[AktiviX-discuss] Why is the security certificate bad?

andy baxter andy at earthsong.free-online.co.uk
Mon Dec 3 05:49:05 UTC 2007 

I have sent the following explanation to the people I was inviting to 
join the list. If you get the time, could you check it through and let 
me know whether it looks like reasonable advice (I am not 100% sure 
about some of the details, like the kind of attacks that certificates 
are meant to prevent.)

thanks,

andy.

------------------- forwarded message ---------------------

I'm just sending this because I've had an email from someone saying they 
had a problem subscribing to the list. The problem is that when you 
access the website you subscribe through, the browser warns you that the 
site's security certificate doesn't check out.

I have now been in touch with the people who run the mail server and 
website we are using, and the explanation for this is that they can't 
afford to buy a certificate from one of the commercial certifying 
authorities, who charge over £100/year for their certificates. These 
bodies give out certificates which are meant to securely identify the 
site you are looking at as the one it says that it is. This is meant, as 
I understand it, to protect you against someone who has hijacked part of 
the connection between you and the website concerned. This is an 
unlikely form of attack, as to spoof a site in this way you would need 
to have control over some part of the internet's infrastructure, such as 
the ISP - most website spoofs work by subtly altering the website's name 
- e.g. barc1ays.co.uk instead of barclays.co.uk (spot the difference). 
It's also worth pointing out that it's perfectly possible for a 'bad' 
site which distributes malware for example to have 'good' certificate - 
the certificate only guarantees that the website you are viewing is the 
one it says it is, not whether the content is safe. However, it is 
technically possible to fake a site in this way, and certificates give 
some degree of protection against this.

Instead of paying for a certificate from one of the large commercial 
bodies who normally provide them, aktivix.org, who are providing the 
email list, have opted for one from a new, currently relatively small, 
certifying authority called cacert.org (see www.cacert.org, and 
http://en.wikipedia.org/wiki/CAcert.org ). This body issues free 
certificates automatically to websites on the basis that if someone can 
receive mail directed to postmaster at activix.org (for example), then they 
are the legitimate owner of that domain name (which is a fair 
assumption). Unfortunately, cacert is still not recognised as a 
certifying authority by many distributors of web browsers, so 
certificates issued by them don't check out in many browsers.

If this was putting you off subscribing, but you still want to subscribe 
to the evolving minds list, you have a few options:

- ignore the security warning temporarily so you can view the relevant 
page ( https://lists.aktivix.org/mailman/listinfo/evolvingminds ) and 
subscribe yourself.
- ask me to subscribe you by sending me an email.
- subscribe yourself by email - you can do this by sending mail to 
EvolvingMinds-request at lists.aktivix.org with the word 'help' in the 
subject, and waiting for the mail server to send you back instructions 
on how to subscribe.
- decide that you are personally willing to trust cacert.org to certify 
sites, and install their root certificate on your browser. This will 
prevent such warnings in the future from any site certified by them, 
which tend to be smaller sites that can't afford the fees charged by the 
commercial certificate authorities. You can do this by going to:
http://www.cacert.org/index.php?id=3 and clicking on the link which says 
'root certificate (PEM Format)'

I hope this explanation is reasonably intelligible and gives you some 
reassurance that there isn't a problem with the email list, or the 
server it is running on. For what it's worth, I know some of the people 
involved in aktivix.org, who are a loosely affiliated group of people 
who provide technical support to various (mainly environmental) campaign 
groups, and I think they are good people and am personally quite willing 
to trust the website and also take their advice on installing the 
cacert.org certificate.

Looking forward to seeing you on the list,

andy baxter.

More information about the AktiviX-discuss mailing list