Company pledges

faq.org

 | [[How do I get a domain name?]]            |
 | [[How do I get a "real" SSL certificate?]] |
 | [[Why use self-signed certificates?]]      |
+| [[Why not use the services of $company instead? They took the Seppuku pledge]] |
 #+END_CENTER
 
 * Why not supply a disk image download?
 Security of web sites on the internet is still a somewhat unsolved problem, and what we have now is a less than ideal but /good enough to fool most of the people most of the time/ kind of arrangement. Long term a better solution might be to have a number of certificate authorities in a number of different jurisdictions vote on whether a given certificate actually belongs to a given domain name. Experimental systems like this exist, but they're not widely used. Since the current certificate system has an enormous amount of inertia behind it change could be slow in arriving.
 
 For now a self-signed certificate will probably in most cases protect your communications from "bulk" passive surveillance. Once you've got past the scary browser warning and accepted the certificate under most conditions (except when starting up the Tor browser) you should not repeatedly see that warning. If you do then someone may be trying to meddle with your connection to the server. You can also take a note of the fingerprint of the certificate and verify that if you are especially concerned. If the fingerprint remains the same then you're probably ok.
+* Why not use the services of $company instead? They took the Seppuku pledge
+[[http://seppuku.cryptostorm.org][That pledge]] is utterly worthless. Years ago people trusted Google in the same sort of way, because they promised not be be evil and because a lot of the engineers working for them seemed like honest types who were "/on our side/". Post-[[https://en.wikipedia.org/wiki/Nymwars][nymwars]] and post-[[https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29][PRISM]] we know exactly how much Google cared about the privacy and security of its users. But Google is only one particular example. In general don't trust pledges made by companies, even if the people running them seem really sincere.

website/faq.html

 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
 <title></title>
-<!-- 2014-10-28 Tue 22:10 -->
+<!-- 2014-11-09 Sun 18:29 -->
 <meta  http-equiv="Content-Type" content="text/html;charset=utf-8" />
 <meta  name="generator" content="Org-mode" />
 <meta  name="author" content="Bob Mottram" />
 <tr>
 <td class="left"><a href="#unnumbered-5">Why use self-signed certificates?</a></td>
 </tr>
+
+<tr>
+<td class="left"><a href="#unnumbered-6">Why not use the services of $company instead? They took the Seppuku pledge</a></td>
+</tr>
 </tbody>
 </table>
 </div>
 </p>
 </div>
 </div>
+<div id="outline-container-unnumbered-6" class="outline-2">
+<h2 id="unnumbered-6">Why not use the services of $company instead? They took the Seppuku pledge</h2>
+<div class="outline-text-2" id="text-unnumbered-6">
+<p>
+<a href="http://seppuku.cryptostorm.org/">That pledge</a> is utterly worthless. Years ago people trusted Google in the same sort of way, because they promised not be be evil and because a lot of the engineers working for them seemed like honest types who were "<i>on our side</i>". Post-<a href="https://en.wikipedia.org/wiki/Nymwars">nymwars</a> and post-<a href="https://en.wikipedia.org/wiki/PRISM_(surveillance_program)">PRISM</a> we know exactly how much Google cared about the privacy and security of its users. But Google is only one particular example. In general don't trust pledges made by companies, even if the people running them seem really sincere.
+</p>
+</div>
+</div>
 </div>
 <div id="postamble" class="status">