A recently launched anonymization service suffered a setback last week when Gandi.net, a France-based registrar that bills itself as a "no bullshit company," revoked its secure sockets layer certificate without warning. Last week's move against GoogleSharing caused its 30,000 users to instantly lose service, according to Moxie …
'Not even those that bill themselves as "no bullshit."'
Or those that "do no evil."
So much for their "ethical", then..
...all that progressive B.S. is just that: B.S. JUST DO YOUR JOB. What probably happened:
1) Google gives nasty phonecall
2) Overreaction due to threatened lawyerswoop
4) Egg on face
Gandi.net at least has correct SSL cert pricing.
The title is required, and must contain letters and/or digits.
As a client of gandi I'm thinking of moving away asap. I though something was fishy when they said 'no bullshit': as in "we really feel we need to tell you we are not bullshitting you. We feel very guilty about it..."
didn't know about this service
will give it a try and if it works without too much trouble promote it amongst friends.
and where is the evil google icon ?
Interested to know how you get on with it. Just installed it myself but keen to hear from more experienced users.
Ot does indeed work
It works very nicely indeed and has since it's first release (apart from this outage, of course) - I now view this as an essential addon for Firefox alongside ABP, NoScript and BetterPrivacy :-)
Not surprised to see another Reg article condemning good security practices
I applaud Gandi.net for doing its part to maintain security for all internet users.
It is bullshit that registrars don't verify WHOIS data. We'd all have less spam and less malware if registrars made half-an-effort to find out who they are dealing with.
I'm not surprised to see another Reg article condemning good security practices. It seems half the columnists are in favor of security, and the other half want to erode it.
Googlesharing seems like a reasonable idea, but they must ensure they keep their WHOIS info reasonably up to date.
As for their use of the Google name as part of their own name being protected by the "fair use" doctrine of copyright -- it won't be.
The fair use doctrine allows limited quotations without attribution or without permission.
It doesn't allow trademark infringement.
They should have checked with a lawyer before naming their product.
Standing up for ones rights
You are probably just one of the business people who do everything about "my right", "your duty".
I do agree with you, that googlesharing have not done everything 100% correctly, and that the name may be ill chosen. nevertheless, in the context of what they are doing, the fair use clause is permissible in various jurisdictions (which includes Germany, Austria, Italy).
Since it is unclear, it would have to be judged by a WTO committee.
The next issue is quite simply the fact, that there was no warning etc. it is good business practice, to communicate with the other party before taking any action. In not doing so, they have condemned themselves from "No bullshit" company to an obvious "busllshit" ISP.
If needed a certificate and had to worry, that it will be revoked without warning, because I made a mistake or an error in judgment, than it is clearly a company I do not want to be dealing with.
We are all human beings and all prone to making mistakes.
Paris, because she's also a wannabe perfect....
No bullshit? BULLSHIT!
For the record, my whois information is "real" on both of the domains I own, but lately I've found myself wishing it weren't. I can understand why a lot of folks falsify their whois info -- they do it in order to protect their privacy, to thwart stalkers and to keep from being spammed to death.
Your post sounds like a version of that tired-assed standard-issue bromide about how people with nothing to hide shouldn't be afraid of giving up their privacy.
Re: No bullshit? BULLSHIT!
Some TLDs (notably .eu, also .fr and .uk for individuals) do not make registrant details and contact information public on WHOIS. For the rest, many registrars (including the one at hand) offer the option of a so-called private registration, frequently free of charge.
Check with your registrar. You might be able to switch to "private" registration / change email published address. Better late than never.
Never heard of this
But I shall investigate it presently. I am also considering installing Tor or something to further protect myself. Only certain functions (e.g. back access) will be done outside the privacy network and probably from a virtual machine.
so Googleshare is a bit like
keep on using scroogle through their tawte certificate. If you need a free certificate try cacert.org though. :)
It's a web-of-trust sort of thing for ssl certs.
Free SSL cert
Or StartCom : http://cert.startcom.org/
Why it would take 4 days to get a new cert. (from someone else) I have no idea.
Read this as an annonimizing service run by Google.
and thought hahahahahahahahahaha.
But having read the article it sounds a whole lot more useful.
I guess he wanted what he thought was a half decent registrar. lesson learned.
Check out Scroogle
A few precisions -- Misleading article
This is a rather particularly ill-informed article. I have been a customer of Gandi for a number of years now and through my dealings with them I consider myself familiar enough with Gandi's ethos to know that this article totally misrepresents them. Hence I will make a few precisions.
It takes only one read at Gandi's relevant terms of service (http://en.gandi.net/contracts/en/ssl/pdf/) to see how this "service" was in direct violation of §3 (Your obligations), which leads summary, no-notice revocation of your certificate as per §9.3 (Revocation).
