Aussie hackers set security free

Non-profit CA to challenge big guns

A group of Sydney-based hackers are poised to revolutionize global information security with CAcert, a non-profit, community project which provides free certificate authority (CA) services used for authentication and encryption.

Certificates are typically associated with 'trusted' companies that specialize in security technology, but CAcert's philosophy is to provide everyone with the right to security and privacy, not just people running e-commerce Web sites.

The project's founder and president Duane Groth told Computerworld determining the level of 'trust' in a CA is a "very tricky thing".

"In fact in years gone by Verisign has removed the word trust from its motto, Web site and marketing materials," Groth said, adding CAs don't provide trust, they provide identity checks.

"The reason they don't provide 'trust' checks is because that would require knowing a person's motives, which can only be realized fully over time."

Groth said most CAs only require faxed in or "Dun and Bradstreet" information, which can be easily faked in "any number of ways", so for the most part CAcert requires face-to-face meetings.

Groth sees CAcert's role as a provider of educational material and an identification system that isn't directly apart of any technology.

Since its inception three years ago, CAcert has been "much more successful than I would have ever imagined", according to Groth, and is used for securing Web sites, and e-mail connections, and does not limit the strength of the certificates.

What began as a side project to authenticate to the wireless community portal, CAcert now has over 70,000 verified users, is securing over 92,000 e-mails, and has issued over 160,000 certificates.

The system is based on OpenSSL, PHP, C, and MySQL, and claims to go further than what is used by some commercial CAs to prove a person's identity.

CAcert's next big hurdle is gaining inclusion into mainstream Web browsers. Three years ago it was announced CAcert would be included in Mozilla (originator of Firefox) and the team thought it had made it, only to have things dashed less then a week later because Mozilla developers felt their existing inclusion policy "wasn't good enough".

After about one to two years the Mozilla project released a new policy, but Groth is hesitant commenting about Mozilla and Firefox.

"As for Microsoft there are a number of formal ways to gain inclusion [into IE] and we are exploring different avenues at this point in time, although people with experience on this are more than welcome to join our policy discussion mailing list to help out and learn more," he said.

Even with the wide-scale adoption of free certificates, Groth believes the Internet is unlikely to become an inherently more secure place.

"Some trojans have shown in the past often technology isn't always the weakest link [so] education has a big part in helping the Internet become a much better place, but this is a very long and very tough task," he said.

"More widespread use of encryption is essential, however, with governments and businesses increasingly monitoring all forms of communications, and we all would be outraged if they did the same thing to letters and packages sent via Australia Post."

Groth said because people can't see how e-mail is tampered with people assume it is secure, but it's no different from sending business correspondence, or "love letters on the back of postcards".

For more information about CAcert, visit the Web site at

Show Comments