Announcing: Slashdot Deals - Explore geek apps, games, gadgets and more. (what is this?)

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

Thawte Bought by Verisign

Hemos posted more than 15 years ago | from the nice-chunk-of-change dept.

Encryption 123

ChrisKnight was of the many people that wrote with the story on news.com that VeriSign has purchased Thatwe Consulting. Purchase price was reportedly $575 million, although the deal must still be approved.

Sorry! There are no comments related to the filter you selected.

Re:hello monopoly (1)

DJerman (12424) | more than 15 years ago | (#1458177)

I am not a mozilla contributor (but I read about it on the web).

AFAICT, there is no crypto in Mozilla due to the international nature of the dev. effort. There is a separate crypto project, and no doubt Netscape will add a crypto module if the Mozilla product becomes Navigator 5.0. No crypto => no CA. For Netscape > 4.5 there are some Verisign CA certs that expire in 1999, but some are good to 2028, so it depends on your host's cert (which may expire).

Re:Darn! (2)

um... Lucas (13147) | more than 15 years ago | (#1458178)

On overpriced-scames....

You can go ahead and create your own keys and certificates... What you're paying Verisign for is not 100% related to your keys.

First, you're paying to have a certificate that's been signed by an authority that just happens to be preinstalled in 99% of the browsers out there.

You're also paying for the "trust" factor that goes into getting a certificate. Yeah, the lowerst level ones aren't much more than filling out paperwork, but (AFAIK) in order to get one of the more expensive ones, you must go through more steps to establish "who" you are.

If all you want is to establish secure connections, you don't need either of their services. If you want to be able to do so without having a little warning pop up on a users screen, you need to enlist their services.

That all said, if the merger/acquisition goes through, close attention should be paid to their pricing... If they immediately yank the low-cost certificates, or even if it's an eventual thing, a big stink will need to be made IMMEDIATLEY...

Until then, though... More power to them.

Re:Worth the money or not? (0)

Anonymous Coward | more than 15 years ago | (#1458179)

market position, Oh you mean they need to be microsofts bitch.

Noooooooooooo! (0)

Anonymous Coward | more than 15 years ago | (#1458180)

The spam - the spam! I switched to Thawte because Verisign insisted on spamming us. I then changes all the profiles (about half a dozen including personal certs and code signing certs) to say "don't spam me ever", and the cretins still spammed. Now Verisign are going to acquire me as a customer against my will! Fuck that - we need a Slashdot CA.

Re:Buying your competition? (2)

mindstrm (20013) | more than 15 years ago | (#1458181)

Why is this a problem? *ANYONE* can run a CA, it's a matter of how you get your CA recognized by current browser that I wonder about.

Re:I should point out... (2)

mindstrm (20013) | more than 15 years ago | (#1458182)

They are the only two who happen to be handing them out; many other CA's are preloaded in NS and IE.. they just aren't in the business.

What about Equifax? (1)

FatSean (18753) | more than 15 years ago | (#1458183)

Equifax is definately in the Certificate Provider business. Some rather large companies do business with them. Are they that much of a non-player?

The whole secure cert scene is a scam (0)

Anonymous Coward | more than 15 years ago | (#1458184)

Looks like the "old boys club" w.r.t. secure certificates is now rapidly approaching a monopoly situation. Verisign are clearly the number 1 secure certificate vendor with Thawte Consulting a distant 2nd (but offering cheaper certificates). Both these vendors pay a large wad of cash to Netscape and Microsoft each year for the "privilege" of being listed as a trusted certificate authority (but who decides they are trusted ?!!).

To make sure that Verisign loses no more secure certificate business to Thawte, they've bought them up for $575m ! So this means that Verisign can increase its market share and keep its high prices too. Bad news all round - this whole secure certificate thing is an absolute scam (over 250 quid to run a program that generates 15 lines of text ?), as is the TRIPLE cost of the 128-bit certificate vs. the 40-bit certificate (when the generator's probably identical except for a KEYSIZE=128 definition I bet !).

Let's see:

.co.uk domain cost to Nominet members: 5 quid + VAT a year
Verisign secure cert for .co.uk domain: 259 quid + VAT a year
[ Using prices on BT's Trustwise site at http://www.trustwise.com/ [trustwise.com] ]

Anyone care to say "rip-off" ?! Verisign should be thoroughly ashamed of themselves, especially considering the secure certificate application process is virtually entirely automated (they only get involved if there's a problem) so they can't even justify the prices via admin costs. I've always said it's a cash cow and now it's a golden goose, a lottery jackpot-winning ticket, a scam, a monopoly and an outrage as well !

Re:More closed source monopoly (2)

mindstrm (20013) | more than 15 years ago | (#1458185)

You know, I felt good knowing there were 20 some other organization CAs preloaded in NS and IE....
but now that Verisign ownes all but 4 or 5 of them, I wonder... this is sleazy!

Really, though.. run your OWN ca, and direct people to a page that explains how the whole process works (more than Verisign does!) to the common man, and have them simply accept the key into their browser.