In addition to that, if he used Gandi's hosting services the company would have been compelled to act as not doing so would put them at risk of falling foul of French law 2004-575, and if this person was routing user connections through it, he would also have been in breach of law 78-17 (privacy laws, ironically).
That's for the facts, which Mr. Goodin has duly ignored in keeping with time-honoured journalistic tradition. What now follows are just some personal reflections on parts of the article:
In relation to the paragraph that reads, in part: "The episode demonstrates the hazards of relying on internet companies that enforce terms of service reserving the right to play judge, jury and executioner with their customers' websites[....]"
I wish to mention a couple of points:
a) exactly how else companies that "enforce terms of service" (as opposed to what? bulletproof hosting?) are supposed to act, other than following those terms which have been mutually agreed? The fact that "Gandi.net [sic] took the action with no warning" is precisely because that's what section 9.3 of their terms of service says they will do.
b) According to this very article, the issue is revocation of an SSL certificate, not pulling down a website, so what do "their customers' websites" have to do with this? Not that in this case there would have been any difference since Gandi's hosting terms of service carry very similar clauses to those discussed above.
Another passage reads: "Already, eBay-owned PayPal has retaliated against the independent researcher for showing how the criminals could impersonate the online payments processor. Now, Gandi.net has followed a similar course."
Elsewhere in the article, we learn that apparently "Marlinspike has regularly been a thorn in the side of companies who make big bucks issuing the certificates" (has he, or he just claims he has?) and that "his research calls into question the effectiveness of SSL certificates and the companies that issue and use them." So in light of his own research, what exactly was he using an SSL certificate for, then? Can you then really fault companies for selling a product that even a highly informed customer is willing to buy? Can you do so even when dealing with a company that gives you plenty of information on how the product they are selling you is dealt with (http://www.gandi.net/static/docs/en/gandi-certification-practice-statement.pdf), and particularly if they are known to act responsibly by actively enforcing their terms of service (http://www.theregister.co.uk/2010/04/05/googlesharing_cert_revoked/)?
As regards this person's claim that his "service doesn't engage in fraud", well... how is that reconciled with his providing it under a false identity (not even anonymously!), and just how accountable is he to both his customers (and providers) for that claim to have any credibility? His subsequent comment about "fair use" makes me think that he is not exactly aware of where he stands in legal terms, let alone where he stands in legal terms as regards French law.
On a marginal note, it would also be interesting to know why he chose to use Gandi's services in the first place? I don't suppose that their low-cost SSL offers (free for the first year) would have had anything to do with his decision?
And lastly, it is understandable that he might have wished to protect his privacy from the internet at large, something which he could have done by either using a TLD which has such stipulations, such as .eu or .fr, or ironically, taking advantage of Gandi's own offer, default for individuals, not to publish your contact data on WHOIS (http://www.gandi.net/domain/whois). But obviously, as party to a contract, the other party has a right (and in this particular instance, the obligation) to know who they're dealing with.
As I have said above, I'm a happy customer who takes pride in doing business with companies with strong ethics so it's a bit sad that when you do take notice of one of those, it's all about some kid throwing his toys out of the pram.
In come the lawyers!
"Gandi.net took the action with no warning and didn't provide an explanation for more than a day. And even then, it failed to say exactly what "fraudulent activities" GoogleSharing had carried out."
Expect them to be sued for alleging that someone was doing something fradulent. Will they have evidence to back it up?
A few comments on GoogleSharing
[ Just for clarification, I am the same AC who posted @ 17:38 GMT ]
I have looked at this "GoogleSharing" plugin just to see what the noise was all about. These are some random observations:
* This is an amateur-ish piece of code which can be knocked up in just a few hours work.
* It does not significantly enhance your online privacy. It is in fact detrimental to it by adding yet another middleman. It also has bugs which can leave you wide exposed in a more immediate environment, such as your own company or ISP (https://addons.mozilla.org/en-US/firefox/reviews/display/60333#review-203096)
* This is the work of a single person who, while he might have managed to make it to the pages of ElReg with a couple of SSL attacks as an "independent researcher" (is that an euphemism for "enthusiast"? not that there's anything wrong with that), he does not appear to have a particularly good grasp of the issues surrounding online privacy, or indeed privacy at large. In other words, he is not an expert (nor event competent) in the subject area.
* His proposition can be summed up as "trust me, because I'm asking you to". That does not exactly fill me with confidence.
