This is just a quick post to point out some inconsistent logic from Google as it becomes ever more powerful over the lives of people and businesses across the world. And yes, we understand the irony as we post this using Google's blogging site.
Google is keen on ensuring all web sites use SSL/TLS (sites starting with the "https://" prefix) encryption, even when the content of a web site is not sensitive. Google's search product gives "rank" preference to web sites using HTTPS, even though HTTPS has nothing to say about the trustworthiness of those site owners or their content. While HTTPS does increase network security a tiny bit, Google also operates its own Public Key Infrastructure (PKI) Certificate Authority (CA) which it uses to sign all of its SSL certificates.
Why is that a problem? It's not.
But it is inconsistent and hypocritical in Google's imposition of ever more control over all web sites and ever more tracking of the actions of billions of people. Of course, Google's tracking software works just fine over HTTPS, ensuring no network monitoring can access or alter any of Google's omnipresent tracking communications.
The problem is its Chrome browser disparages web sites using self-signed certificates. Yet the reality is that all Google properties (google.com, blogger.com, youtube.com...) are effectively using self-signed certificates.
For many entities, of course, SSL certificates are expensive, need constant renewals, and are "approved" by self-proclaimed "Certificate Authorities" that really know nothing about you or the web sites to suggest any actual trust is involved. CAs don't offer any assurances about any of the web sites they approve, after being paid their fee of course. This is the reason why PKI in general has failed to be adopted much outside of its use for HTTPS-enabled web sites.
Secure communications is great and necessary, but there's no actual trust granted to a web site by purchasing a CA-approved certificate. There is really little evidence theses CAs provide useful services, or that any people actually have any trust whatsoever in those CAs pre-approved in web browsers. That pre-approved "trust" is actually just between the browser vendor and those CAs who have paid the browser vendors to be so pre-approved, not between any of the actual human beings who use the browser and any of those so-called CAs or the web sites they subsequently say you can trust. Yet Google still maintains that self-signed certificates are untrustworthy and will instill fear in users that the security is no good.
Of course, the security of the SSL connection (actually, more likely TLS 1.2 or better if you want reasonably good security) is identically strong regardless of how much money is given to CAs.
This is the sort of anti-trust activity of overly powerful and expansive corporations that needs to be tamed.
Google started off with search and "Don't be evil," then over the years it created its own browser and its own mobile platform, then created its own SSL CA where it pre-trusts itself for you, then modified its search results to give preference to CA-approved web sites without regard to the actual trust of those web sites or CAs, all while suggesting a self-signed certificate is not secure and you should alarmed at finding one.
All except for Google signing its own web site certificates.
Enterprise WebApps: Security, digital signatures and workflow online
Monday, March 11, 2019
Thursday, April 27, 2017
HR Onboarding Solutions wins business plan competition
Yozons is proud that one of its resellers, HR Onboarding Solutions, LLC, has won a business plan competition in San Angelo, Texas.
Read more in their local newspaper.
Brent Jameson, founder of HR Onboarding Solutions, started reselling Yozons Open eSignForms in 2014 after being a long-time customer of Yozons HR systems at multiple times at various companies in Texas, including a bank and a large chemical company.
Brent started out reselling our HR applicant tracking and onboarding product (previously called My HR eSignForms Suite) that he calls HROS, and quickly partnered to co-develop a DOT onboarding package of documents to track DOT drivers that can be deployed standalone or integrated into HROS.
With his ever growing list of clients, he now not only offers his customers solutions built on our https://esign-hr.com servers, but he also operates two independent private web servers for his larger "multi-client systems" where large numbers of his smaller clients share a single, yet customizable and brandable, service with a shared, outsourced HR management team.
Brent didn't stop with HROS and DOT. He now has two additional products he developed entirely on his own.
The first is his Student Onboarding Service (SOS) for accepting applications for families with 1-7 children and then providing student registration for those accepted applications. Often, applications must first go through a lottery to determine who is offered the opportunity to attend a given Texas charter school. SOS is primarily offered now as a multi-client service in partnership with the largest charter school organizations in Texas.