Better yet, offer them client keys as well!

Re:You can submit your comments to the DOJ (1)

Y2K is bogus (7647) | more than 15 years ago | (#1458186)


That's the page where it says to send complaints to.

Only 200 pounds? (3)

/ (33804) | more than 15 years ago | (#1458187)

Heck, I don't weigh that much less than that. Neither do a bunch of my friends. Maybe we should get together and beat up on Verisign and steal its lunch-money.

These companies really have to learn that it's not that impressive if they weigh only slightly more than the average American male. Even if America is a chronically obese nation.

Maybe Microsoft would like to help them out by hooking them up with some of that combination bovine-growth hormone [purefood.org] and human-g rowth hormone [google.com] regimen that's keeping Gates's hair so glossy and thighs so sexy. They'll help make Verisign a man [wvu.edu] . How do I know this? Try searching Google for "make you a man" [google.com] . Microsoft comes up as #2. Does Judge Jackson know about this?....

Verisign certs are worthless in about 10 days (1)

thogard (43403) | more than 15 years ago | (#1458188)

At the end of the year, the Verisign certs will be about as useful as a self-signed one. The bad PR that could cause would give them no choice but to buy out Thatwe because if they get a bad write up in something like the Wall Street J about the problem, they effectly will have no market share, a huge debt and no way out. When that happens their stock goes into the penny stock class and the doors close.

The one thing that really bugs me (2)

mindstrm (20013) | more than 15 years ago | (#1458189)

I understand PKI. I understand x.509 certificates.

What I don't understand is why, in the first place, X.509 certificates were required to use SSL. It should not be necessary. Why are modern browsers set up so that you cannot use SSL unless you have appropriate x.509 certificates? I mean, I have no problem with the browser telling me it's unsigned, or untrusted, but I should still be able to use session encryption.

Maybe we should ask Judge Jackson (2)

/ (33804) | more than 15 years ago | (#1458190)

"Most harmful of all is the message that Verisign's buy-outs have conveyed to every company with the potential to innovate in the securities industry. Through its conduct toward Netscape, Thawte, Compaq, Microsoft, and others, Verisign has demonstrated that it will use its prodigious market power and immense finances to harm any firm that insists on pursuing initiatives that could intensify competition against one of Verisign's digital-certificates products. Verisign's past success in hurting such transactions and stifling innovation deters investment in technologies and orders that exhibit the potential to undermine Verisign. The ultimate result is that some innovations that would truly benefit customers never occur for the sole reason that they do not jive with Verisign's vision."

With appologies to Brunchi ng Shuttlecocks [brunching.com] .

Re:And this would mean...what? (1)

roadoi (68017) | more than 15 years ago | (#1458191)

Obviously you are not a nerd as such. 95% of *NIX users i know, admins, graphic artists etc have installed apache+mod_ssl and required a cert. With verisigns rediculously high prices, and the vast majority of these people not wanting to pay this much, they shopped around and found thawte. This is all in the normal system install/configuration phase. No brain power required, just common sense.

Entrust is a Provider of Enterprise PKI Systems (2)

dave_aiello (9791) | more than 15 years ago | (#1458192)

Entrust's primary business is creating entire Private Key Infrastructure systems (PKIs) for Fortune 500 businesses. These are the systems that allow companies to issue and revoke their own certificates. Entrust has a big business in large corporations with thousands of employees.

In certain circles in industry (like financial services), Verisign was primarily looked at as a service bureau who was willing to deal with small businesses. I realize that from the perspective of the consumer and small ISP they look like the only game in town. But, this was never the case at the high end.

I think this is a good acquisition for Verisign. It solidifies their position in the small and mid-sized business marketplace. This also creates an opportunity for a competitor, although it may not be a small company that tries to enter this market.


Dave Aiello

Re:How does international anti-trust work? (2)

mindstrm (20013) | more than 15 years ago | (#1458193)

There is a simple out for this though.. browsers like MS and NS simply have to recognize OTHER CA's as authoritative. This is the only thing giving them power.

(gee, is that somewhat similar to the current DNS structure that gave Verisign so much power? ie: it only works because our products all use it by default.)

Action plan (0)

Anonymous Coward | more than 15 years ago | (#1458195)

This merger would be really bad. How about:

1) Trying to block the deal: solid lobbying of the US and South African government, petitions, etc., pressure of public opinion on the organization which is supposed to approve the deal (if any), alerting and starting up coordinated action with organizations, lawyers, specialized in anti-monopoly immediately.

Let us do something - NOW... 2) Starting to get down seriously on the business of setting up an alternative, cheap "Open Source" signing authority. Furtune 500 companies don't mind to pay outrageous price for anything that their smaller competitors can't afford. But the overhelming majority of companies across the world is small business. Thawte's success was based on this customer base.

