Tag Archives: GoDaddy

WordPress addresses SOPA/PIPA

Having wished for WordPress to move away from GoDaddy as a registrar and SSL certificate supplier, I am very happy to see they now express a public opinion. WordPress do not like [PDF].

We are not a small group. More than 60 million people use WordPress — it’s said to power about 15% of the web. We can make an impact, and you can be an agent of change. Go to Stop American Censorship for more information and a bunch of ways you can take action quickly, easily, and painlessly. The Senate votes in two weeks, and we need to help at least 41 more senators see reason before then. Please. Make your voice heard.

Posted January 10, 2012 by Jane Wells.

This makes me proud(er) to use WordPress.

Will you help WordPress move away from GoDaddy?

So the drop-GoDaddy campaign seems to have gone pretty well. Some larger sites, and many smaller sites or personal users, went to another registrar. One service, however, that I noticed started giving me errors after I distrusted GoDaddy as an SSL CA was Gravatar.

Gravatar is an email-to-avatar service from Automattic – the same company that’s the main driver behind WordPress. Automattic is known for supporting free software and open web standards, and the company founder Matt Mullenweg is a trustworthy supporter of both objectives. As it turned out, however, their domains and SSL certificates were all registered through GoDaddy. So I did a whois check and sent an e-mail to the domain administrator:

Hello, I’m curious whether Automattic has a stance on SOPA – the Stop Online Piracy Act – which is in a heated debate all over the world right now.

Why I’m asking is that I noticed (after removing GoDaddy from my trusted CA database) that the SSL certificate for wordpress.org/.com as well as domain names are registered at GoDaddy – who helped write the suggested piece of legislation. automattic.com also seems to be registered with them.

Several websites have already moved their domain names away from GoDaddy, as part of a worldwide boycott since yesterday:
http://arstechnica.com/tech-policy/news/2011/12/godaddy-faces-december-29-boycott-over-sopa-support.ars

So what can one hope for in this case? An answer with “why yes of course, we will spend several work hours changing registrar and certificate authority just to make you happy”? Or a more modest “it is in our interest that blah blah, but you know they did change their mind about SOPA” or something along those lines? Well, the response was one of the more modest ones:

Hi,

Thanks for your suggestion. We’ve registered your suggestion and will keep it in mind.

Sorry for the inconvenience.

Best,
Karim – Happiness Engineer
Automattic | WordPress.com

“Sorry for the inconvenience”? I sincerely enjoyed that expression! In any case, I was hoping that this post might generate some interest with my readers to send off an e-mail to support@wordpress.com or domains@automattic.com requesting they leave GoDaddy’s services. Wikipedia and many others have already done it or are in the process of doing it.

The GoDaddy boycott over #SOPA – stop trusting the certificates!

Update 2011-12-23 21:53 CET: GoDaddy withdrew its support for SOPA. That does mean that mass protest can lead to change – but I would not trust the company just because they are afraid of losing customers.

This is what they write about the withdrawal: “Fighting online piracy is of the utmost importance, which is why Go Daddy has been working to help craft revisions to this legislation” => They still consider copying important to fight, which makes them dangerous to the character and development of the internet. They conclude with: “Go Daddy has always fought to preserve the intellectual property rights of third parties, and will continue to do so in the future,”

—-

Many are reporting on GoDaddy's support for SOPA, which is making customers leave them. SOPA is the American bill that is the biggest threat to the internet since the Western world began imitating China's censorship methods. For a short music video about SOPA that you can play in the background while reading this post, Dan Bull has produced the following:

The other day I wrote about SSL certificates and how I don't trust strangers just because someone else trusts them. Here we can now – besides a bunch of governments and unknown companies – throw GoDaddy onto the pile of untrustworthy certificate issuers. So here comes a guide to removing at least your web browser's automatic trust in this company!

In a Swedish GNU/Linux environment (e.g. the sv_SE locale for Gnome Shell in Ubuntu) with Firefox, this is how you do it – and of course it varies between web browsers etc. In Windows (and OS X?) you also have the “Settings” (“Inställningar”) item under Tools:

  • Find your way to the Firefox settings.
  • Under Advanced (Avancerat), then the Encryption (Kryptering) tab, choose View Certificates (Visa certifikat).
  • The Authorities (Utfärdare) tab will give you a long list. There are two separate GoDaddy entries here, one of which is found under G with the company's name. The other is called The Go Daddy Group, Inc.
  • Select each of these (e.g. hold down Ctrl to select several). Then press Delete or Distrust (Ta bort eller misstro) for the certificates you want to stop trusting!
  • As Henry Rouhivuori comments below, the issuers do not disappear from the list if you open the settings panel again. If you select them and choose “Edit Trust” (“Redigera tillit”), however, you will see – after having distrusted the issuer – that it no longer has the right to issue certificates for websites.

Sites that use GoDaddy's SSL certificates today and ought to switch away on principle: the Flashback forum, Gravatar, WordPress + blogs (…feel free to add more by leaving a tip in the comments below)

And now that you are doing something for web security and an open internet anyway, take the opportunity to check out the CAcert.org project! It is a “web of trust” model for SSL certificates built on free software and democracy, unlike GoDaddy, which just takes payment and then you are supposed to trust that things are handled correctly. If you are a webmaster you can show support by getting an account – if you are just an ordinary mortal it is enough to install their root certificate!

If you have a feeling for security and encryption, you may want to know that the fingerprints of CAcert's certificate are:

Fingerprint SHA1: AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE
Fingerprint MD5: F7:25:12:82:4E:67:B5:D0:8D:92:B7:7C:0B:86:7A:42
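
One way to check a downloaded root certificate against the two fingerprints listed above before installing it. This is an added example, not code from the original post or from CAcert; `SAMPLE_PEM` is a constructed stand-in rather than the real certificate, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import re

# Fingerprints exactly as published in the post above.
PUBLISHED = {
    "sha1": "AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE",
    "md5": "F7:25:12:82:4E:67:B5:D0:8D:92:B7:7C:0B:86:7A:42",
}

# Constructed stand-in, NOT a real certificate: the body is base64 of b"abc".
# A fingerprint is just a hash over the decoded DER bytes, so it exercises
# the same code path as a downloaded root certificate would.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Decode a PEM file that must hold exactly one certificate."""
    blocks = PEM_RE.findall(pem)
    if len(blocks) != 1:
        # A bundle could hide an extra root next to the expected one.
        raise ValueError(f"expected 1 certificate, found {len(blocks)}")
    return base64.b64decode("".join(blocks[0].split()), validate=True)


def fingerprint(der: bytes, algo: str) -> str:
    """Colon-separated upper-case hex digest, as certificate viewers show it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify(pem: str, expected: dict) -> dict:
    """Compare each expected fingerprint; install only if all are True."""
    der = pem_to_der(pem)

    def canon(fp: str) -> str:
        return fp.replace(":", "").replace(" ", "").upper()

    return {algo: hmac.compare_digest(canon(fingerprint(der, algo)), canon(want))
            for algo, want in expected.items()}


if __name__ == "__main__":
    print(fingerprint(pem_to_der(SAMPLE_PEM), "sha256"))  # modern digest too
    print(verify(SAMPLE_PEM, PUBLISHED))  # the stand-in does not match
```

The two digests the post publishes are MD5 and SHA-1, for which collision attacks exist, so the comparison is only as strong as the channel the fingerprints came from. Where the issuer also publishes a SHA-256 fingerprint, add it to the expected set.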

Do you trust all your internets to strangers?

Question: Japanese government, Staat der Nederlanden and Starfield Technologies Inc. – what do they all have in common? Answer: You trust all of them to verify identities and security on company websites and internet services.

Are you Japanese or Dutch? Have you ever heard of Starfield Technologies? I guess not. Still you’re probably using a web browser which has these “certificate authorities” as trusted “roots”. In short this means they can – with no security errors whatsoever – impersonate your bank, eavesdrop on your logins and make your computer believe everything is just fine. But only if they were to man-in-the-middle your communication physically or somehow manage to poison your DNS lookups of course.

So the scenario isn’t really your average Joe security issue, but the heart of the issue is a very important one. It’s a question of trust – a deep conviction of truth and rightness – and “trust” – the simple term used for computing security (though without the quotes).

All computer interaction is based on trust. You trust the computer is doing what it tells you it’s doing (which Free software lets you verify). However you also trust the other person’s computer to do what you’re asking it to do – and nothing more! Given the global scale of networking and computing, this is a hard task to verify manually – thus trust is given to cryptographic algorithms mathematically ensuring your data is handled by the correct entities without unwanted manipulation.

No ordinary person can ever understand, verify or control all parameters required for 100% secure computing. This is probably the reason why browsers (Firefox, Chromium etc.) include packs of “globally trusted” certificate issuers, such as Verisign, GoDaddy etc. Private companies that are virtually the foundation of today’s DNS-based internet, controlling or supplying top domain names. This is however where one should start worrying about who controls what. Remember what Verisign did to Wikileaks.org? Did you know that they want to make it easier to happen again?

So when one can’t trust the big boys, how can one really have trust in small, unknown organisations or companies? What are their respective thoughts on free speech, free internet and policies on eavesdropping? Wouldn’t you actually prefer a system of peer-to-peer review? The “web of trust” model as it’s called when a user trusts its friends, verifies identities and thus algorithmically increases trustworthiness of each respective peer.

I’m not sure what to make of this post other than to express my belief that the web’s SSL structure using pre-loaded certificate authorities in software designed to handle your private communication is flawed. For my part, I’m trying to push people into using semi-WoT CAs like CAcert.org and encourage the development of new DNS models. But my guess is I’m not influential enough on my own. Will you join the p2p revolution too?