The second and most recent product offering is his Leave of Absence (LOA) system used by companies and financial/insurance providers related to employees who need to take leave based on the Family and Medical Leave Act of 1993 (FMLA) or Short-Term Disability (STD).
All of his products and services run on Yozons Open eSignForms. Please contact Brent by email for a demo of his rapidly expanding services.
Read more in their local newspaper.
Brent Jameson, founder of HR Onboarding Solutions, started reselling Yozons Open eSignForms in 2014 after being a long-time customer of Yozons HR systems at multiple times at various companies in Texas, including a bank and a large chemical company.
Brent started out reselling our HR applicant tracking and onboarding product (previously called My HR eSignForms Suite) that he calls HROS, and quickly partnered to co-develop a DOT onboarding package of documents to track DOT drivers that can be deployed standalone or integrated into HROS.
With his ever growing list of clients, he now not only offers his customers solutions built on our https://esign-hr.com servers, but he also operates two independent private web servers for his larger "multi-client systems" where large numbers of his smaller clients share a single, yet customizable and brandable, service with a shared, outsourced HR management team.
Brent didn't stop with HROS and DOT. He now has two additional products he developed entirely on his own.
The first is his Student Onboarding Service (SOS) for accepting applications for families with 1-7 children and then providing student registration for those accepted applications. Often, applications must first go through a lottery to determine who is offered the opportunity to attend a given Texas charter school. SOS is primarily offered now as a multi-client service in partnership with the largest charter school organizations in Texas.
The second and most recent product offering is his Leave of Absence (LOA) system used by companies and financial/insurance providers related to employees who need to take leave based on the Family and Medical Leave Act of 1993 (FMLA) or Short-Term Disability (STD).
All of his products and services run on Yozons Open eSignForms. Please contact Brent by email for a demo of his rapidly expanding services.
Monday, January 9, 2017
Why Yozons left social media -- Taking control of your life by not giving it away to enrich others as your friends' expense
Yozons has always been an independent company, one that leads in innovation, prides itself on customer privacy, and openly shares the wealth of its technologies and services to the world. The advent of social media -- which we distinguish as corporate-provided tools for continuously communicating with your social or business circles such as Twitter, Facebook, Snapchat and Instagram -- seems a great idea that revolutionizes business and personal interactions. But our gut suggested this just was not the case. Our brains finally told us it's time to quit this nasty habit and the purveyors of fake news that latch on to our trusted social connections.
There is irony in the millennials and Occupy Wall Street protesters using Twitter and Facebook to spread their economic message while massively enriching the one percent via the over-sharing by the 99 percent. The same for the Arab Spring and the spring of Daesh (ISIL) using "free media" to spread hatred, violence and denounce actual freedom and replace reason with nonsense.
The final nudge for Yozons came after watching the TEDx presentation Quit social media with Dr. Cal Newport; this final straw encouraged us to leave social media behind forever. We encourage you to consider doing so as well. Many of the reasons cited in the TEDx presentation are far more troublesome for those who become addicted to social media, something we hadn't even considered ourselves.
While we never use Snapchat or Instagram, we closed our Facebook account a few years ago after using it's system for our own advertising. The level of targeting was tremendous, though quite frankly not well suited to our needs for finding companies that are looking to contract online and go paperless. It was clear that such refined targeting will lead to the decline of actual social bonds, the antithesis of the World Wide Web's open information model.
What was clear to us then is that Facebook had convinced billions of people to provide their personal information, often intimate details about family, friends, marriages, divorces, dates, vacations, schools, parties, etc., and to share it widely. Those who didn't manage their ever-changing privacy settings often shared to an unknown "public" that couldn't easily be retracted. This information was even abused by some employers and universities who thought it okay to demand access to social media accounts as a way to judge a prospect, the very definition of thought crimes and totalitarianism, a mingling of free expression with a demand to break the social contract regarding Liberty and Privacy and Human Decency.
But mostly it was abused by Facebook itself. Facebook, the company, effectively displays content you create and freely, if not thoughtfully, give to them so it can offer it as entertainment to others. It combines actual postings from "friends" with other targeted postings (aka "fake news" and "paid advertising posing as news") that often carries your friend's names even if they never intended to have their trusted names abused in this way. This is the subversive power of the 'like' button. If you like McDonalds or The New Yorker, then postings by those companies often appear in the "news feed" of your friends with a comment suggesting you like the posting itself, regardless of the content.
