Honest Ahmed (2011) (opens in new tab)

I do this to defang the url to prevent unintentional clicks or automatic previewing when working and reporting on security events. Sometimes the habit bleeds over.

1 more reply

cr3cr31y ago

Yeah, and http only :) It would be hilarious if it had invalid cert.

burgerrito1y ago· 3 in thread

Meta question: where do people find these kinds of funny stuff??

TazeTSchnitzel1y ago

Front page of Hacker News

lionkor1y ago

Usually sharing between friends, communities, etc.

cpach1y ago

I’d say this one is a classic.

begueradj1y ago· 2 in thread

Achmed, not Ahmed ...

virtualritz1y ago

Yes as far as the title on the Mozilla page goes but: Ahmed is pronounced Achmed (if your first langues is e.g. English).

Among my Arab friends with that name the spelling that omits the 'c' is more common. Another common form is Ahmad which is still pronounced the same.

The version with 'c' is one that contains a pronunciation hint for people whose native language is not Arabic (but probably English). As is the one with the 'e' vs the 'a' as last vowel.

I.e. Ahmad == Ahmed == Achmed.

Narishma1y ago

> The version with 'c' is one that contains a pronunciation hint for people whose native language is not Arabic (but probably English).

What hint would that be? There's no 'c' sound in the Arabic version.

2 more replies

rich_sasha1y ago· 2 in thread

I get the sense it's not serious, but is there any more context?

nindalf1y ago

From the thread it seems like they’re poking fun at browser vendors adding untrustworthy CAs to their trust store and not removing them even for egregious violations.

Their point is that Honest Achmed is at least as honest as some of the other CAs they’ve allowed in. This issue was closed a few times because Honest Achmed hadn’t completed an external audit. It was reopened each time by users who pointed out that audits were redundant if Achmed quickly issued a tonne of certificates and became too big to remove.

In other words, this issue is an implicit critique of browsers certificate policies.

viraptor1y ago

It was written around the time one of the CAs got dropped for signing certificates they shouldn't. (I wanna say it was DigiNotar, but that was a long time ago)

Edit: it was Comodo https://en.m.wikipedia.org/wiki/Comodo_Cybersecurity who allowed an affiliate to grant 9 bogus certs. (Which is probably the "cousin" part of the joke)

resonanttoe1y ago· 1 in thread

For those looking for more context - If memory serves it was in response to https://en.wikipedia.org/wiki/Comodo_Cybersecurity#Certifica... and the various controversies around it.

Honest Achmed has been one of my favorites for as long as its been around.

fmajid1y ago

And also Symantec, and now Entrust. All of these CAs have incredibly sloppy vetting procedures and/or control over their resellers. In many cases they didn't even check CAA records to see if they'd be authorized to issue new certs, even though it has been a requirement for years. They had one job, and failed abysmally at it, relying on their too big to fail status. You can feel the frustration of people like Adam Langley at Google over his inability to bring the banhammer to bear fast enough on those clowns.

ramon1561y ago· 1 in thread

Am I the only one that understands 10% of what's going on? Obviously they won't add his CA, and there seems to be some other links to joke requests, but what am I missing?

nilsherzig1y ago

They are poking fun at the seemingly random (and non-trustworthy) companies which are allowed to issue root CAs and how hard it is to remove them if they reach the "too big to fail" status.

m30471y ago· 1 in thread

I'm getting warnings on an old Macbook Air that the Firefox CA certs are going to expire... except the OS is too old to update to a newer version. Oh noes!

Do I really care? That would imply I trusted CAs in the first place... all of them.

hulitu1y ago

> Do I really care?

Firefox will not connect to web sites when certificates are expired.

axus1y ago

This was closed as a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=233458 , which was the predecessor to LetsEncrypt

imadj1y ago

Previously:

Bug 647959 – Add Honest Achmed's root certificate - https://news.ycombinator.com/item?id=2463762 - April 2011 (114 comments)

Bug 647959 – Add Honest Achmed's root certificate (2011) - https://news.ycombinator.com/item?id=10839315 - January 2016 (68 comments)

Add Honest Achmed's root certificate (2011) - https://news.ycombinator.com/item?id=35490740 - April 2023 (25 comments)

sshine1y ago

(2011)

1 more reply

j / k navigate · click thread line to collapse

46 comments

28 comments · 11 top-level

lionkor1y ago· 4 in thread

why trust the others and not Achmed?

cpach1y ago

AFAIK, major browser vendors trust any Certification Authority that follows the Baseline Requirements of the CA/Browser Forum.

https://cabforum.org/working-groups/server/baseline-requirem...

hulitu1y ago

> why trust the others and not Achmed?

