And also Symantec, and now Entrust. All of these CAs have incredibly sloppy vetting procedures and/or control over their resellers. In many cases they didn't even check CAA records to see if they'd be authorized to issue new certs, even though it has been a requirement for years. They had one job, and failed abysmally at it, relying on their too big to fail status. You can feel the frustration of people like Adam Langley at Google over his inability to bring the banhammer to bear fast enough on those clowns.
Am I the only one that understands 10% of what's going on? Obviously they won't add his CA, and there seems to be some other links to joke requests, but what am I missing?
They are poking fun at the seemingly random (and non-trustworthy) companies which are allowed to issue root CAs and how hard it is to remove them if they reach the "too big to fail" status.
I do this to defang the url to prevent unintentional clicks or automatic previewing when working and reporting on security events. Sometimes the habit bleeds over.
Yes as far as the title on the Mozilla page goes but: Ahmed is pronounced Achmed (if your first langues is e.g. English).
Among my Arab friends with that name the spelling that omits the 'c' is more common. Another common form is Ahmad which is still pronounced the same.
The version with 'c' is one that contains a pronunciation hint for people whose native language is not Arabic (but probably English). As is the one with the 'e' vs the 'a' as last vowel.
No, it's not. It's a soft 'H' sound in Arabic, the same as in Muhammad. It's closer to the English 'H'. The Scottish 'ch' is a different letter entirely in Arabic and doesn't appear in this name.
I suppose the point is that it's not the voiceless glottal fricative?
To my ears [ħ] sounds closer to [x] and [χ] than to [h] (even though the place of articulation is closer to [h]), but I'm sure it's different for people who (natively) speak a language with all three.
Yeah, I imagine it's an interesting question which of these sounds is more perceptually similar to the target sound. It may well depend to some extent on the native language(s) of the person who is listening.
I'm getting warnings on an old Macbook Air that the Firefox CA certs are going to expire... except the OS is too old to update to a newer version. Oh noes!
Do I really care? That would imply I trusted CAs in the first place... all of them.
From the thread it seems like they’re poking fun at browser vendors adding untrustworthy CAs to their trust store and not removing them even for egregious violations.
Their point is that Honest Achmed is at least as honest as some of the other CAs they’ve allowed in. This issue was closed a few times because Honest Achmed hadn’t completed an external audit. It was reopened each time by users who pointed out that audits were redundant if Achmed quickly issued a tonne of certificates and became too big to remove.
In other words, this issue is an implicit critique of browsers certificate policies.
It was written around the time one of the CAs got dropped for signing certificates they shouldn't. (I wanna say it was DigiNotar, but that was a long time ago)
I actually think that the used car salesman qualifier needed to be added to add the element of dishonesty to the character. I feel the middle-eastern name does plays into the trope of non-westerners's reliance on informal networks of kinship and reputation, but not necessarily dishonesty.
It's not like people condemning the choice of the name are unable to find the humor. We do find it. We are briefly entertained. Then we pause and ponder. Is it a good idea to use a negative stereotype in a joke? Don't we run the risk of confirming the stereotype even more?
We then find out that our answer to that question is "no". And we bring up the issue with other people.
There is no "inability to find humor" at play here.
It's called stochastic terrorism, and a society built on top of terror and racism would probably tell you it's "actually a sign of cognitive flexibility and social intelligence."
I had the same gut reaction as you. I was going to defend the joke as not being racist. Until I thought about it for a few minutes, and came to the conclusion that it's obviously racist. Whenever you have a gut reaction like that, you NEED to look deeper.
For those looking for more context - If memory serves it was in response to https://en.wikipedia.org/wiki/Comodo_Cybersecurity#Certifica... and the various controversies around it.
Honest Achmed has been one of my favorites for as long as its been around.
And also Symantec, and now Entrust. All of these CAs have incredibly sloppy vetting procedures and/or control over their resellers. In many cases they didn't even check CAA records to see if they'd be authorized to issue new certs, even though it has been a requirement for years. They had one job, and failed abysmally at it, relying on their too big to fail status. You can feel the frustration of people like Adam Langley at Google over his inability to bring the banhammer to bear fast enough on those clowns.
This was closed as a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=233458 , which was the predecessor to LetsEncrypt
Previously:
Bug 647959 – Add Honest Achmed's root certificate - https://news.ycombinator.com/item?id=2463762 - April 2011 (114 comments)
Bug 647959 – Add Honest Achmed's root certificate (2011) - https://news.ycombinator.com/item?id=10839315 - January 2016 (68 comments)
Add Honest Achmed's root certificate (2011) - https://news.ycombinator.com/item?id=35490740 - April 2023 (25 comments)
Am I the only one that understands 10% of what's going on? Obviously they won't add his CA, and there seems to be some other links to joke requests, but what am I missing?
They are poking fun at the seemingly random (and non-trustworthy) companies which are allowed to issue root CAs and how hard it is to remove them if they reach the "too big to fail" status.
[flagged]
The best part is the website hxxps://www.honestachmed.dyndns.org/ is still up.
pardon the side question, what is this trend of rewriting http in hxxp ? a reflex from platforms that don't allow sharing urls ?