It may not feel that way to you, that you are just sharing photos of a recent marriage or birth with family and friends. But Facebook is monetizing your content. It is monetizing your family and friends using your as bait. And, of course, we all can see well that our Facebook "friends" have became a hodgepodge of actual family and actual friends, but also neighbors, acquaintances, classmates, business associates, and a slew of others who asked to become an online friend, making you appear to be mean to deny such a nice sounding request.
Well, Facebook the company isn't making money on your content itself so much as it causes more people to stay on Facebook the web site longer and across more devices in order to sell advertising to other corporations that attempt to sell their products and services to your so-called family and friends. All of their wealth is created based on your "sharing" that lures your family and friends to visit Facebook to see what you could have shared with them directly and privately and without advertising. The details you provide, and the social connections you share with a for-profit, super rich corporation, allows it to become richer still. You enrich them, but your compensation is primarily trivial entertainment that sucks a lot of your time via constant interruptions in your real life, often at the expense of being sold and marketed to on a constant basis, and worse, causing that to be foisted upon those you know.
We've finally decided to close our last remaining social media account, Twitter, as the last step to free ourselves from this grip and abuse of trust. Like Facebook, our early Twitter followers were actually interested in Yozons, often business partners, prospects and customers. But over time, our followers seem more like robot accounts that are themselves just trying to sell back to us (i.e. "Bob Jones the Real Estate agent liked your tweet about rising property taxes"). We'd post some link about encryption, or privacy, or tips on using the service, or own own bragging about record revenues or the millions of transactions handled through our service in 2016, and then we'd get "liked" or "followed" by odd accounts that were unrelated to our posting. They didn't appear to like or be interested in us at all, but were designed to broadcast a "new friend/follower" message that served their interest to sell us on them.
Previously, we had noted that a competitor was basically paying its customers, by providing a small discount to their service, if their customers agreed to have a tweet sent out every time they completed a contract online. It seemed bizarre to us, as none of our customers since 2000 have ever requested the ability to share details about their contracting with the world. Adding a Twitter hook is trivial, yet it is clear that this served nobody's actual interests -- well, the competitor that gave the discount no doubt hoped it could latch on to your social network to drive more sales of its service -- and is simply selling yourself cheap to benefit yet another corporation. Yozons is a corporation, and we enjoy the profits of our hard work, but we've never thought it ethical to make money indirectly by selling our customer information, who they interact with, the types of deals they do, or to show advertising to them all. We simply do not want to be a part of that, and never did and never will play in that game. Privacy matters to us by policy. We sell our services directly to accomplish useful tasks that our customers want, and we sell nothing more or on the side.
Data mining other people's data is wrong without absolutely clear consent. Too often, the consent is hidden behind unclear language. How many people understand that when they 'like' something that it's then used to sell that product to your expansive social net by saying that you like it over and over again regardless of whether you agree with any of the content. We may like The New York Times, but it's weird to see a posting by them such as "ISIS kills 35 in a market blast" coupled with "Yozons likes..." above it?
Don't get us wrong. If you really like Twitter and Facebook, and you don't mind that they monetize your content and connections, and you don't mind the never-ending cycle of interruptions to see "what's happening," we hold no grudge. Everyone gets to make up their own minds. We just no longer wish to participate.
Our experience is that most of our real interactions with actual customers and business associates are still best handled with direct communications rather than relying on third party entertainment providers who will do anything to keep you hooked and using their stuff. Email is the primary method and is a private message between directed parties. It's real communications rather than a simple bragging post thrown out there for some to see and most never to notice. It's real sharing in that we are sending you information, or a photo or link, because you are important and meaningful to us, or you are asking a question that we try to answer as honestly as possible. Conversation is much better when it's directed and bi-directional. And email -- other than perhaps those who use Gmail or similar corporate-provided free email services -- is almost never data mined or used to sell advertising to you and those you communicate with. Like a text message, it's generally private and no solicitations or personal data mining typically takes place. Even with Gmail, any ads are only shown to you as a user, not to those you send emails to and suggesting you approve of those ads.
