What the Heartbleed bug revealed to me

Today, I had a really negative experience with the StartSSL certificate authority. This is the first time that this has happened to me. The problem is that it affects StartSSL’s reputation because it reveals that they value money much more highly than security. Security, however, should be a CA’s primary concern. So, what happened?

It all started when I checked which of the certificates that were issued to me by StartSSL were potentially compromised by the OpenSSL Heartbleed bug. Fortunately, there were only a few of them, and those that were possibly affected were all private ones (i.e. no FSFE certificates were affected). Since Hanno Böck stated in an article [1] that he was able to revoke a StartSSL Class 2 certificate for free and a friend of mine confirmed this [2], I immediately went ahead and sent revocation requests for the affected certificates. The first thing I realised was that the StartSSL website was under heavy load, which was not surprising given the severity of the Heartbleed bug and the number of certificates that StartSSL has probably issued. Nonetheless, I managed to send the revocation requests and received confirmation e-mails about them. Of course I stated the CVE number of the Heartbleed bug as the reason for the revocation. Not much later, I was informed that one of the revocation requests had succeeded and I was able to create a new certificate. So far, so good. The trouble started when I – after not having heard back from StartSSL about the other revocation requests for more than a day – contacted StartSSL to ask why those requests had not succeeded. I was advised to check the e-mail address behind the account I had formerly used for paying my fees to StartSSL. I followed the advice, and there they were: three requests for USD 24.90 each with the note “revocation fee”. Quite a surprise for me after what I had read and heard. So I asked why I had to pay and others didn’t. Eddy Nigg’s answer came promptly:

First revocation is not charged in the Class 2 level – successive
revocations carry the fee as usual.

It’s obviously an unfortunate situation, but the revocation fee is
clearly part of the business model otherwise we couldn’t provide the
certificates as freely as we did and would have to charge for every
certificate a fee as all other issuers do.

This was rather shocking for me. This statement clearly reveals that StartSSL only cares about money, not security. A responsible CA would try to revoke as many compromised certificates as possible. It definitely doesn’t help a CA’s reputation if they do not support their customers in a situation where the customer did not make a mistake and was affected by something I’d call “higher power”. The problem I see is the following: there are most probably many people like me who also care about security in their private life, but also want everything to be convenient. Unfortunately, CAcert has not managed to become part of the major browsers so far [3], and thus StartSSL is pretty much the only way to get cheap certificates for things like a private blog if you are not particularly rich – which is true both for me and for FSFE, for whose certificates I am responsible too. So my gut feeling is that many people who also saw StartSSL as their logical choice will think like me and rather not pay an amount of money that is higher than the fee you have to pay to become Class 2 validated just to revoke a certificate. They will rather stop using the compromised certificate and simply create a new one with a different CN field (which doesn’t cost them extra). The logical result is that there will be loads of possibly compromised certificates out there that are not on StartSSL’s certificate revocation list. Would *you* trust a CA that doesn’t care about such an issue? Well, I don’t.

So what should I make of all this? First of all, it seems that all the people who distrust commercial CAs have a good point. Second, CAcert becomes more important than ever. I have been a CAcert assurer for years, but made the mistake of going the convenient way for my private blog and such. Knowing quite a few things about CAcert, I can assure you that they *do* care about security. They care for it quite a bit. I will definitely have to increase my participation in this organisation – the problem is that my involvement in FSFE, my job and my family do not leave me with a particularly large amount of spare time. Maybe those of you who read this will also jump on the train for a Free (as in Freedom and free beer) and secure CA. But even with CAcert in the major browsers, the whole CA system should actually be questioned. For the whole certificate chain, CAs will always be a single point of failure, no matter whether they are called CAcert, StartSSL, VeriSign or you name it. Maybe it’s time for something new to replace or complement what we have now. For example, I have been pointed to TACK [4] by Hanno, which really sounds interesting.