Because, "trust us". Seriously, Google, Microsoft, Cloudfare, etc. at the same level as Achmed. The only thing Achmed lacks is marketing.

emmelaich1y ago

See comment 13.

ithkuil1y ago

He's too honest

Dragging-Syrup1y ago· 3 in thread

The best part is the website hxxps://www.honestachmed.dyndns.org/ is still up.

agumonkey1y ago

pardon the side question, what is this trend of rewriting http in hxxp ? a reflex from platforms that don't allow sharing urls ?

batch121y ago

I do this to defang the url to prevent unintentional clicks or automatic previewing when working and reporting on security events. Sometimes the habit bleeds over.

1 more reply

cr3cr31y ago

Yeah, and http only :) It would be hilarious if it had invalid cert.

burgerrito1y ago· 3 in thread

Meta question: where do people find these kinds of funny stuff??

TazeTSchnitzel1y ago

Front page of Hacker News

lionkor1y ago

Usually sharing between friends, communities, etc.

cpach1y ago

I’d say this one is a classic.

begueradj1y ago· 2 in thread

Achmed, not Ahmed ...

virtualritz1y ago

Yes as far as the title on the Mozilla page goes but: Ahmed is pronounced Achmed (if your first langues is e.g. English).

Among my Arab friends with that name the spelling that omits the 'c' is more common. Another common form is Ahmad which is still pronounced the same.

The version with 'c' is one that contains a pronunciation hint for people whose native language is not Arabic (but probably English). As is the one with the 'e' vs the 'a' as last vowel.

I.e. Ahmad == Ahmed == Achmed.

Narishma1y ago

> The version with 'c' is one that contains a pronunciation hint for people whose native language is not Arabic (but probably English).

What hint would that be? There's no 'c' sound in the Arabic version.

2 more replies

rich_sasha1y ago· 2 in thread

I get the sense it's not serious, but is there any more context?

nindalf1y ago

From the thread it seems like they’re poking fun at browser vendors adding untrustworthy CAs to their trust store and not removing them even for egregious violations.

In other words, this issue is an implicit critique of browsers certificate policies.

viraptor1y ago

It was written around the time one of the CAs got dropped for signing certificates they shouldn't. (I wanna say it was DigiNotar, but that was a long time ago)

Edit: it was Comodo https://en.m.wikipedia.org/wiki/Comodo_Cybersecurity who allowed an affiliate to grant 9 bogus certs. (Which is probably the "cousin" part of the joke)

resonanttoe1y ago· 1 in thread

For those looking for more context - If memory serves it was in response to https://en.wikipedia.org/wiki/Comodo_Cybersecurity#Certifica... and the various controversies around it.

Honest Achmed has been one of my favorites for as long as its been around.

fmajid1y ago

ramon1561y ago· 1 in thread

Am I the only one that understands 10% of what's going on? Obviously they won't add his CA, and there seems to be some other links to joke requests, but what am I missing?

nilsherzig1y ago

They are poking fun at the seemingly random (and non-trustworthy) companies which are allowed to issue root CAs and how hard it is to remove them if they reach the "too big to fail" status.

m30471y ago· 1 in thread

I'm getting warnings on an old Macbook Air that the Firefox CA certs are going to expire... except the OS is too old to update to a newer version. Oh noes!

Do I really care? That would imply I trusted CAs in the first place... all of them.

hulitu1y ago

> Do I really care?

Firefox will not connect to web sites when certificates are expired.

axus1y ago

This was closed as a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=233458 , which was the predecessor to LetsEncrypt

imadj1y ago

Previously:

Bug 647959 – Add Honest Achmed's root certificate - https://news.ycombinator.com/item?id=2463762 - April 2011 (114 comments)

Bug 647959 – Add Honest Achmed's root certificate (2011) - https://news.ycombinator.com/item?id=10839315 - January 2016 (68 comments)

Add Honest Achmed's root certificate (2011) - https://news.ycombinator.com/item?id=35490740 - April 2023 (25 comments)

sshine1y ago

(2011)

1 more reply

j / k navigate · click thread line to collapse