Some old school people still prefer to talk over the phone, and yet again this is a direct, two-way conversation. It's often the best method when face-to-face is not possible. It's private and doesn't enrich the provider by selling your conversation to others or just advertising junk to those you talk to. Technologies like GoToMeeting serve an online version of this, providing a real conversation among a limited group in a way that doesn't result in your content being processed to aid advertising to those you communicate with.
Of course, we still have a web site as it's a great way for us to provide information about our products and services, pricing, links to online documentation, and to remind people of how to contact us directly when that's best. We do have this blog and helpful YouTube videos and even a Google Group for a public technology discussion forum, and those suffer some of the issues of a Twitter or Facebook, but we find they are much less constant and don't really create a social graph that serves the interest of unknown advertisers. In fact, we don't buy any Google or other social media advertising either, a truly rare trait among vendors who care more about your dollars than your success.
We trust you won't miss our Tweets and Facebook postings, and we look forward to continued direct conversations with your prospects, customers and business partners.
Happy New Year and we wish you all the best for 2017.
------------
Updated 7/18/2017 -- FAKE NEWS: More troubles with believing the nonsense posted in social media.
Updated 11/10/2017 -- MANIPULATED: Facebook’s first president, on Facebook: ‘God only knows what it’s doing to our children’s brains’
Updated 11/20/2017 -- NONSENSE ECHO CHAMBER: Expert on bots and social-media manipulation hopes people are finally listening
Updated 4/12/2018 -- FACEBOOK PRIVACY SELLOFF: What you don’t know about how Facebook uses your data
There is irony in the millennials and Occupy Wall Street protesters using Twitter and Facebook to spread their economic message while massively enriching the one percent via the over-sharing by the 99 percent. The same for the Arab Spring and the spring of Daesh (ISIL) using "free media" to spread hatred, violence and denounce actual freedom and replace reason with nonsense.
The final nudge for Yozons came after watching the TEDx presentation Quit social media with Dr. Cal Newport; this final straw encouraged us to leave social media behind forever. We encourage you to consider doing so as well. Many of the reasons cited in the TEDx presentation are far more troublesome for those who become addicted to social media, something we hadn't even considered ourselves.
While we never use Snapchat or Instagram, we closed our Facebook account a few years ago after using it's system for our own advertising. The level of targeting was tremendous, though quite frankly not well suited to our needs for finding companies that are looking to contract online and go paperless. It was clear that such refined targeting will lead to the decline of actual social bonds, the antithesis of the World Wide Web's open information model.
What was clear to us then is that Facebook had convinced billions of people to provide their personal information, often intimate details about family, friends, marriages, divorces, dates, vacations, schools, parties, etc., and to share it widely. Those who didn't manage their ever-changing privacy settings often shared to an unknown "public" that couldn't easily be retracted. This information was even abused by some employers and universities who thought it okay to demand access to social media accounts as a way to judge a prospect, the very definition of thought crimes and totalitarianism, a mingling of free expression with a demand to break the social contract regarding Liberty and Privacy and Human Decency.
But mostly it was abused by Facebook itself. Facebook, the company, effectively displays content you create and freely, if not thoughtfully, give to them so it can offer it as entertainment to others. It combines actual postings from "friends" with other targeted postings (aka "fake news" and "paid advertising posing as news") that often carries your friend's names even if they never intended to have their trusted names abused in this way. This is the subversive power of the 'like' button. If you like McDonalds or The New Yorker, then postings by those companies often appear in the "news feed" of your friends with a comment suggesting you like the posting itself, regardless of the content.
It may not feel that way to you, that you are just sharing photos of a recent marriage or birth with family and friends. But Facebook is monetizing your content. It is monetizing your family and friends using your as bait. And, of course, we all can see well that our Facebook "friends" have became a hodgepodge of actual family and actual friends, but also neighbors, acquaintances, classmates, business associates, and a slew of others who asked to become an online friend, making you appear to be mean to deny such a nice sounding request.
