A group of Sydney-based hackers may revolutionize global information security with CAcert, a nonprofit community project that provides free certificate authority (CA) services used for authentication and encryption.

Certificates are typically associated with "trusted" companies that specialize in security technology, but CAcert’s philosophy is to provide everyone with the right to security and privacy, not just people running e-commerce websites.

The project’s founder and president, Duane Groth, said determining the level of trust in a CA is a "very tricky thing."

"In fact, in years gone by, Verisign has removed the word trust from its motto, website and marketing materials," Groth said, adding CAs don’t provide trust—they provide identity checks.

"The reason they don’t provide ‘trust’ checks is because that would require knowing a person’s motives, which can only be realized fully over time."

Groth said most CAs require only faxed-in or "Dun and Bradstreet" information, which can be easily faked in "any number of ways," so for the most part, CAcert requires face-to-face meetings.

Groth sees CAcert’s role as a provider of educational material and an identification system that isn’t directly a part of any technology.

Since its inception three years ago, CAcert has been "much more successful than I would have ever imagined," according to Groth, and is used for securing websites and e-mail connections, and does not limit the strength of the certificates.

CAcert began as a side project to authenticate to the NodeDB.com wireless community portal; it now has more than 70,000 verified users, is securing more than 92,000 e-mails and has issued more than 160,000 certificates.

The system is based on OpenSSL, PHP, C and MySQL, and claims to go further than what is used by some commercial CAs to prove a person’s identity.

CAcert’s next big hurdle is gaining inclusion into mainstream Web browsers. Three years ago it was announced CAcert would be included in Mozilla (originator of Firefox) and the team thought it had made it, only to have things dashed less than a week later because Mozilla developers felt their existing inclusion policy "wasn’t good enough."

After about one to two years, the Mozilla project released a new policy, but Groth is hesitant to comment on Mozilla and Firefox.

"As for Microsoft, there are a number of formal ways to gain inclusion [into IE] and we are exploring different avenues at this point in time, although people with experience on this are more than welcome to join our policy discussion mailing list to help out and learn more," he said.

Even with the wide-scale adoption of free certificates, Groth believes the Internet is unlikely to become an inherently more secure place.

"Some trojans have shown in the past [that] often technology isn’t always the weakest link, [so] education has a big part in helping the Internet become a much better place, but this is a very long and very tough task," he said.

"More widespread use of encryption is essential, however, with governments and businesses increasingly monitoring all forms of communications, and we all would be outraged if they did the same thing to letters and packages sent via Australia Post."

Groth said because people can’t see how e-mail is tampered with, people assume it is secure, but it’s no different from sending business correspondence, or "love letters on the back of postcards."

For more information about CAcert, visit www.cacert.org.

By Rodney Gedda, Computerworld Australia