Now I C (0)

Anonymous Coward | more than 15 years ago | (#1458196)

The spelling error in the article... gotcha...

too bad: they offered much cheaper certificates (0)

Anonymous Coward | more than 15 years ago | (#1458200)

Verisign charges 4X as much for equivalent digital certificates. Better "synergy" is corporate speak for a monopoloy.

Good move, Thawte, bad move, Verisign. (4)

twit (60210) | more than 15 years ago | (#1458201)

First of all, good move, Thawte. They've successfully maximized shareholder value. In other words, they've sold out at the right time. Verisign, having grabbed a lot of the big names, will probably go on to increase its market share; Thawte, having failed to, may be at the peak of its value - especially when, not if, the net stock bubble collapses.

Bad move, Verisign. First of all, the net stock bubble is called a bubble for a reason. However, when acquiring other companies, you should buy for value or make acquisitions strategically. Does Thawte own anything, other than marketshare, that Verisign doesn't already have? In most mergers and buyouts, the purchaser usually ends up losing equity when the euphoria wears off. I doubt that this will be an exception to the rule.

I can deplore Microsoft's mania in acquisitions, but more often than not they acquire intelligently - taking out possible competitors, buying into new technologies. They don't acquire just for the hell of it. Paradoxically, they have too much money to do that.

Bad move, for the global net. Thawte is a South African company, and so the purchase takes an international venture with global reach and sucks it into the gaping maw of Silicon Valley. Not that there's anything intrinsically wrong with the valley. It's just that something sticks in my craw with one location dominating an entire industry.

Bad move, for everyone. A 200-lb gorilla in any industry is bad for business. A 200-lb gorilla in the security industry is worse. The security industry is based on trust (or at least mistrust) :-), and a 200-lb gorilla, with enough marketshare, can drive the market into inferiority and incompetence quite easily. Look at the consumer operating system market if you don't believe me :-).


Versign stock up 15% on monopoly acquisition news (0)

Anonymous Coward | more than 15 years ago | (#1458202)

Time to buy stock of yet another computer monopoly: MSFT, CSCO, now VRSN.

VRSN stock price performance (0)

Anonymous Coward | more than 15 years ago | (#1458203)

Cornering the Market?! (1)

mlesesky (81453) | more than 15 years ago | (#1458204)

Verisign makes a move that would leave it in a very strong position in the market. Now down to GTE, Belsign and Verisign - with Verisign having established itself as the Wall Street darling. It will continue to move higher as word spreads.

This monopoly is due to US export controls (0)

Anonymous Coward | more than 15 years ago | (#1458205)

Thank your legislators and congressmen for creating this wonderful monopoly!

Holy fuck - Versign + Thwate == 99% of market! (0)

Anonymous Coward | more than 15 years ago | (#1458206)

You could see from the above post that Verisign was clearly losing revenue from Thwate! Hello, US DOJ - please intervene for consumers!

Microsoft owns a large chunk of Verisign (0)

Anonymous Coward | more than 15 years ago | (#1458207)

As a shareholder of Microsoft, I can attest to the fact that Microsoft (about 2 years ago) purchased Verisign stock. It's sad ..

Re:Noooooooooooo! (1)

mlesesky (81453) | more than 15 years ago | (#1458208)

Slashdot CA sounds like a feasible solution. Or at least a true open source .org CA who could provide these services - please don't read this as the .gov.

How do browser certificates work? (1)

johnburton (21870) | more than 15 years ago | (#1458209)

Do they work like PGP signing where if you trust can be sort of delegated down a "tree" of signed certificates? Or does wach and every certificate need to be provided by a ceritified authority?

Re:Good move, Thawte, bad move, Verisign. (2)

Col. Panic (90528) | more than 15 years ago | (#1458210)

It's just that something sticks in my craw with one location dominating an entire industry.

Like the possibility of the entire industry's headquarters being eliminated in one really big earthquake like the one California may have in its future?

next chance for additional certificates: Mozilla! (1)

smk (41995) | more than 15 years ago | (#1458211)

First of all I'm scared. A company ruling mor then 90% of the ceritifacte market is a nightmare. I'm glad I chosed PGP instead of S/MIME.

But the question is: How to introduce new (root) certificate instances? Well, only a new browser version will make it possible for the "dummy" user without hassle.

So next stop is Mozilla/Netscape 5.0.

I suggest on this "stop" to add/introduce an open certificate instance(but don't read that as "insecure") like the german cert/dfn. This root instance should be driven by scientific or nonprofit institutes with can't be beaten or bought.

Yes, that's probably going to be a problem. (1)

Static (1229) | more than 15 years ago | (#1458212)

It was also my immediate thought when I read the news article.


You can submit your comments to the DOJ (4)

Y2K is bogus (7647) | more than 15 years ago | (#1458213)

Please moderate this up!

You can submit your comments on this matter to:


I have sent my comments and sent this email to my friends, do the same!

You can't always talk to the local office. (1)

winterstorm (13189) | more than 15 years ago | (#1458214)

Thawte also has "offices" in countries all over the world. However when you run into a snag (the local office can't verify your documents, or is taking weeks to verify them) they direct you to deal with their head office.

