Home Download Learn more Tech Help

Tiger Envelopes: Signed Certificates

Tiger Privacy

Tiger Privacy doesn't require any private information from you to access our website or use our software. We use well known organizations such as SourceForge to handle the distribution of our software, and use reputable resellers to process all sales transactions. Nonetheless, we suggest that you connect to Tiger Privacy's site using a secure connection to minimize the information available to others who might be monitoring your web surfing. Your browser will ask you to accept our web site's certificate the first time you access Tiger's secure web site. You will get a warning from your browser until you explicitly authorize your browser to accept it. For most sites this conscious decision is overkill, but for security sites it is a good idea.

We decided to self-sign our web site's certificate. We could easily have spent $50-$200 and gotten an "authority" to issue a certificate that your browser would blindly accept without any warnings. By self-signing our certificate, you decide, not some invisible "authority", if you want to accept it.

For the same reason, the connection from your mail client to your local Tiger Envelopes mail proxy does not have a signed certificate. When the proxy is running on your own system, this doesn't matter. If you connect to mail servers using SSL or TLS, the Tiger Envelopes mail proxies still connect to those mail servers the same secure way. Traffic across the public nets is as protected as it was.

Why certificate "authorities" are bad security

The standard approach to site security is to blindly accept any site that has a certificate signed by an "authority". But who signed it? Your browser's developers decided who is in "authority" over you. You're supposed to blindly trust someone without thinking about it. That's bad security. It only makes sense for sites where security doesn't matter.

Browsers usually have long hidden lists of certification authorities. This results in trust relationships that users probably wouldn't accept if they were explicit. For example, the authorities are almost always from different countries. How many people outside the U.S. want to blindly trust a U.S. authority? How many people in the U.S. would happily accept an outside authority?

Even if you trust your authorities absolutely, including the ones someone else chose for you, are you sure that those authorities are not important enough for someone to plant a mole?

This security model also depends on centralized key servers, every one a big tempting target for crooks. Crackers like key servers the way bank robbers like banks. Because these servers can keep a record every time your software checks a cert, it's easy to track who you contact and when.

OpenPGP's Web of Trust is much safer, but not as safe as peer to peer verification. OpenPGP does not use a central authority. Instead the authenticity of a key is determined by which individuals have signed the key. By signing, the signer says that they believe that the person using the key is who they say they are. Since signers are themselves rated based on who trusts the signer's own key, there is a web of trust. But although this web doesn't have central authorities, it still depends on centralized servers.

Peer to peer verification doesn't have the risks of central authorities or centralized servers.

Certs are cheap exactly because they're bad security. Why should you trust someone just because they spent $50 on a near useless cert? Certificate authorities approve bad ones all the time. One of the largest web certificate authorities issues certificates in just 10 minutes.

It's much better security to use peer to peer verification, and insist on full source code so anyone can verify it's not malware. "Security" software without source code isn't secure. Sprinkling cheap certs like magic fairy dust doesn't change that.