Thawte promotes security, insecurity

I recently headed over to Thawte to purchase a digital certificate for code-signing. According to Thawte, it:

Promotes the Internet as a secure and viable platform for content distribution

I agree with the value of signed code. However I had problems making the purchase, which involves a web form and some ActiveX stuff. Here’s what Thawte tech support advised me to do:

  • Switch off the personal firewall.
  • Add the url to the trusted sites store.
  • Set all the activex controls and plug-ins to prompt or enable.
  • Set the privacy security level to low.

It is not quite as bad as it looks at first. You only need to do the ActiveX changes for trusted sites. Further, I’m not convinced all the steps are needed in all circumstances.

Still, asking someone to connect to the Internet with a disabled firewall is, on the face of it, irresponsible. In mitigation, if you are trying to purchase a digital cert you are probably clueful enough not to disable a personal firewall unless there is some other protection in place; most users have at least a NAT router between their PC and the Internet.

There is a generic problem here. Support departments confronted with users who “just want it to work” may resort to scattergun disabling of security software, never mind the risks. Of course it is better to figure out exactly what is not working and find the minimal relaxation of security needed to solve it, but this is harder to do.

Nevertheless I’m disappointed that Thawte can’t find a more secure technique for delivering its certificates; and that these technical issues are not spelt out more clearly on its site (perhaps it is embarrassed?).


Technorati tags: , ,