right to personal privacy?

WoT is based on Notaries. A WoT Notary is a voluntary (unpaid) person with a certain level of trust (not less than 100 points) who can certify that he has seen the enrolling persons in person, verified their national ID (passport, driver's license etc.) and recognized that they provided enough proof of their name. The only pieces of info that go into a WoT certificate are the person's name and e-mail address, so that addressees (and e-mail client software) can positively verify the authenticity of e-mail correspondence.
"WoT trust spreads through the grapevine", one could say.

Basically speaking, you can get a free "noname" certificate right now, but you can have your name on it only when you get some points from WoT notaries (by visiting them in person and showing your IDs).
As soon as you get your cert, you can SIGN your e-mail. Any change to your e-mail in transit (except for the headers) would be detected by the addressee. In fact, that is like having your written signature on it.

As soon as your addressee has their own digital ID, and because they have your public key from your signature on the first e-mail, they can ENCRYPT their replies back to you, so that the content of the e-mail cannot be seen by anyone else.
That's how privacy works. Both parties must have IDs and there must be a transfer of public keys (for example via the first signed e-mail, or offline).
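Here is the trust check behind all of this, as an added example in Go; it is not code from the original post and it does not use Thawte's real certificates. A constructed stand-in root CA issues a personal certificate carrying only a name and an e-mail address, and a mail client accepts that certificate only when the root is in its trust store; the Ed25519 keys, the names and the one-day validity are demo assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign turns a template into a parsed certificate signed by priv; parent == tmpl yields a self-signed root.
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, priv ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// issue is a constructed stand-in for Thawte's CA: a self-signed root issues a personal
// certificate whose only identity fields are the holder's name and e-mail address.
func issue(caName, holder, email string) (root, personal *x509.Certificate) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // demo only: key-gen errors ignored
	holderPub, _, _ := ed25519.GenerateKey(rand.Reader)
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName}, NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root = sign(rootTmpl, rootTmpl, rootPub, rootPriv)
	personal = sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: holder}, NotBefore: notBefore, NotAfter: notAfter,
		EmailAddresses: []string{email}, // the only identity data a WoT notary vouches for
		KeyUsage:       x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}, root, holderPub, rootPriv)
	return root, personal
}

// trusted is the check a mail client makes before showing a signature as valid: the personal cert must
// chain to a root in the store; pass an empty (non-nil) pool to model a machine with no root installed.
func trusted(personal *x509.Certificate, trust *x509.CertPool) bool {
	_, err := personal.Verify(x509.VerifyOptions{Roots: trust, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err == nil
}
```

A nil pool would make Go fall back to the system root store, which is exactly the "pre-installed roots" case the post describes.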

There are alternatives, of course, and I welcome you to discuss them in comments.

I am Sergey Zak and I'm a Thawte Web of Trust notary.

Wednesday, September 23, 2009

CheckPoint SecureClient

I have spotted one pleasant peculiarity (feature) of CheckPoint VPN SecureClient on Mac OS X - it warns the user of imminent session expiration.

In my 4 years of usage, the PC version warns you only when you have lost connectivity, and annoys the user with "Reconnect" requests for a new RSA code.
But that, magically, never happens on a Mac. In fact, Mac users are politely warned BEFORE issues occur.

How gentle and nice of you, CheckPoint!

BTW, if I were to compare CheckPoint VPN to Cisco VPN, I must say that Cisco has one annoying feature turned on by default, and it takes a lot of extra effort to fix it - all traffic goes into the VPN tunnel.
This means that if the remote secure network does not support a service you want to use (SMTP, POP, Skype, whatever), you're toast until you disconnect.

Quite important for telecommuters.

All in all (taking the admin tools into consideration), CheckPoint software is much more usable and has a better GUI.
I only wish their installers properly removed (upgraded) their previous versions...

Monday, July 27, 2009

Insecure certification? Say no.

If you, like me, have worked for some corporation, or even a smaller company with an Intranet, then you'd recognize this kind of screenshot:

It's a long-standing security issue and one I just read an article about here.

For people without a due understanding of certificates and why they are used, this is a non-issue - they just click "Continue" or something to that effect - and go on.
But the devil is in the details, as we know.

I think it's about time we stopped allowing that.

Besides presenting a usability issue, namely a "nag" dialog, it also voids one of the two purposes of certificates - it does not verify the server's authenticity, allowing for the so-called "man-in-the-middle" attack.

The second, remaining, purpose is encryption against eavesdropping, but this one is also crippled if you're talking to "the wrong" server after clicking "Continue" on an invalid certificate.
Simply because the eavesdropper will be the non-authenticated (fake, malicious) server with a similarly incorrect certificate, to which you'd blindly accept a connection.

Such practice has been "convenient to the user", who needed a way to access things, and "merciful to the developer", who did not want to spend money on SSL certificates from established Certificate Authorities.
Well, there was an epoch with no condoms, and people suffered greatly while not realizing there was a way out.
As more and more electronic fraud and hacking dilute the quality of online life, there's more and more need to establish better standard practices.
Now the web looks as if only richer folks can buy the needed protection. The rest of us have to "blindly click extra".

Time to revisit what stops us from helping every website.

I would suggest "closing the gap" by disabling access from all browsers to sites with invalid certificates.

The only exception left would be VALID self-signed certificates, but they should be separately indicated in browsers by a special icon (not the padlock used for CA-signed certificates). Such an exception leaves one vector of attack open - DNS.

And for future development, there is a need to secure DNS, too.
I think there can be one solution to both problems.

An option to get certificate when registering your domain name!
(Directly from the registrar.)


Think of this - we trust DNS; should this trust not be augmented by certification?

Unfortunately, this would mean a serious increase in business for registrars and a decrease for CAs.
Well, good does not come without change.
Besides, I think they are in the right position to lobby for this as a new web standard.

For registrars, that would be an additional competition vector.

Wednesday, July 22, 2009

Cloud computing


I was thinking about those 'new' paradigms and buzzwords.
I believe the strife to create such an ecosystem is easily explained:

If it's called 'cloud computing' then how do you call someone who 'sits on a cloud'?

Their usual mantra is "have your information anywhere", which actually means "we hope to have all your info and lend you access to it" + "you must also pay the internet fee whenever you want to use your data".
No surprise; as usual, the best business is when you sell people something they already have.

Either way, IP communication companies have a brighter future.

Friday, July 17, 2009

Web is making new mistakes

Lo and behold! The web is making new mistakes.
But before I explain what, let's first look at previous common mistakes and misconceptions made by way too many designers, software architects or coders during those "Internet boom era" days (some might say "dark days")...

1. "That darned encoding stuff"
That was way uncool in the 90s, when you got an e-mail with the encoding set incorrectly, or arbitrarily changed by one of the SMTP relays, or not set at all.
According to RFC2047, if the encoding of a body or subject is not indicated, it should be treated as ASCII.

"Thanks" to the development of web clients (browsers, instant messengers and e-mail clients) which allowed this RFC to be overridden by setting a "Default" encoding (changing it from the RFC's ASCII to accommodate lame content), many other developers and webmasters still could not be bothered to indicate the international encoding in their content, nor to process it properly in relays and web platforms. They relied purely on the user setting his "Default" encoding to his native language (for me, that was Русский).

All this havoc continued until the bloom of Unicode in the 21st century; nowadays most e-mail bodies are properly encoded and re-coded, while I cannot quite say the same for e-mail subject lines (especially from some forum/BBS platforms).
AOL seems to have fixed their ICQ offline message encoding only with the latest update of the protocol, which broke some clients. That was one reason why RFC822 was not that widely accepted.


2. Browser wars (image courtesy of Saint Michael's blog)
The vertiginous success of Microsoft Internet Explorer as the dominant browsing technology, coupled with Microsoft's competitive practice of ignoring or bastardizing standards, led de facto to a massive deviation from official W3C standards and behaviours.
Many webmasters never tested their stuff on another browser.
Most companies shrugged off the need to allow a bigger budget for true "web compatibility" testing of their intranets.
The competitive ecosystem was not healthy when Microsoft almost monopolized the market. Microsoft's "Embrace and Extend" strategy had its negative impact on true multivendor/multiclient compatibility on the Web.
Not only Microsoft is to blame, of course.
Netscape, which probably had an 85% browser market share before Windows 95 came out, made a decision which caused it to lose the lead: to re-write the browser from scratch. Thanks to that, we now have Mozilla Firefox!
Firefox, Google and Apple are leading the world to a standards-based future.

Now, what's wrong with some modern and popular web sites?

With the rise of user location services based on the incoming IP address, it became possible to make a fair guess about which country a user is in.
The wrong part about its usage is that some major sites simply infer your native language from your location!
THIS IS VERY WRONG!
And even the fact that it works for the majority should not preclude your clear judgement.
Just like ASCII worked for most users in the early 90s simply because most users were in the U.S., we should not lay a new time bomb with incorrect usage of this metadata.

First of all, not all people living in a particular country can read the local language. Some are travellers, some are expats, some are from ethnic minorities.
Secondly, with the current state of corporate globalization, there are web proxy servers which are placed in one country per region. The regions are APAC (Asia and Pacific), EMEA (Europe, Middle East, Africa), LAT (Latin America) and NAM (North America). Those comprise communities of different languages, while having a single geolocation point on the map from the IP address perspective.
Just imagine some global company installs a major web proxy in China - should most employees then be greeted by all major sites in Chinese?

In order to let websites know about the user's language preferences, there is RFC2616 (the Accept-Language header) and the Language preferences in browsers, where the user can set up the order of preference for the languages he wants in web content.
Good usage examples are here or here.

I strongly believe we all should comply with standards, instead of using geolocation as an indication of the user's preferred language.
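As an added example (not code from the original post), here is the negotiation a site should do instead of guessing from the IP address: parse the RFC 2616 Accept-Language header with its q-values, give each language the site supports the q-value of the most specific matching entry, and pick the best one, falling back to the site's own default when nothing is acceptable. The supported-language lists and header values are constructed.

```go
package main

import (
	"strconv"
	"strings"
)

type langPref struct {
	tag string  // lowercased language tag, or "*"
	q   float64 // quality value, default 1; 0 means "not acceptable"
}

// parseAcceptLanguage splits "ru, en-GB;q=0.8, *;q=0.1" (RFC 2616 section 14.4) into entries in header order.
func parseAcceptLanguage(header string) []langPref {
	var prefs []langPref
	for _, part := range strings.Split(header, ",") {
		fields := strings.Split(strings.TrimSpace(part), ";")
		p := langPref{tag: strings.ToLower(strings.TrimSpace(fields[0])), q: 1}
		for _, param := range fields[1:] {
			if v, err := strconv.ParseFloat(strings.TrimPrefix(strings.TrimSpace(param), "q="), 64); err == nil {
				p.q = v
			}
		}
		prefs = append(prefs, p)
	}
	return prefs
}

// quality is the q-value the client assigns to one site language: the most specific matching
// entry wins ("en-gb" beats "en" beats "*"), so "zh;q=0" still blocks zh-cn despite "*;q=0.5".
func quality(prefs []langPref, lang string) (q float64) {
	best := -1
	for _, p := range prefs {
		matches := p.tag == "*" || p.tag == lang || strings.HasPrefix(lang, p.tag+"-")
		if spec := len(strings.TrimSuffix(p.tag, "*")); matches && spec > best {
			best, q = spec, p.q
		}
	}
	return q
}

// negotiate picks the site language from the header alone, never from the client's IP address;
// equal q-values fall back to the site's own order, and with no acceptable match the default wins.
func negotiate(header string, supported []string, fallback string) string {
	prefs := parseAcceptLanguage(header)
	choice, bestQ := fallback, 0.0
	for _, s := range supported {
		if q := quality(prefs, strings.ToLower(s)); q > bestQ {
			choice, bestQ = s, q
		}
	}
	return choice
}
```

The interesting case is the corporate proxy from the post: a Russian reader behind a proxy in China sends "ru, en;q=0.8, zh;q=0" and gets Russian, while a request with no header at all gets the site default rather than the proxy's country.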

NB: There is a silver lining in such incorrect website behaviour - I cannot read the popup advertisements of those banner networks which rely on the location of my company proxy.

Wednesday, June 10, 2009

6 things I will still miss in iPhone 3GS

1/ syncing over wifi (or bluetooth)
2/ video call
3/ haptics
4/ themes
5/ USB storage mode
6/ flash support

I will miss those, but (!) I will enjoy the rest!

Ah, and MMS support is quite lousy in 3.0... Just an attachment (no background color, no text formatting, no multi-page animations, no sound attachments). A half-hearted attempt, driven by mass-bickering more than belief...

UI metaphor collision... or not?

Person A >> Hmm.. I wonder why computer 'desktops' are covered with 'wallpapers', not with 'tablecloths'?

Person B >> You see, monitors are vertical, so tablecloths would not hold.

Source here