About our Site Certificate

We thought we'd take a moment to explain why we use a site certificate from CAcert.org in the first place. Open Source is frequently a way of getting the same software functionality (usually better), and for free. As the Open Source option for site certificates, CAcert.org provides them at the perfect price: free.

What CAs Claim

The avowed purpose of a CA (Certificate Authority, an organization that signs certificates for websites and email encryption) is to verify that the applicant for the certificate really is who they claim to be, and really does control the site. To this end, website operators pay a fee, typically around $300/yr., to some outfit like VeriSign, Thawte, GeoTrust, etc. These companies want you, the web user, to believe that, in exchange for their fees, they have conducted some kind of thorough background check on the site and its operators.

The Harsh Reality

Nothing could be further from the truth. The truth is that the standards vary widely. In some cases a credit card payment and a phone call are the only requirements. Even demanding a certificate of incorporation proves very little, except that you had a few bucks to file one with the state. Worse, many internet hosting companies now bundle a certificate with their website hosting packages. Thus the CA really only knows about the hosting company, which buys a pile of certificates from them in its own name and then resells them to its web hosting customers. So what does the CA know, or verify, about the actual customer who is running the particular website? Frequently, the answer is nothing.

So why does this pointless system continue? Simple: because it's big bucks. The browser manufacturers maintain a list of CAs which they install with their browser. Scary warning language is emitted if a site's certificate is signed by a CA not on the browser's approved list. So how does a CA get put on that list? They pay a fee, from $50,000 to as much as $250,000, to go through the compliance procedures to get "certified" for inclusion by the browser manufacturers. Essentially, they cough up a bribe. This has nothing to do with technical competence; the certification procedure uses accounting standards, and anyone with the required money and a good lawyer can get certified.

The CA in turn makes back its club admission fee, and then some, by selling certificates to practically every company and individual that operates a website using https pages. There are many such CA companies; Firefox lists 60+ at present, though that does include a number of government-sponsored ones. But at $300 a crack times the number of SSL-enabled websites in the world, that's an amazingly large industry. It amounts to a "security tax" levied on every ecommerce transaction on the internet. (Whether Microsoft and other browser makers get "kickbacks" from CAs is a matter for speculation; it certainly wouldn't surprise us if they did.)

The Bottom Line

In short, it's all about extortion. It's about charging a fee for a quasi-license to do business via a website, ostensibly in the name of protecting the public, paid to somebody who serves neither the public nor the website operator but has merely paid a fee to buy their way into the protection racket. So, we won't buy a certificate. It's really not about the money; it's about principle. The question is: shall big-buck, unscrupulous corporate monopolies (Verisign$) be allowed to control and dominate the security of the internet? Or shall we embrace a viable and open alternative? We choose the alternative.

The Open Source Solution

The CA that we use, CAcert.org, does not charge a fee. However, they do require that you prove control of the site by responding to an email sent to an administrative address (such as 'webmaster') at the domain. Also, they do not issue "*.com" (wildcard) certificates. From the perspective of a site visitor, their certificates are at least as useful as a resold "official" certificate, because these policies help stop people from putting up "look-alike" sites used in phishing attacks. Despite this, to date CAcert has been unsuccessful in getting their root signing certificate installed by default in any major browser. (You can read more about their four-year quest to be included by the Mozilla Foundation here.) As you can imagine, without charging any fees, CAcert doesn't have the money to buy their way onto the approved list. However, their root cert does come standard with some flavors of Linux, such as Debian.

Yet the word is spreading. Free is a great price. Anyone can install a CA certificate into their browser at any time with a few clicks. Yes, our site certificate does garner us some questions sometimes. But we think it's important to take a stand against the web extortionists. It's our suspicion that the "trust service industry" has probably inflicted more additional costs on website operators and their customers over the years than have all the fraudulent websites and phishing expeditions from which they are supposedly protecting us. If enough people refuse to go along, the truth will percolate to the browsing public and the racket will eventually collapse. Much the same thing happened with domain registrations, as soon as the monopoly was broken up to allow a plethora of competing registrars. Today, registering domains is quite inexpensive (as it should be).
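To show concretely what "on the browser's approved list" and "install a CA certificate into your browser" mean, here is an added example that is not from this page, from Comoro, or from CAcert. It is a POSIX shell script driving the openssl command line: it creates a throwaway root CA (standing in for a root that no browser ships by default), issues a single-name site certificate from it, and then runs OpenSSL's verifier three times: with the root absent from the trust store (the case that produces the browser warning), with the root added to the trust store (the "few clicks" case), and with the root trusted but a different hostname (why single-name certificates, rather than wildcards, help against look-alike sites). The CA name "Example Free CA" and the hostnames under example.test are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original page: a throwaway root CA, a site
# certificate issued by it, and OpenSSL's verdict on that certificate with and
# without the root in the trust store. "Example Free CA" and the example.test
# hostnames are constructed names for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config: one CA profile and one end-entity (site) profile.
cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn

[ dn ]
CN = Example Free CA

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ site_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# 1. Self-signed root. Nothing about it is "official": it is a CA because its
#    own certificate says so and because root.key stays private.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -config "$WORK/demo.cnf" -extensions ca_ext \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

# 2. The site's key and certificate request. Only the one name the CA vouches
#    for (www.example.test) will appear in the certificate; no wildcard.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -config "$WORK/demo.cnf" -subj "/CN=www.example.test" \
  -keyout "$WORK/site.key" -out "$WORK/site.csr" >/dev/null 2>&1

# 3. The CA signs the request with its private key.
openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1 -sha256 \
  -extfile "$WORK/demo.cnf" -extensions site_ext \
  -out "$WORK/site.pem" >/dev/null 2>&1

# A verifier whose trust store does not contain root.pem, i.e. a browser that
# has never had this CA installed. Exit status 0 means "chain accepted".
verify_without_root() {
  openssl verify -no-CApath -no-CAfile "$WORK/site.pem" >/dev/null 2>&1
}

# Same certificate after the user has added root.pem to the trust store, with
# the hostname check a browser performs against the address bar.
verify_with_root() {
  openssl verify -no-CApath -CAfile "$WORK/root.pem" \
    -verify_hostname www.example.test "$WORK/site.pem" >/dev/null 2>&1
}

# Trusted root, but the name does not match: a look-alike host presenting this
# certificate is rejected even though its issuer is trusted.
verify_wrong_name() {
  openssl verify -no-CApath -CAfile "$WORK/root.pem" \
    -verify_hostname login.example.test "$WORK/site.pem" >/dev/null 2>&1
}

# Summarise the three outcomes on one line.
trust_report() {
  r1=reject; verify_without_root && r1=accept
  r2=reject; verify_with_root && r2=accept
  r3=reject; verify_wrong_name && r3=accept
  printf 'no-root:%s with-root:%s wrong-name:%s\n' "$r1" "$r2" "$r3"
}

trust_report   # prints: no-root:reject with-root:accept wrong-name:reject
```

Run it with sh; an exit status of 0 from openssl verify corresponds to a browser showing no warning. The only thing that changes between the first and second verdict is which root certificates the verifier holds, which is exactly the list the page describes; the third verdict shows that even a trusted issuer only vouches for the names written into the certificate.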

"‘Tis a consummation devoutly to be wished." --Shakespeare, Hamlet

(BTW, you too can get a free site certificate from CAcert.org if you ever need one!)

Created by: admin last modification: Saturday 26 of January, 2008 [01:18:01 UTC] by admin