I've dealt with Thawte for a long time. Most of the time you get great service from the local office (in my case the Toronto branch) but I've had to deal with their head office on three occasions in the last three years.

Call the Justice Department (1)

fumble (128295) | more than 15 years ago | (#1458216)

EVERYONE call this number and complain about the ridiculous monopoly that has ensued!

The Justice Department, Anti-Trust Division
(San Francisco, California)

Not so fast! (1)

barzok (26681) | more than 15 years ago | (#1458217)

Remember, this deal is subject to approval still. Hopefully, someone in gov't will notice this one company will be 98% of the market and will put the brakes on the deal.

Re:You can submit your comments to the DOJ (1)

absnom (128298) | more than 15 years ago | (#1458220)

Perhaps the more appropriate place might be the South African government's Dept. of Trade and Industry (http://wwwdti.pwv.gov.za/dtiwww/ [pwv.gov.za] ). The Minister is Mr A. Erwin. His snail-mail address is:

Private Bag X274
South Africa

He also has an email addess listed on the web site, but spamming him might be counter-productive. Does anybody from South Africa have a better person/place to email/write to? They should really be alerted to how bad this merger is for all of us.

Re:Anyone thought of Enrust.net? (0)

Anonymous Coward | more than 15 years ago | (#1458221)

This now means that the Entrust.net intermediate cert is OWNED and could be YANKED by Versign. And Verisign could be the only major player.
Oh calm down. What are they going to do, remove it from everyone's browser? The Thawte root CA is hardcoded into your (and my) browser. It's not going to disappear from existing browsers just because Verisign bought Thawte. What they could do is move all their customers to a Verisign cert and once that's done ask MS and Netscape to no longer put the Thawte root CA in newer versions of the browsers. Older browser versions would then still trust the Thawte root (and by extension Entrust.net's root), but the new ones would not. It seems to me that - given the obviousness of the situation - it's pretty likely that Entrust.net is going to have its own root CA in the major browsers by the time that that happens.

I think Entrust.net is and will continue to be a viable alternative to Verisign. A good one, in fact.

Why? (0)

cybaea (79975) | more than 15 years ago | (#1458229)

Why on Earth did they do it? just to create a monopoly?

Last Post! (0)

Last Post! (121290) | more than 15 years ago | (#1458230)

This is great. It's nice to know that running some key generators is worth $575 million. That makes me feel swell, since I made less than a thousandth of that this year.

Of course, I was only doing silly computational physics. Nothing as meritorious as running a key generator.

The final word; anything following is redundant.

P.S> leaf it at zero (0)

Anonymous Coward | more than 15 years ago | (#1458231)

save the points for the good comments :-)

Re:1st (sorry) (0)

Anonymous Coward | more than 15 years ago | (#1458232)

sorry, i would erase that if i could.

Goodie Goodie Gumdrops (1)

Necroleptic (117803) | more than 15 years ago | (#1458233)

Although internet security is a high priority on everyone's list, but this deal does not seem to extend that, as it says in the article is just a purchase transaction, not like some M$ assimilation practices.

Twat bought by Vagisign (1)

FatSean (18753) | more than 15 years ago | (#1458234)

There's something fishy about this deal...

Buying your competition? (0)

Anonymous Coward | more than 15 years ago | (#1458235)

Hopefully this will not be allowed, like the
Adaptec - Symbios deal. This is a serious
anti-trust & anti-consumer merger.


(maybe my 1st f1rs7 p0st??)

Re:Last Post! (1)

HP LoveJet (8592) | more than 15 years ago | (#1458236)

Oh, come now. It's not just running some key generators; it's also paying for the care and feeding of lawyers to draw up CSPs and contracts that say things like:

In the event that anything goes wrong, or you use your certificate for some nefarious purpose, you indemnify us of any wrongdoing. We disclaim everything.


... (1)

mistalinux (78981) | more than 15 years ago | (#1458237)

I've come to the conclusion long ago that everything companies do can be attributed to what the decision makers believe will make them more money. Think about that.

wonderful (1)

CodeMonky (10675) | more than 15 years ago | (#1458238)

Well this kinda sucks seeing as how i have to renew our certificates (from thawte) shortly. (1/2000)

1st (0)

Anonymous Coward | more than 15 years ago | (#1458239)


$575 million?? (0)

Raymond Luxury Yacht (112037) | more than 15 years ago | (#1458241)

That's one spicey meat-a-ball!

To Thawte or not to Thatwe, that is the question....

This is terrible! (3)

winterstorm (13189) | more than 15 years ago | (#1458242)

Thawte services are very different in flavour than Verisigns. Thawte has a "web of trust" system for personal certificates based on the PGP web of trust ideal. Thawte offers wildcard certificates. Thawte certificates are priced reasonably.

Thawte provided signing support for SSLeay keys very early on. Verisign is slow to change.