Well, Facebook the company isn't making money on your content itself so much as it causes more people to stay on Facebook the web site longer and across more devices in order to sell advertising to other corporations that attempt to sell their products and services to your so-called family and friends. All of their wealth is created based on your "sharing" that lures your family and friends to visit Facebook to see what you could have shared with them directly and privately and without advertising. The details you provide, and the social connections you share with a for-profit, super rich corporation, allows it to become richer still. You enrich them, but your compensation is primarily trivial entertainment that sucks a lot of your time via constant interruptions in your real life, often at the expense of being sold and marketed to on a constant basis, and worse, causing that to be foisted upon those you know.
We've finally decided to close our last remaining social media account, Twitter, as the last step to free ourselves from this grip and abuse of trust. Like Facebook, our early Twitter followers were actually interested in Yozons, often business partners, prospects and customers. But over time, our followers seem more like robot accounts that are themselves just trying to sell back to us (i.e. "Bob Jones the Real Estate agent liked your tweet about rising property taxes"). We'd post some link about encryption, or privacy, or tips on using the service, or own own bragging about record revenues or the millions of transactions handled through our service in 2016, and then we'd get "liked" or "followed" by odd accounts that were unrelated to our posting. They didn't appear to like or be interested in us at all, but were designed to broadcast a "new friend/follower" message that served their interest to sell us on them.
Previously, we had noted that a competitor was basically paying its customers, by providing a small discount to their service, if their customers agreed to have a tweet sent out every time they completed a contract online. It seemed bizarre to us, as none of our customers since 2000 have ever requested the ability to share details about their contracting with the world. Adding a Twitter hook is trivial, yet it is clear that this served nobody's actual interests -- well, the competitor that gave the discount no doubt hoped it could latch on to your social network to drive more sales of its service -- and is simply selling yourself cheap to benefit yet another corporation. Yozons is a corporation, and we enjoy the profits of our hard work, but we've never thought it ethical to make money indirectly by selling our customer information, who they interact with, the types of deals they do, or to show advertising to them all. We simply do not want to be a part of that, and never did and never will play in that game. Privacy matters to us by policy. We sell our services directly to accomplish useful tasks that our customers want, and we sell nothing more or on the side.
Data mining other people's data is wrong without absolutely clear consent. Too often, the consent is hidden behind unclear language. How many people understand that when they 'like' something that it's then used to sell that product to your expansive social net by saying that you like it over and over again regardless of whether you agree with any of the content. We may like The New York Times, but it's weird to see a posting by them such as "ISIS kills 35 in a market blast" coupled with "Yozons likes..." above it?
Don't get us wrong. If you really like Twitter and Facebook, and you don't mind that they monetize your content and connections, and you don't mind the never-ending cycle of interruptions to see "what's happening," we hold no grudge. Everyone gets to make up their own minds. We just no longer wish to participate.
Our experience is that most of our real interactions with actual customers and business associates are still best handled with direct communications rather than relying on third party entertainment providers who will do anything to keep you hooked and using their stuff. Email is the primary method and is a private message between directed parties. It's real communications rather than a simple bragging post thrown out there for some to see and most never to notice. It's real sharing in that we are sending you information, or a photo or link, because you are important and meaningful to us, or you are asking a question that we try to answer as honestly as possible. Conversation is much better when it's directed and bi-directional. And email -- other than perhaps those who use Gmail or similar corporate-provided free email services -- is almost never data mined or used to sell advertising to you and those you communicate with. Like a text message, it's generally private and no solicitations or personal data mining typically takes place. Even with Gmail, any ads are only shown to you as a user, not to those you send emails to and suggesting you approve of those ads.
Some old school people still prefer to talk over the phone, and yet again this is a direct, two-way conversation. It's often the best method when face-to-face is not possible. It's private and doesn't enrich the provider by selling your conversation to others or just advertising junk to those you talk to. Technologies like GoToMeeting serve an online version of this, providing a real conversation among a limited group in a way that doesn't result in your content being processed to aid advertising to those you communicate with.
