About.me : how far we’ve come

about.me offers everyone a Web2.0 home page.  Besides an interesting trend in narcissism, two things strike me:

  1. Is this the ultimate page for the stalker? (or identity thief)  If  ‘yes’, then you presumably find value in the security through obscurity of having a selection of un-linked social networks.  That, in itself is an interesting discussion to have.
  2. The page links to many  leading content providers, without the need to give to about.me a single password (at last!).  Of course, the click-through for each of the sites entails giving permission to about.me to do almost anything with your account … but at least you can review and revoke that later (oauth is bullet-proof, right?! 🙂 ) .  Many of them, in turn, are happy to use Google or Facebook as authenticators (I noticed today that you can make a whole Yahoo! account just from a Google cross-authentication). It would be interesting to map what depends on what, these days.

All in all, this seems like progress of some sort.  It’s all starting to work, isn’t it?

Is about.me a good source of authoritative information about the named individual?  Hmm. I’m not sure about that: but if  ‘identity’ means anything at all, surely it means something about your ongoing and persistent relationships and interactions.

RSA gets a Chief Security Officer

Just an interesting snippet from The Register (emphasis mine):

RSA has appointed its first chief security officer, three months after a data theft on its network contributed to the hack of the world’s biggest defense contractor, and possibly other important customers.


I’ve been telling people for ages that having a CISO is normal good practice these days.  Evidently nobody told the security industry.

Andrew can’t encrypt, either

A seminal paper once explained why Johnny can’t encrypt.  I thought I could, but the combined forces of mail clients and certification authorities seem to be working together to confound me.

Although PGP is the grand-daddy of email security, its core security model – of a web-of-trust, each user authenticating their friends’ public keys – was problematic at least from a scalability perspective.  I had a PGP key, once, a long time ago, but barely used it – and barely had anyone to talk to.  S/MIME offered a more corporate-feeling alternative: an email signing and encryption scheme built into most mail clients and based around X.509 certificates backed by major vendors.

S/MIME was something I could use.  I used to have a Thawte ‘Freemail’ certificate: these were issued for free, on the strength of being able to receive email at a specified address. If you wanted your ‘real name’ in the certificate, Thawte had its own ‘web of trust’ through which your identity could be verified.  This kind-of worked, and I used the certificates with Thunderbird quite happily.  I found that quite a number of people were sending me signed emails, and Thunderbird was able to verify the signatures; and from time to time I even found a correspondent who wanted to exchange encrypted messages.  All of my outgoing mail was signed, for a year or two.

Well, almost all of my outgoing mail was signed.  Occasionally I would use a client – such as Gmail – which didn’t facilitate that.  In that time, not one email recipient complained of receiving an unsigned email: if signatures were the norm, you’d have thought that someone would have spotted the anomaly and questioned whether the message truly came from me.

But that arrangement came to an end: Thawte stopped issuing Freemail certificates; and Thunderbird 3.0 was so difficult to use that I abandoned it in favour of the mail client everyone loves (?): Outlook.  The Outlook handling of certificates is a little obscure, but in Office 2007, it was quite functional.  When I upgraded to Office 2010, not only did I start receiving increasingly cryptic error messages, several recipients told me that my signed messages appeared blank to them.

So I stopped signing.  I retained the certificate (and corresponding keys) I had, lest anyone send me an encrypted message.  This, they continue to do occasionally, but now I get further cryptic error messages and no sign of a decrypted email.

Where do the certificates come from?  Well, Comodo continue to offer a free email client certificate.  I have one, so I must have managed to persuade their software to issue one, once upon a time.  But today I am totally failing to manage that: the certificate is issued, but I get a browser error when I try to download and install it.  This is before I attempt the awkward feat of trying to transfer it from browser to mail client (if that step is still needed).  Even trying to retrieve an old certificate runs me up against requests for long-forgotten passwords.

This is a long tale of woe, and I have omitted many of the gory details.  The upshot is that I, who understand the workings of email really quite well, and the principles of cryptography and X.509 certificates, and the broad design of my web browser and email client in this area, am neither able to sign nor encrypt (nor decrypt) email today. I’m using mainstream software and the apparent best efforts of major vendors, but the outcome is quite unusable to me.

I’ve invested quite a few hours in trying to make this work.  I have a hunch that with a few more hours’ effort I might get somewhere – but my confidence in that is ebbing away.  Andrew can’t encrypt.  🙁