Ah, and of course the rumors that StartSSL is part of Mozilla’s products solely because they paid for it sound much more reasonable to me than a week ago.

For now, I will stop using StartSSL certificates and will recommend the same to FSFE. I will also remove StartSSL from the trust store in my browser. It seems that others agree with me [5-6]. And of course, I will stop recommending StartSSL immediately.

[1] http://www.golem.de/news/openssl-wichtige-fragen-und-antworten-zu-heartbleed-1404-105740.html
[2] StartSSL usually charges USD 24.90 for certificate revocations, which is understandable because it normally only becomes necessary when the certificate owner makes a mistake and StartSSL certificates are really cheap.
[3] Even the opposite: Debian dropped them from their ca-certificates package, a choice which I am still not sure what to think about.
[4] http://tack.io/
[5] https://www.mirbsd.org/permalinks/wlog-10_e20140409-tg.htm#e20140409-tg_wlog-10
[6] https://bugzilla.mozilla.org/show_bug.cgi?id=994033

“Tracking for Freedom”: Longest trip so far

Today, I went for my longest trip so far this season, which was about 75 km. Once more, I was with a group of people from TriTeam Chaos. The track itself was already well-known to me, so there’s nothing interesting to report, except maybe for the fact that my bike computer is now working again and it even shows my cadence.
Once more, I’m asking you to think about supporting my little fundraising project. I’d also be very happy if you asked anybody you know who might support this. Some companies also have so-called matching gifts programs which double the employees’ donations to charities :-)

The usual numbers:

Total distance 75.2 km
Average speed 26.0 km/h
Maximum speed 51.8 km/h
Total climb 307 m
Average heart rate 152 bpm
Maximum heart rate 202 bpm
Average cadence 61 rpm
Time active 02:53:19
Time resting 00:16:57
Energy consumed 1604 kcal

Note: The climb was measured using a non-calibrated barometric altimeter; the amount of energy consumed was calculated from the measured heart rate and physiological parameters.

The GPX file recorded during this trip can be found here.

Read more about the “Tracking for Freedom” project here. All blog posts about the project are tagged Tracking for Freedom.

FOSDEM 2010

It’s been a week now since I took my plane from Brussels back to Austria, but since I’ve been on holiday for the rest of last week, my short report on FOSDEM 2010 comes later than it should.
It was my first time at Europe’s biggest Free Software event and I really enjoyed it. Not being a developer myself, I spent most of my FOSDEM time at the FSFE booth. We sold lots of T-Shirts (I also bought some of the new ones myself) and other stuff. We also had a great new tool: an analogue printer (i.e. a ball pen). We actually had two versions, which are not yet available from FSFE’s online shop, but should be in the not too distant future. Although I didn’t listen to any talks, I learned a lot: I have for example never seen such a professional booth or met so many interesting people in one place. We had interesting discussions on various topics and I also received feedback on different matters, for example regarding the Fellowship.
Of course, I also did a little bit of sightseeing in Brussels. I think it’s an interesting city, although at the moment there are quite a few building sites which confused my GPS navigation a bit :-)
I will definitely come back to Brussels for FOSDEM next year, not only because it’s a great event, but even more because I can again stay with my relatives, who I consider some of the greatest people in the world. Maybe my stay will even be longer and include a trip to Paris, as train connections seem to be fast and not too expensive if booked some time in advance.