Of course, we still have a web site as it's a great way for us to provide information about our products and services, pricing, links to online documentation, and to remind people of how to contact us directly when that's best. We do have this blog and helpful YouTube videos and even a Google Group for a public technology discussion forum, and those suffer some of the issues of a Twitter or Facebook, but we find they are much less constant and don't really create a social graph that serves the interest of unknown advertisers. In fact, we don't buy any Google or other social media advertising either, a truly rare trait among vendors who care more about your dollars than your success.
We trust you won't miss our Tweets and Facebook postings, and we look forward to continued direct conversations with your prospects, customers and business partners.
Happy New Year and we wish you all the best for 2017.
------------
Updated 7/18/2017 -- FAKE NEWS: More troubles with believing the nonsense posted in social media.
Updated 11/10/2017 -- MANIPULATED: Facebook’s first president, on Facebook: ‘God only knows what it’s doing to our children’s brains’
Updated 11/20/2017 -- NONSENSE ECHO CHAMBER: Expert on bots and social-media manipulation hopes people are finally listening
Updated 4/12/2018 -- FACEBOOK PRIVACY SELLOFF: What you don’t know about how Facebook uses your data
Wednesday, August 3, 2016
Patent licensing updates: 11 licensees and growing
In our previous installment "Patents and the small business inventor," we noted the high cost of acquiring a patent, maintaining it with the patent office, fighting off ex-parte re-examinations, and then enforcing the granted legal rights to your intellectual property (IP) against companies that are often much richer than you are as a small inventor. With the advent of the Alice ruling, some even hope your patent will fail this legal challenge, though all such challenges to our patent have been dropped or lost.
Competitors will threaten you with counter lawsuits. Competitors will threaten you with high legal fees needed to protect your IP as they play linguistic games around the meaning of "is" (no actual confusion) and "publishing house" (means nothing without context) and present straw man arguments. They will say what you invented was obvious, a conclusion they wish to reach by discounting the truly obvious fact that sufficient technology existed for decades under public key infrastructure (PKI), yet not a single vendor or academic offered the new approach before. And once you did offer the approach along with a publicly available patent disclosing it, everyone followed this "now obvious" solution.
Fortunately, Yozons has been working with our law firm to iron out patent license agreements with various parties. We now have 11 companies covered by our patent license, from the largest to the smallest of competitors in the e-signature space, as well as PDF vendors and real estate vendors. It is a slow moving process involving lawyers, bean counters and sometimes the courts themselves.
Two companies we approached had suggested they would cease operations rather than acquire the license, but in the end, both ended up purchasing the license rather than closing shop. This is good as competition is much needed, and our license fees are most reasonable.
Our '079 patent works well in the United States, Canada, Australia and New Zealand. We have some success in the U.K., but as the E.U. moves itself backwards with it's updated (they had a previously sound e-signature directive) Advanced Electronic Signature regulation called eIDAS, our invention cannot work. Our IP has no place in a PKI world, and that's a good thing.
In fact, no web-based solution will work easily with eIDAS, and it's just silly to suggest that end users will be better suited to keeping digital signature keys and documents secure on their own. Security is hard, and end users are known for skipping anything hard. Click here? Looks legit to me? Gotta see this? Pretending that infected PCs and misplaced laptops, phones and tablets is the route to "advanced" electronic signatures misunderstands that adjective, as if going back to 1990s failed PKI via committee-generated standards will ever work in practice.
There is a reason why e-signatures in the U.S.A. have taken off compared to other countries and the E.U. We invented it!
Competitors will threaten you with counter lawsuits. Competitors will threaten you with high legal fees needed to protect your IP as they play linguistic games around the meaning of "is" (no actual confusion) and "publishing house" (means nothing without context) and present straw man arguments. They will say what you invented was obvious, a conclusion they wish to reach by discounting the truly obvious fact that sufficient technology existed for decades under public key infrastructure (PKI), yet not a single vendor or academic offered the new approach before. And once you did offer the approach along with a publicly available patent disclosing it, everyone followed this "now obvious" solution.
Fortunately, Yozons has been working with our law firm to iron out patent license agreements with various parties. We now have 11 companies covered by our patent license, from the largest to the smallest of competitors in the e-signature space, as well as PDF vendors and real estate vendors. It is a slow moving process involving lawyers, bean counters and sometimes the courts themselves.