I do this to defang the url to prevent unintentional clicks or automatic previewing when working and reporting on security events. Sometimes the habit bleeds over.
ha, makes total sense :)
I might get into this habit too (and it's somehow funny how ~ergonomics can backfire)
Yeah, and http only :) It would be hilarious if it had invalid cert.
Achmed, not Ahmed ...
Yes as far as the title on the Mozilla page goes but: Ahmed is pronounced Achmed (if your first langues is e.g. English).
Among my Arab friends with that name the spelling that omits the 'c' is more common. Another common form is Ahmad which is still pronounced the same.
The version with 'c' is one that contains a pronunciation hint for people whose native language is not Arabic (but probably English). As is the one with the 'e' vs the 'a' as last vowel.
I.e. Ahmad == Ahmed == Achmed.
> The version with 'c' is one that contains a pronunciation hint for people whose native language is not Arabic (but probably English).
What hint would that be? There's no 'c' sound in the Arabic version.
Hint as in “Bach”
But that's not how it's pronounced in Arabic, see my other comment.
I carry a knife specifically to stab people who pronounce my name that way (the Achmed way).
... yes, this is a joke.
... the knife is very dull and purely for ritualistic purposes!
( https://en.wikipedia.org/wiki/Kirpan )
Another variety: https://en.wikipedia.org/wiki/Jambiya
“ch” like in Scottish English “loch” is closer to the “h” in “Ahmad” than the normal English “h"
No, it's not. It's a soft 'H' sound in Arabic, the same as in Muhammad. It's closer to the English 'H'. The Scottish 'ch' is a different letter entirely in Arabic and doesn't appear in this name.
This sound, to be precise: https://en.wikipedia.org/wiki/Voiceless_pharyngeal_fricative
It is indeed closer in terms of its place of articulation to English 'h' than either variant of the German 'ch' sound.
I suppose the point is that it's not the voiceless glottal fricative?
To my ears [ħ] sounds closer to [x] and [χ] than to [h] (even though the place of articulation is closer to [h]), but I'm sure it's different for people who (natively) speak a language with all three.
Yeah, I imagine it's an interesting question which of these sounds is more perceptually similar to the target sound. It may well depend to some extent on the native language(s) of the person who is listening.
why trust the others and not Achmed?
AFAIK, major browser vendors trust any Certification Authority that follows the Baseline Requirements of the CA/Browser Forum.
https://cabforum.org/working-groups/server/baseline-requirem...
> why trust the others and not Achmed?
Because, "trust us". Seriously, Google, Microsoft, Cloudfare, etc. at the same level as Achmed. The only thing Achmed lacks is marketing.
See comment 13.
He's too honest
I'm getting warnings on an old Macbook Air that the Firefox CA certs are going to expire... except the OS is too old to update to a newer version. Oh noes!
Do I really care? That would imply I trusted CAs in the first place... all of them.
> Do I really care?
Firefox will not connect to web sites when certificates are expired.
I get the sense it's not serious, but is there any more context?
From the thread it seems like they’re poking fun at browser vendors adding untrustworthy CAs to their trust store and not removing them even for egregious violations.
Their point is that Honest Achmed is at least as honest as some of the other CAs they’ve allowed in. This issue was closed a few times because Honest Achmed hadn’t completed an external audit. It was reopened each time by users who pointed out that audits were redundant if Achmed quickly issued a tonne of certificates and became too big to remove.
In other words, this issue is an implicit critique of browsers certificate policies.
It was written around the time one of the CAs got dropped for signing certificates they shouldn't. (I wanna say it was DigiNotar, but that was a long time ago)
Edit: it was Comodo https://en.m.wikipedia.org/wiki/Comodo_Cybersecurity who allowed an affiliate to grant 9 bogus certs. (Which is probably the "cousin" part of the joke)
Meta question: where do people find these kinds of funny stuff??
Front page of Hacker News
Usually sharing between friends, communities, etc.
I’d say this one is a classic.
(2011)
[flagged]
I actually think that the used car salesman qualifier needed to be added to add the element of dishonesty to the character. I feel the middle-eastern name does plays into the trope of non-westerners's reliance on informal networks of kinship and reputation, but not necessarily dishonesty.
[flagged]
It would have been funnier if they implied the dodgy CA was racist.
If the joke itself is racist then a typical reaction would be to consider it less funny.
The ability to find humor in taboo topics is actually a sign of cognitive flexibility and social intelligence.
It's not like people condemning the choice of the name are unable to find the humor. We do find it. We are briefly entertained. Then we pause and ponder. Is it a good idea to use a negative stereotype in a joke? Don't we run the risk of confirming the stereotype even more?
We then find out that our answer to that question is "no". And we bring up the issue with other people.
There is no "inability to find humor" at play here.
Finding humour in racism may indicate any or all of:
1) cognitive flexibility 2) social intelligence 3) racism ;-)
Dodgy Dick would have been funnier.
It's called stochastic terrorism, and a society built on top of terror and racism would probably tell you it's "actually a sign of cognitive flexibility and social intelligence."
I had the same gut reaction as you. I was going to defend the joke as not being racist. Until I thought about it for a few minutes, and came to the conclusion that it's obviously racist. Whenever you have a gut reaction like that, you NEED to look deeper.
The restrooms at my town's dive bar are full of scatological, sexual and racist graffiti. It must be a hot spot for local geniuses. /s