FSCONS 2009

I know I’m really late with my blog this time, but I finally managed to write about this year’s Free Society Conference and Nordic Summit. I went to Göteborg (I needed some training to pronounce it as the locals do) together with my girlfriend to attend the conference and to do some sight-seeing, both of which I enjoyed very much. We arrived on Friday and immediately started to visit some really interesting places, like the Natural History Museum and the Christmas market at the Liseberg amusement park. In the evening we went to the IT university, where the conference took place.
I immediately felt comfortable there, because everyone there seemed to be very pleased to meet us (and everybody else who arrived). It was really nice to finally meet at least some of the people whom I’ve been working with for quite some time now. As there have already been some reports on FSFE’s activities at FSCONS and how many interesting discussions we had there, I will keep this short. I think this conference was the best-organised conference I have attended so far and everyone was really trying their best to make it a perfect event – and in my humble opinion the FSCONS organizers and volunteers succeeded in their efforts. FSFE was presented really well and we got a lot of (positive as well as negative) feedback on different topics (like the Fellowship and others), which I think is very important so we can improve our work and continue to spread the word about Free Software and all the other things we are working on.
My main reason to attend the conference was of course my OpenPGP card workshop, which I plan to hold again in the future. I think it was well visited (I never expected to have ten visitors or even more at 0900 in the morning) and I had some interesting conversations about the workshop and GnuPG and data security in general after it. Of course we also did some key signing there to strengthen the web of trust. Another noteworthy thing is that Adriaan started a very promising artistic career at FSCONS that will hopefully lead to recognition of FSFE and its employees outside of the Free Software world (although in the very first piece of art, Adriaan missed out one person ;-).
All in all I really enjoyed my time in Göteborg and will definitely attend FSCONS again if money and time allow it.

Software Freedom Party in Vienna

I know I’m a bit late, but I still want to tell you about the Software Freedom party the Vienna Fellowship group organised for this year’s SFD. Although there weren’t too many visitors, the free (as in freedom) popcorn recipe turned out to be a real highlight. The recipe and a few pictures from the Metalab, where the party took place, can be found on the SFD wiki page.

Survived! (and enjoyed it)

I know I’m a bit late, since Matthias already wrote about our successful, adventurous weekend, but still I want to tell you all how much I enjoyed our time together in Vienna. After I almost arrived late at Vienna International Airport’s arrivals hall (which was because I was told there were 78 free lots on my floor in the car park, although there were none), everything else (except for the weather on Saturday) went very well.
The meeting of the Vienna Fellowship group was well-attended, although in summer we usually have fewer participants. I’m quite sure that this was solely because of Matthias’ good Karma. After some hours of interesting discussions, we had a late-night dinner (which we have at almost all Vienna Fellowship meetings) and left the Metalab some time after midnight.
Nevertheless, we got up rather early on Saturday to discuss our plans and ideas about the Fellowship and then start our mental preparations for the Temple of Schnitzel. Below you can find a picture of what we found there.
The few heroes who had survived Schnitzelwirt then did some sight-seeing in Vienna and bought some traditional Viennese items to pay compensation to Matthias’ “better half”. We also visited Vienna’s most popular Würstelstand and in the evening went to a very nice Karaoke bar. Despite the fact that Peter’s girlfriend Jenny had an indisputable home field advantage there, almost all of us showed more or less singing talent (and the skill to make fun of ourselves).
Sunday then was our relaxation day and Matthias left for Berlin again, where I hope to visit him in the near future.

A Schnitzel named Jack

Oh happy day!

Today is a really great day for me, because not only am I running 64-bit GNU/Linux on my Notebook, which I last had back in 2006 (on one of the first AMD 64 X2 processors), but I was also accepted as a member of the European core team of FSFE.
When Matthias asked me if I wanted to be his deputy, I was really happy about the confidence he put in me. When today he told me that all team comments on his proposal had been positive, it made me even happier. So from now on, I can call myself Deputy Fellowship Coordinator of FSFE.
This means that I will support Matthias in his activities and I hope that together we will make the Fellowship even better than it already is. We have great ideas for the future and I think that our work will help increase the popularity of this great programme. I’m really thankful for the support the Fellows are giving FSFE and I know we are on the right way to more freedom.
Matthias and I will meet on the next meeting of the Vienna Fellowship Group on July 17 (@metalab), where we will discuss our ideas and plans.

My 64 bit notebook "wingback"