On the other hand if things get complicated (if your verification documents for a certificate are not "normal") then dealing with Thawte can be a pain. Thawte has its head office in Africa. Have you ever tried to send a long fax to Africa? If you get a clean line you might get one or two pages through at a time.

I should point out... (1)

squarooticus (5092) | more than 15 years ago | (#1458243)

...that Verisign now has a monopoly on commerical browser certificates. Thawte and Verisign are the only two companies to issue commercial browser certificates for both NS and IE.
Kyle R. Rose, MIT LCS

Re:who these people (0)

Anonymous Coward | more than 15 years ago | (#1458244)


Good grief, who's left? (3)

Count Fragula (67767) | more than 15 years ago | (#1458245)

Looking at the list of the 27 root certifications in IE 5, i see that 21 of them are either held by Thawte or Verisign. Now, I've been a Verisign customer for a long time, and I like the fact that I can count on their root certificate being in 99% of browsers out there, but there was always a peace of mind that came with knowing I had Thawte to go to if i was ever dissatisfied. Well, no more.


Verisign Monopoly and price gouging (2)

protektor (63514) | more than 15 years ago | (#1458246)

Anyone notice that you can't just buy a server certificate anymore from Verisign. They want to sell you a whole package deal of services and other things for 128 bit certificates.


I also don't like the fact there is now no competition to Verisign and that they have huge requirements and slow to respond to problems and can't track documents within their own company that you send them. If you can't do everything the Verisign way then God help you since they will drag everything out forever and loose documentation you send them.
I also see they are buying Signio E-Commerce payment service for busines to business e-commerce transactions. Where will they stop, they are starting to sound like they want to be like Microsoft only they want to control all secure and E-Commerce stuff on the internet.
Verisign also charges more or at least use to charge more for basic secure certificates. Looks like the days og just buying a certificate for your server are over. Now you have to buy a whole package of services and you probably won't be able to get wildcat certificates any more either. Which is a real problem since I shouldn't have to pay $950*x just for a few servers in my own domain for easier adminstration purposes to do internal stuff via a secure web page.

This just plain sucks!

First Post (1)

Anonymous Coward | more than 15 years ago | (#1458247)


time for an open-source competitor (5)

epictetus (5123) | more than 15 years ago | (#1458248)

Verisign is sure to jack up their prices if and when the deal goes through. There should be a market for cheap certificates sold to small sites that want to be secure without paying a Verisign tax.

There's already open-source software out there for generating certificates. The other barriers to entry are:

1. Name recognition. If you're in charge of security at a medium to big size company, your chief goal is to protect your own ass. To that end, you'll spend the extra money to buy Verisign, because nobody ever got fired for using Verisign.

2. Being in the browser. This is a big one; your CA cert has to be pre-loaded into your user's browsers. This involves paying many thousands of dollars to MS and Netscape.

The other things you need to be a CA are:

1. Legal staff and Certification Practice Statement.

2. Clerks for researching and verifying identity.

3. A killer operations and security infrastructure to protect the CA's key and prevent unauthorized signing.

CAs can and should be a commodity. The thing to watch out for is Verisign introducing proprietary technology into their certificates, or making exclusive deals with the browser manufacturers.


Anonymous Coward | more than 15 years ago | (#1458249)


Monopoly!! Monopoly!! (0)

Anonymous Coward | more than 15 years ago | (#1458250)

This is yet another monopoly. I don't understand why Verisign would want to do this. On the other hand maybe it'll help other less established competitors, because so many people might be drawn away by the fact that verisign has so much full control of all this stuff.

HEE (0)

Anonymous Coward | more than 15 years ago | (#1458251)


Entrust offers 128 global too... kinda (1)

griffjon (14945) | more than 15 years ago | (#1458252)

Entrust has global export approval for their website certificates, great customer support (speaking from experience), no Y2K expiration issues, unlike Verisign.

There's only one catch.

Their certs are signed off on by (drumroll) Thawte! Which is now a subsidiary of Entrust's rival, Verisign. Hm.

Re:You can submit your comments to the DOJ (1)

Sharkeys-Day (25335) | more than 15 years ago | (#1458253)

I would like to verify that this is the correct place to complain to before spamming anyone.

Can you post information more information about this address, such as where it came from and how best to identify the issue we are protesting?

Anyone thought of Enrust.net? (2)

Neter (56934) | more than 15 years ago | (#1458254)

Entrust.net is another certificate provider on the net. They are trying to go head to head with Verisign in the web server market. (They own the enterprise in Canada, and are one of two in the US Gov't PKI architecture)

They did not want to pay the gazillions that it cost to have their CA cert embedded in the browsers, so they got THAWTE to cross cert with them.

This now means that the Entrust.net intermediate cert is OWNED and could be YANKED by Versign. And Verisign could be the only major player.

If this does not happen, then at least we will still have more than ONE choice for server certs.

Just my $0.04 Euro.

