[AktiviX-discuss] Why is the security certificate bad?
andy baxter
andy at earthsong.free-online.co.uk
Mon Dec 3 05:49:05 UTC 2007
I have sent the following explanation to the people I was inviting to
join the list. If you get the time, could you check it through and let
me know whether it looks like reasonable advice (I am not 100% sure
about some of the details, like the kind of attacks that certificates
are meant to prevent.)
thanks,
andy.
------------------- forwarded message ---------------------
I'm just sending this because I've had an email from someone saying they
had a problem subscribing to the list. The problem is that when you
access the website you subscribe through, the browser warns you that the
site's security certificate doesn't check out.
I have now been in touch with the people who run the mail server and
website we are using, and the explanation for this is that they can't
afford to buy a certificate from one of the commercial certifying
authorities, who charge over £100/year for their certificates. These
bodies give out certificates which are meant to securely identify the
site you are looking at as the one it says that it is. This is meant, as
I understand it, to protect you against someone who has hijacked part of
the connection between you and the website concerned. This is an
unlikely form of attack, as to spoof a site in this way you would need
to have control over some part of the internet's infrastructure, such as
the ISP - most website spoofs work by subtly altering the website's name
- e.g. barc1ays.co.uk instead of barclays.co.uk (spot the difference).
It's also worth pointing out that it's perfectly possible for a 'bad'
site which distributes malware for example to have a 'good' certificate -
the certificate only guarantees that the website you are viewing is the
one it says it is, not whether the content is safe. However, it is
technically possible to fake a site in this way, and certificates give
some degree of protection against this.
Instead of paying for a certificate from one of the large commercial
bodies who normally provide them, aktivix.org, who are providing the
email list, have opted for one from a new, currently relatively small,
certifying authority called cacert.org (see www.cacert.org, and
http://en.wikipedia.org/wiki/CAcert.org ). This body issues free
certificates automatically to websites on the basis that if someone can
receive mail directed to postmaster at aktivix.org (for example), then they
are the legitimate owner of that domain name (which is a fair
assumption). Unfortunately, cacert is still not recognised as a
certifying authority by many distributors of web browsers, so
certificates issued by them don't check out in many browsers.
If this was putting you off subscribing, but you still want to subscribe
to the evolving minds list, you have a few options:
- ignore the security warning temporarily so you can view the relevant
page ( https://lists.aktivix.org/mailman/listinfo/evolvingminds ) and
subscribe yourself.
- ask me to subscribe you by sending me an email.
- subscribe yourself by email - you can do this by sending mail to
EvolvingMinds-request at lists.aktivix.org with the word 'help' in the
subject, and waiting for the mail server to send you back instructions
on how to subscribe.
- decide that you are personally willing to trust cacert.org to certify
sites, and install their root certificate on your browser. This will
prevent such warnings in the future from any site certified by them,
which tend to be smaller sites that can't afford the fees charged by the
commercial certificate authorities. You can do this by going to:
http://www.cacert.org/index.php?id=3 and clicking on the link which says
'root certificate (PEM Format)'.
I hope this explanation is reasonably intelligible and gives you some
reassurance that there isn't a problem with the email list, or the
server it is running on. For what it's worth, I know some of the people
involved in aktivix.org, who are a loosely affiliated group of people
who provide technical support to various (mainly environmental) campaign
groups, and I think they are good people and am personally quite willing
to trust the website and also take their advice on installing the
cacert.org certificate.
Looking forward to seeing you on the list,
andy baxter.
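The point about the root certificate, shown in working code. This is an added example and not part of andy's message or anything from aktivix.org or cacert.org: it builds a constructed root CA (standing in for cacert.org) and a site certificate issued by it for the made-up name lists.example.org, then verifies that site certificate the way a browser does, once with an empty trust store (the warning) and once with the root installed (no warning). All names and the 24-hour validity are assumptions; only the Go standard library is used (Go 1.18 or later for the generic helper).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert signs tmpl with parentKey; with parent == nil the certificate is self-signed (a root CA).
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildChain: a constructed root CA (standing in for cacert.org) and the site certificate it issued for the hypothetical name lists.example.org.
func BuildChain() (root, site *x509.Certificate) {
	now, day := time.Now(), 24*time.Hour
	root, rootKey := makeCert(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(day), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	site, _ = makeCert(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"lists.example.org"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(day), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, root, rootKey)
	return root, site
}

// Verify mimics the browser check: chain site up to a root in the trust store and confirm it was issued for host. A nil error means no warning.
func Verify(site *x509.Certificate, host string, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool() // an empty pool trusts nothing; a nil Roots would silently fall back to the system store
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := site.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err
}
```

Verify(site, "lists.example.org") fails with "certificate signed by unknown authority", which is the warning the message describes; Verify(site, "lists.example.org", root) returns nil, which is what installing the root certificate buys you. A mismatched hostname still fails even with the root installed, which is the sense in which the certificate only vouches for the name it was issued for.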