* His "service"'s infrastructure shows that this is way beyond his level of competence, as already mentioned. For example, he claims not to log any user information (http://www.googlesharing.net/faq.html)--well, he's either lying or very likely in breach of the law (at least he was while he was running his proxy on French servers). While I'm not passing judgement on the merit of those laws or lack thereof, they do exist so if you're going to wilfully break them, you need to have a plan of action in case of any contingencies which are likely to arise. By the looks of it he did not even read his own SSL provider's terms of service. Is that the kind of service you would be willing to use?
* Apart from the implementation issues highlighted above, I believe the concept itself is flawed. For the average user, it would be safer to just use Google as normal, some of the reasons being: a) one is part of a much bigger herd by orders of magnitude, thus reducing an individual's chances of being specifically targeted; b) if Google itself or entities within, decided to play rogue (as is sometimes alleged to happen) there are many more eyeballs watching their every movement, so they are more likely to be discovered; c) Google is at the end of the day an accountable entity which does stand to lose by breaching privacy in ways which are not legal or socially acceptable (e.g., grabbing your credit card data). Of course, Google's approach to privacy is often questionable and constantly debated, but if the alternative is to just give access to my data to some self-styled "anarchist" schmock... d) this guy's proposal suffers from the same basic weaknesses as Tor, in particular the eavesdropping problem. By hacking into his proxy (which on a marginal note, as an individual he simply would not have the resources to secure properly) I all of a sudden have access to a significant part of the internet activities of, by his own claim, 30000 users. Not to mention the ability to manipulate those users' search results, perhaps sprinkling a few trojans here and there...
So there you go. If you still feel you need to deny Google knowledge of your IP address and can't do that via one of the many existing alternatives, you could always try www.scroogle.com (as many have pointed out). Although Scroogle in itself is not much better, at least it does not require a browser plug-in, plus we can put a real name with some real privacy debate credentials behind it.
I am not addressing the case where for whatever reason one becomes "interesting" to Google, some or other jurisdiction's authorities, or anyone with significant resources, as the guy behind this so-called service is not, to my knowledge, claiming to focus on or provide a solution that would help in that case.
For the record, I don't think this guy has the intention to act maliciously towards its users, although I do consider some of his acts irresponsible and I get the impression that he does things more out of a desire to boost his internet persona than out of genuine concern for the public's privacy.
In any event, a privacy service this isn't. Given the implications, he needs to be a lot more professional if he really intends to benefit anyone.
So Gandi takes the money first, and THEN checks?
If the whois data was a problem, the certificate shouldn't have been issued. You can't revoke a certificate that ou won't issue in the first place.
If Gandi.net doesn't do it's due-diligence BEFORE it issues an SSL cert, then it has no business issuing SSL certs and revoking them after the fact.
Sometimes I wonder
Just how many of the readers here are *actually* involved in IT..? Note: attempting to fix your mom's PC does not make you an IT professional.
Let's go over the post above very briefly:
"So Gandi takes the money first"
The first year of a "Gandi Standard SSL" is free of charge, so no, they didn't actually take any money.
"If the whois data was a problem"
The WHOIS data *was not* a problem: it might have *had* a problem though, but that wasn't *the* problem. The problem was that this kid who's asking you to trust him with your privacy did not give truthful identifying information to the party he was entering a contract with, as he is required both by agreement and by law. Just what he was trying to achieve by doing that I really don't know. Capisce the difference between posting bogus data on WHOIS and signing a contract under a false identity?
It's not Gandi.net, it's Gandi (or Gandi SAS if you prefer).
"doesn't do it's"
You mean "its".
Lose the dash: "due diligence".
In the case at hand, it presumably means following the stipulations in 2000/31/EC (as transposed in national law), which is what has happened.
"BEFORE it issues an SSL cert, then it has no business issuing SSL certs"
Yes it does, insofar as the issued certificate only provides assurance that you are connecting to the domain name(s) it validates. The vast majority of PKI certificates on the web do not identify the legal entity that controls a domain, unless it's an EV certificate. In fact, under European law there are even provisions for the use of pseudonyms in digital certificates (1999/93/EC refers).
I hope the above makes somewhat clearer to the enthusiasts out there what a digital certificate does or does not represent in this context. In any event, some people should concern themselves with bringing their literacy skills to an acceptable level before trying to play IT or inflicting their uninformed opinions on the rest of us.
- Tricked by satire? Get all your news from Facebook? You're in luck, dummy
- Feature TV transport tech, part 1: From server to sofa at the touch of a button
- Google straps on Jetpac: An app to find hipsters, women in foreign cities
- Updated Microsoft Azure goes TITSUP (Total Inability To Support Usual Performance)
- The Return of BSOD: Does ANYONE trust Microsoft patches?