FIRST!!1!1!!!! (0)

Rev. DOG. (122477) | more than 15 years ago | (#1458255)


Damn! Thawte had clue (0)

Anonymous Coward | more than 15 years ago | (#1458256)

Having worked with both, I find this news very disturbing. It was a pleasure working with Thawte, they really understood what they were doing. Verisign, on the other hand, are a bunch of idiots. (I mean, who in his right mind would make root certs expire at the stroke of Y2K?)

Yeah but competition is coming, big time (1)

badzilla (50355) | more than 15 years ago | (#1458257)

There are good reasons why Thawte or Verisign can charge more money for a certificate than you can charge. Firstly and most importantly their root certificates are shipped in both major browsers' trusted root stores. Secondly these companies can justifiably claim to be secure to the max.

I believe having their root certificate in the browser is _the_ number one factor and this is due to change very soon - Windows 2000 and NT4 SP6 both introduce a large number of new trusted players into IE, for example Baltimore, Belgacom, Cable and Wireless, Deutsche telekom, Swisskey, etc.

So maybe Thawte are grabbing the cash and getting out at what they think might be the top of the market... I've always considered Thawte to be a pretty smart company.

And there really is a need for a Slashdot CA, people do not want to pay $200 to get a code-signing certificate just for some .jar file they are distributing for free anyway.

the DOJ has its next assignment (0)

Anonymous Coward | more than 15 years ago | (#1458258)

This news really upset me. I can't stand VeriSign, and will use anybody else in the world. I consider them worse than Micro~1.

Re:Anyone thought of Enrust.net? (1)

Neter (56934) | more than 15 years ago | (#1458259)

Older browser versions would then still trust the Thawte root (and by extension Entrust.net's root), but the new ones would not.

This is true. I think the point that you are missing is that you have to dowload the intermediate cert to your server to enable the chain of trust to be completed.

Verisign could remove this intermediate cert (as it is now theirs.) and thus one could not complete the installation of an Entrust.net issued cert into their servers.

I agree entirely that older browswers will still trust the Thawte root. Verisign cannot take this away. But at the rate that things are changed in the browser market, newer versions are being released almost every couple of months. It will only take two months for people to stop trusting the Thawte root.

Re:Noooooooooooo! (1)

mckyj57 (116386) | more than 15 years ago | (#1458260)

I agree. I also accelerated the switchover of
my clients because of Verisign's spam.

The following companies also have root-signing
certificates in Navigator 4.7:

ABAecom (Am. Bankers Assn)
ANX Network
Access America (DST)
American Express
Canada Post Corp.
DST (provider to quite a few others)
Entrust (DST)
GTE CyberTrust
MCI Mall
National Retail Federation (DST)
Novell (DST)
TC TrustCenter
United States Postal Service
Uptime Group

Anyone know whether any of these sell certs?

30%? Mozilla'd give his left nut for 30%. (1)

Zico (14255) | more than 15 years ago | (#1458262)

Internet Explorer now has over 80% of the browser market, and its lead is increasing each week.

About Thawte, it's pretty coincidental for me to be seeing this article now, since I just signed up for a Thawte certificate late last night. There was one part of the sign-up process that was very unclear -- choosing a CSP. Thawte's web site did nothing for helping a new user decide the pros and cons of the different choices. I just went ahead and picked the Microsoft Base Cryptography because it was the default and because I know I can change it later, but could anyone recommend some links to comparisons between the different choices?

Thankful cheers,

Offtopic, sue me, no wait mod me down (1)

toast0 (63707) | more than 15 years ago | (#1458264)

If you're going to have a big earthquake, i'd have to say california would be the best place to have it....

not too long after the earthquakes in turkey, and taiwan, there was one in southern california larger than the one in turkey, but less than the one in taiwan (forgive me for being vague i don't remember the numbers) and if i recall correctly there were fewer than 10 reported injuries...

then again it was in the boonies area of southern california, but thats where they seem to happen most lately anyhow

Re:Alternative certificate (1)

toast0 (63707) | more than 15 years ago | (#1458266)

since when do prices go down due to increased demand?

prices go up do to increased demand

and demand increases due to dropped prices


Anonymous Coward | more than 15 years ago | (#1458268)

For those about to rock - we salute you!

Darn! (1)

stimuli (37803) | more than 15 years ago | (#1458275)

For those who haven't used it, Thawte is an alternative service to Verisign, whose rates are on average about one half of Verisign's. I think all of these Certificate services are overpriced scams, but at least Thawte was less so.

And this would mean...what? (0)

Anonymous Coward | more than 15 years ago | (#1458276)

Never heard of these folks. I'm too lazy to go find out who they are or why I should care. 'twould be nice to have a little sentence on the article explaining who these guys are, what they do, a link to their site, perhaps? Better yet, tell us why we should be interested in this acquisition. News for Nerds...not Cryptic References for Nerds, right?

More closed source monopoly (2)

cybaea (79975) | more than 15 years ago | (#1458277)

Frpom the Verisign press release [verisign.com] :

As a combined entity, VeriSign and Thawte will be able to implement a consistent set of global standards for the issuance and management of digital certificates for websites and software developers

It sounds like they want to own the standards and establish a monopoly of closed source rules.