Two companies we approached had suggested they would cease operations rather than acquire the license, but in the end, both ended up purchasing the license rather than closing shop. This is good as competition is much needed, and our license fees are most reasonable.
Our '079 patent works well in the United States, Canada, Australia and New Zealand. We have some success in the U.K., but as the E.U. moves itself backwards with it's updated (they had a previously sound e-signature directive) Advanced Electronic Signature regulation called eIDAS, our invention cannot work. Our IP has no place in a PKI world, and that's a good thing.
In fact, no web-based solution will work easily with eIDAS, and it's just silly to suggest that end users will be better suited to keeping digital signature keys and documents secure on their own. Security is hard, and end users are known for skipping anything hard. Click here? Looks legit to me? Gotta see this? Pretending that infected PCs and misplaced laptops, phones and tablets is the route to "advanced" electronic signatures misunderstands that adjective, as if going back to 1990s failed PKI via committee-generated standards will ever work in practice.
There is a reason why e-signatures in the U.S.A. have taken off compared to other countries and the E.U. We invented it!
Saturday, February 14, 2015
HTML-based documents are compact and readable, and allow for a flexible, responsive design
Some have asked why Yozons Open eSignForms doesn't work with uploaded documents like those of most every other competing web-based contracting system. These people point out that they already have legacy systems that produce PDFs or Word documents and they'd like to drive those through a modern workflow, often mostly for electronic signatures.
Of course, there is a need for such a requirement, and it's pretty common for those who work with older applications created before e-signatures grew in popularity. Previously, those PDF documents were printed for a wet signature. Yozons believes that this sort of capability is already well provided by competitors, almost all of which take the approach of accepting PDF, Word or other types of files. Yozons' original Signed & Secured allows for signing of any type of file since 2001, but this approach was deprecated by Yozons in favor of HTML documents starting back in 2004, which eventually lead to the eSignForms in 2005 predecessor to Open eSignForms in 2011.
Open eSignForms is designed to use HTML-based documents. Sure, with Open eSignForms you can attach PDFs and other types of files with ease, and you can even export signed HTML documents in PDF format to produce legal copies (the legal original remains the digitally signed HTML version), but we don't allow them become the primary document to be filled out and signed. There is an image overlay scheme that provides something similar for filling out an inflexible document that must maintain its exact layout, but this has all of the same limitations of using uploaded PDFs.
A big benefit of HTML documents over PDFs and Word is that they are typically much smaller in size. If you do only a few contracts, size may not matter, but if you do hundreds or thousands per day, size matters, and this gets more important if you need to store those documents for many years or decades. Long term viability of a document format is important for e-signatures, and anybody who has done word processing for a long time can point out how older file formats are no longer useful because of software version changes. HTML has always been supported by many different browsers, so no one vendor controls HTML to produce vendor lock-in.
PDFs do have advantages, of course, such as being able to create a document that will render and print just as it was laid out, including working with fonts that the reader may not have available. But font availability is changing with the web open font format (WOFF) that allows fonts to be downloaded from the Internet even if the user's browser doesn't support that font directly. We won't mention the ongoing and myriad security issues related to Adobe Reader and the need to have that troublesome plugin updated regularly to avoid putting your computer at risk.
PDF and Word files require special software to view them in any meaningful way. If you open either in a text editor, it's pretty hard to read the content or make any sense of it. However, with HTML, a document is still pretty readable. The contractual terms can be seen even if no web browser were available, but of course web browsers are not only available, they are appearing in more and more places.
With HTML, Open eSignForms is able to do things that fixed documents in PDF or Word format simply cannot match. With HTML, whole sections of a document can be replaced at run-time based on which party is working the document, or based on data values, etc. You just can't make a PDF document hide a paragraph or swap out some language based on data in a transaction. And of course a PDF cannot natively support data entry over the web.
HTML also supports form input natively, so using HTML documents to allow for data entry is built-in and understood by all Internet users.
Also, as the mobile web has most recently demonstrated, the Internet will continue to change over time and gain more powers that are available via HTML. The mobile web has introduced the concept of responsive design so that a page renders well on a small phone screen as well as on a large monitor. HTML is suited for all of these ever-changing needs.
