Honest Ahmed (2011)

50 comments · January 18, 2025

resonanttoe

For those looking for more context - If memory serves it was in response to https://en.wikipedia.org/wiki/Comodo_Cybersecurity#Certifica... and the various controversies around it.

Honest Achmed has been one of my favorites for as long as it's been around.

fmajid

And also Symantec, and now Entrust. All of these CAs have incredibly sloppy vetting procedures and/or control over their resellers. In many cases they didn't even check CAA records to see if they'd be authorized to issue new certs, even though it has been a requirement for years. They had one job, and failed abysmally at it, relying on their too big to fail status. You can feel the frustration of people like Adam Langley at Google over his inability to bring the banhammer to bear fast enough on those clowns.

axus

This was closed as a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=233458, which was the predecessor to LetsEncrypt.

imadj

Previously:

Bug 647959 – Add Honest Achmed's root certificate - https://news.ycombinator.com/item?id=2463762 - April 2011 (114 comments)

Bug 647959 – Add Honest Achmed's root certificate (2011) - https://news.ycombinator.com/item?id=10839315 - January 2016 (68 comments)

Add Honest Achmed's root certificate (2011) - https://news.ycombinator.com/item?id=35490740 - April 2023 (25 comments)

ramon156

Am I the only one that understands 10% of what's going on? Obviously they won't add his CA, and there seems to be some other links to joke requests, but what am I missing?

nilsherzig

They are poking fun at the seemingly random (and non-trustworthy) companies which are allowed to issue root CAs and how hard it is to remove them if they reach the "too big to fail" status.

Dragging-Syrup

The best part is the website hxxps://www.honestachmed.dyndns.org/ is still up.

agumonkey

pardon the side question, what is this trend of rewriting http in hxxp? a reflex from platforms that don't allow sharing urls?

batch12

I do this to defang the url to prevent unintentional clicks or automatic previewing when working and reporting on security events. Sometimes the habit bleeds over.

agumonkey

ha, makes total sense :)

I might get into this habit too (and it's somehow funny how ~ergonomics can backfire)

cr3cr3

Yeah, and http only :) It would be hilarious if it had an invalid cert.

lionkor

why trust the others and not Achmed?

cpach

AFAIK, major browser vendors trust any Certification Authority that follows the Baseline Requirements of the CA/Browser Forum.

https://cabforum.org/working-groups/server/baseline-requirem...

ithkuil

He's too honest

begueradj

Achmed, not Ahmed ...

virtualritz

Yes, as far as the title on the Mozilla page goes, but: Ahmed is pronounced Achmed (if your first language is e.g. English).

Among my Arab friends with that name the spelling that omits the 'c' is more common. Another common form is Ahmad which is still pronounced the same.

The version with 'c' is one that contains a pronunciation hint for people whose native language is not Arabic (but probably English). As is the one with the 'e' vs the 'a' as last vowel.

I.e. Ahmad == Ahmed == Achmed.

Narishma

> The version with 'c' is one that contains a pronunciation hint for people whose native language is not Arabic (but probably English).

What hint would that be? There's no 'c' sound in the Arabic version.

ludwigvan

Hint as in “Bach”

TazeTSchnitzel

“ch” like in Scottish English “loch” is closer to the “h” in “Ahmad” than the normal English “h”

rich_sasha

I get the sense it's not serious, but is there any more context?

nindalf

From the thread it seems like they’re poking fun at browser vendors adding untrustworthy CAs to their trust store and not removing them even for egregious violations.

Their point is that Honest Achmed is at least as honest as some of the other CAs they’ve allowed in. This issue was closed a few times because Honest Achmed hadn’t completed an external audit. It was reopened each time by users who pointed out that audits were redundant if Achmed quickly issued a tonne of certificates and became too big to remove.

In other words, this issue is an implicit critique of browsers' certificate policies.

viraptor

It was written around the time one of the CAs got dropped for signing certificates they shouldn't. (I wanna say it was DigiNotar, but that was a long time ago)

Edit: it was Comodo https://en.m.wikipedia.org/wiki/Comodo_Cybersecurity who allowed an affiliate to grant 9 bogus certs. (Which is probably the "cousin" part of the joke)

burgerrito

Meta question: where do people find these kinds of funny stuff??

TazeTSchnitzel

Front page of Hacker News

lionkor

Usually sharing between friends, communities, etc.

sshine

(2011)