And it will be a monopoly:

They are also the only two digital certificate providers with commercial availability of 128-bit website certificates

Any chance that the mergers and monopolies comission (or whatever it is called in SA) will block this? Please!? Not another MSFT.

This is _not_ good. (1)

rise (101383) | more than 15 years ago | (#1458278)

The certificate business was already incestuous enough. This deal is basically going to leave the whole shebang in the hands of VeriSign and MS, and that can't be good for the rest of us. A system based on trust cannot rely on a small group of organizations known to play fast and loose with the public interest.

hello monopoly (1)

snorks (103191) | more than 15 years ago | (#1458279)

This sucks. Verisign sucks. What's the status on trusted CA's in Mozilla? It would be cool to make OpenCA the default and require all of that extra clickthru for Verisigns crappy certs.

Re:Goodie Goodie Gumdrops (0)

Anonymous Coward | more than 15 years ago | (#1458280)

No. This is bad. Thawte is really the only viable alternative to verisign, because only thawte and verisign have root certificates installed in web browsers. If the deal is allowed to go through verisign will be able to charge much more for their certificates. This is very microsoft style. Verisign certificates are already much higher in price than thawte certificates - particularly for object (code) signing. I hope it gets squashed.

This is bad for us.. (4)

Billy Donahue (29642) | more than 15 years ago | (#1458281)

I've always thought that Thawte did
a better job than Verisign. They are cheaper
too, I believe..(though it's been a while)..

They do NOTHING for you! They don't even
make your site more secure...
They are snake-oil salesmen, at best.

Watch as Bruce Schneier gives these jerks a firm talking-to: here [counterpane.com]

Re:And this would mean...what? (2)

CodeMonky (10675) | more than 15 years ago | (#1458282)

These two companies are THE companies for digital certificates. If you ever needed to setup a secure web server or get a thrid party certificate these two were the people to see. Personally I prefer thwate because they were reasonably priced but now i have no choice. answer your questions?!


Re:Good move, Thawte, bad move, Verisign. (1)

dsplat (73054) | more than 15 years ago | (#1458283)

Perhaps. But there is also the possibility that this is the push that will be needed to get other players to jump into the market. There will certainly be markt niches that Verisign won't be filling. Other players can work on those. This round goes to Verisign, but the game isn't over.

By the way, I don't have any personal axe to grind against Verisign. I like to see a competitive marketplace with some choices. When the only choice is whether to feed the big gorilla, or stroll over to the park and watch the ducks because there aren't any other primates left ....

couple of problems... (1)

mr_spatula (126119) | more than 15 years ago | (#1458284)

Aside from just being a monopoly here.... I was always reassured by the fact that Thawte Consulting was a SEPERATE ENTITY from Verisign. Going through them actually seemed to give some semblance of higher security. Then again, who knows what the future holds...

Re:time for an open-source competitor (1)

freddie (2935) | more than 15 years ago | (#1458285)

Somebody should organize something like this. With Netscape 5 coming up, I think that'd be a good chance to bring up a new CA. By the way, you might also get away with paying money to the much more agreeable redhat and debian instead for them to include your certicates. --fred

Bad news (5)

EisPick (29965) | more than 15 years ago | (#1458286)

Consider the following:

  • As this chart [thawte.com] on the Thawte site makes clear, these two companies combined own almost 100% of the market.
  • The barriers to entry in this market are huge: A new certificate authority would not be recognized by the current installed base of browsers.
  • Having two competing firms in this market clearly benefitted consumers. A server certificate from VeriSign costs $349; Thawte's costs $125.

This is bad news for consumers.

I have a Thawte cert and this disturbs me greatly (3)

Omnifarious (11933) | more than 15 years ago | (#1458287)

I got a Thawte certificate because their website promised that if laws ever changed in the country their database was in such that they had to divulge its contents, they were prepared to move their database within hours. I also got it because of their support for PGP public key signing.

Now, they're being bought out by Verisign who I have no such trust in, and who isn't, IMHO, a good member of the community. I'm not at all happy about this.

I think I'm going to ask the my Thawte certificate be revoked, and all my data wiped from their databases. I do NOT trust Verisign at all. They seem more like opportunists out to make a buck than people who really understand the paranoid world of security.

Alternative certificate (1)

Anonymous Coward | more than 15 years ago | (#1458288)

GTE (www.cybertrust.com) has a root certificate which is valid until 2018 in NS 4.5+ and MSIE 4+. It's a tad expensive, but let's hope their prices will go down due to increased demand.

Re:This is terrible! (1)

austad (22163) | more than 15 years ago | (#1458289)

Have you ever tried to send a long fax to Africa? If you get a clean line you might get one or two pages through at a time.

Thawte has offices in the US, dealing with them is easy.

