by Dave Gradijan

Australian Hackers Set Security Free

Oct 20, 2006

A group of Sydney-based hackers may revolutionize global information security with CAcert, a nonprofit community project that provides free certificate authority (CA) services used for authentication and encryption.

Certificates are typically associated with “trusted” companies that specialize in security technology, but CAcert’s philosophy is to provide everyone with the right to security and privacy, not just people running e-commerce websites.

The project’s founder and president, Duane Groth, said determining the level of trust in a CA is a “very tricky thing.”

“In fact, in years gone by, Verisign has removed the word trust from its motto, website and marketing materials,” Groth said, adding CAs don’t provide trust—they provide identity checks.

“The reason they don’t provide ‘trust’ checks is because that would require knowing a person’s motives, which can only be realized fully over time.”

Groth said most CAs require only faxed-in or “Dun and Bradstreet” information, which can be easily faked in “any number of ways,” so for the most part, CAcert requires face-to-face meetings.

Groth sees CAcert’s role as a provider of educational material and an identification system that isn’t directly a part of any technology.

Since its inception three years ago, CAcert has been “much more successful than I would have ever imagined,” according to Groth, and is used for securing websites and e-mail connections, and does not limit the strength of the certificates.

What began as a side project for authenticating users to a wireless community portal has grown considerably: CAcert now has more than 70,000 verified users, is securing more than 92,000 e-mails and has issued more than 160,000 certificates.

The system is based on OpenSSL, PHP, C and MySQL, and claims to go further than what is used by some commercial CAs to prove a person’s identity.

CAcert’s next big hurdle is gaining inclusion in mainstream Web browsers. Three years ago it was announced that CAcert would be included in Mozilla (originator of Firefox), and the team thought it had made it, only to have its hopes dashed less than a week later because Mozilla developers felt their existing inclusion policy “wasn’t good enough.”

After about one to two years, the Mozilla project released a new inclusion policy, but Groth is hesitant to comment on Mozilla and Firefox.

“As for Microsoft, there are a number of formal ways to gain inclusion [into IE] and we are exploring different avenues at this point in time, although people with experience on this are more than welcome to join our policy discussion mailing list to help out and learn more,” he said.

Even with the wide-scale adoption of free certificates, Groth believes the Internet is unlikely to become an inherently more secure place.

“Some trojans have shown in the past [that] often technology isn’t always the weakest link, [so] education has a big part in helping the Internet become a much better place, but this is a very long and very tough task,” he said.

“More widespread use of encryption is essential, however, with governments and businesses increasingly monitoring all forms of communications, and we all would be outraged if they did the same thing to letters and packages sent via Australia Post.”

Groth said because people can’t see how e-mail is tampered with, people assume it is secure, but it’s no different from sending business correspondence, or “love letters on the back of postcards.”

For more information about CAcert, visit

By Rodney Gedda, Computerworld Australia