Re:Verisign Monopoly and price gouging (2)

um... Lucas (13147) | more than 15 years ago | (#1458290)

Verisign also charges more or at least use to charge more for basic secure certificates. Looks like the days og just buying a certificate for your server are over. Now you have to buy a whole package of services and you probably won't be able to get wildcat certificates any more either. Which is a real problem since I shouldn't have to pay $950*x just for a few servers in my own domain for easier adminstration purposes to do internal stuff via a secure web page.

If what you want to do is admin your server over a secure webpage, you don't need their services at all. Just generate your own certificate and *presto* ... your own secure server connection.


If the price on their certificates goes up, that'll be bad... but really you only need to purchase a certificate if you're setting up an ecommerce site. If that's what your doing, then $500-$1000 is a drop in the bucket. If that's not what you're doing, you can probably just sign your own.

Re:Good move, Thawte, bad move, Verisign. (1)

treat (84622) | more than 15 years ago | (#1458291)

But this is a market that's very difficult to enter. You have to get the vast majority of browsers to include your root certificate. That's why this is so bad. It means that people will *have* to deal with Verisign's ridiculous pricing if they want to set up an https server that's used by the public. Just at the point where Thawte was entrenched enough to be a completely viable alternative.

Re:This is terrible! (2)

philzaw (121923) | more than 15 years ago | (#1458292)

Agreed :(

Please read Thawte's President essay [thawte.com] .

Especially comments on VeriSign:

A loss of $21 million, on revenues of $9 million, of which $3 million in revenues came from a book transaction with a parent company. Damn. Wow. Sheesh.
Will we list Thawte? Unlikely. I don't think investors would understand and be prepared to pay a premium for a small company that is profitable but not over hyped. And I like my autonomy too much! Besides, we plan to diversify and push the "Thawte" brand independently of certificates, so it will be nice to have a wholly owned cash generator over time. But that's a different story, and actions speak louder than words!

It might relate only to IPO, but...

Re:too bad: they offered much cheaper certificates (1)

storem (117912) | more than 15 years ago | (#1458293)

I fact you could have your own personal vertifcates for free! I believe there is the need for a non-profit CA on the Internet. Something like the PGP key database at MIT, but using X.509 certificates.

Did it exist: yes, THAWTE! Does it still exist: with Verisign acting as the key God? I wouldn't be suprosed if I'd get a bill next week.

Re:hello monopoly (OpenCA) (0)

Anonymous Coward | more than 15 years ago | (#1458294)

There's no way to do an open CA due to the liability concerns. Unless you're will to cover the several ten of millions of dollars in corporate insurance that would be required for an open ca with root certificates installed in the common web browsers. Not to mention the fact that MS would never allow anything open into any of their systems. So, you'd only be able to support CrapZilla (if it ever becomes usable). Good Luck getting people to buy a certificate that's only trusted by 30% of the web browsers that visit their web site.

Worth the money or not? (1)

Anonymous Coward | more than 15 years ago | (#1458295)

There's a little more to it than that. You have to keep those key generators awful damn secure. For any more than a base-level certificate you have to check that the recipient really is who he says. Plus you need the market position so everyone knows your public key.

Of course as Bruce Schneier points out [counterpane.com] , PKI ain't such a secure and necessary deal as it's made out to be, so to a certain extent Verisign is just smoke and mirrors.

How does international anti-trust work? (2)

MattMann (102516) | more than 15 years ago | (#1458296)

If these were both American companies, I would think that this would run into anti-trust trouble, especially in the current regulatory climate. However, given that this is an international deal, does anybody know how regulation works?

Thawte has a human face (1)

linuchristo (17002) | more than 15 years ago | (#1458297)

a year ago, I browsed verisign and thawte's web sites to educate myself on certs. Verisign's web site was full of legal disclaimers, uninformative in the grand old bureaucratic style, and without humor or humanity. Thawte's web site was informative --a geek can learn things from it-- and had a human voice.
what gubmint agency do I write to protest this merger?

oh... "thawte" (1)

bunnyman (121652) | more than 15 years ago | (#1458298)

Thawte Bought by Verisign

Imagine my surprise when I read that Verisign bought Thought. I could understand if they had patented it, but bought Thought?

I'm still wrong though.

Re:This is _not_ good. (1)

Gurlia (110988) | more than 15 years ago | (#1458299)

Forgive my ignorance, but why must trusted certificates be handled exclusively by a bunch of companies??!?!? I think the way IE and NS comes with "trusted" certs is a little off... Doesn't it only represent certificates that NS and MS "trusts"? If the web of trust is entrusted (pun intended) upon a few companies, they're basically telling you who to trust -- or more bluntly, who they want you to trust.

Isn't the whole idea of the web of trust mechanism to allow anyone to verify certificates they receive from somebody? Now if this verification goes through a bunch of companies (which eventually merge into a monopoly), isn't there the possibility that there could be some foul play?

Competition is healthy. As long as certificate providers have competition, they cannot afford to play foul. But as soon as competition is gone, all bets are off. Mergers of companies like these that are the sole provider of certificates to IE and NS are not good.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?