HTML is a very good format for documents. It is standardized internationally, can be read even without special software (at least when it's HTML and not a Web 2.0 document where most of the rendering is done via Javascript and thus is no longer readable without a browser, making them suffer some of the same issues that PDF and Word documents already have), is compact, and supports screens of all sizes without the need for any special plug-ins.
Lastly, those with disabilities can have HTML documents read to them or shown in braille, etc. HTML is the new international, interoperable document format, whereas PDF and Word are old, proprietary formats that continue to morph as they try to remain relevant for those who are locked in and cannot yet migrate to the HTML standard.
Of course, there is a need for such a requirement, and it's pretty common for those who work with older applications created before e-signatures grew in popularity. Previously, those PDF documents were printed for a wet signature. Yozons believes that this sort of capability is already well provided by competitors, almost all of which take the approach of accepting PDF, Word or other types of files. Yozons' original Signed & Secured allows for signing of any type of file since 2001, but this approach was deprecated by Yozons in favor of HTML documents starting back in 2004, which eventually lead to the eSignForms in 2005 predecessor to Open eSignForms in 2011.
Open eSignForms is designed to use HTML-based documents. Sure, with Open eSignForms you can attach PDFs and other types of files with ease, and you can even export signed HTML documents in PDF format to produce legal copies (the legal original remains the digitally signed HTML version), but we don't allow them become the primary document to be filled out and signed. There is an image overlay scheme that provides something similar for filling out an inflexible document that must maintain its exact layout, but this has all of the same limitations of using uploaded PDFs.
A big benefit of HTML documents over PDFs and Word is that they are typically much smaller in size. If you do only a few contracts, size may not matter, but if you do hundreds or thousands per day, size matters, and this gets more important if you need to store those documents for many years or decades. Long term viability of a document format is important for e-signatures, and anybody who has done word processing for a long time can point out how older file formats are no longer useful because of software version changes. HTML has always been supported by many different browsers, so no one vendor controls HTML to produce vendor lock-in.
PDFs do have advantages, of course, such as being able to create a document that will render and print just as it was laid out, including working with fonts that the reader may not have available. But font availability is changing with the web open font format (WOFF) that allows fonts to be downloaded from the Internet even if the user's browser doesn't support that font directly. We won't mention the ongoing and myriad security issues related to Adobe Reader and the need to have that troublesome plugin updated regularly to avoid putting your computer at risk.
PDF and Word files require special software to view them in any meaningful way. If you open either in a text editor, it's pretty hard to read the content or make any sense of it. However, with HTML, a document is still pretty readable. The contractual terms can be seen even if no web browser were available, but of course web browsers are not only available, they are appearing in more and more places.
With HTML, Open eSignForms is able to do things that fixed documents in PDF or Word format simply cannot match. With HTML, whole sections of a document can be replaced at run-time based on which party is working the document, or based on data values, etc. You just can't make a PDF document hide a paragraph or swap out some language based on data in a transaction. And of course a PDF cannot natively support data entry over the web.
HTML also supports form input natively, so using HTML documents to allow for data entry is built-in and understood by all Internet users.
Also, as the mobile web has most recently demonstrated, the Internet will continue to change over time and gain more powers that are available via HTML. The mobile web has introduced the concept of responsive design so that a page renders well on a small phone screen as well as on a large monitor. HTML is suited for all of these ever-changing needs.
HTML is a very good format for documents. It is standardized internationally, can be read even without special software (at least when it's HTML and not a Web 2.0 document where most of the rendering is done via Javascript and thus is no longer readable without a browser, making them suffer some of the same issues that PDF and Word documents already have), is compact, and supports screens of all sizes without the need for any special plug-ins.
Lastly, those with disabilities can have HTML documents read to them or shown in braille, etc. HTML is the new international, interoperable document format, whereas PDF and Word are old, proprietary formats that continue to morph as they try to remain relevant for those who are locked in and cannot yet migrate to the HTML standard.
Tuesday, January 20, 2015
Untrustworthy electronic signatures
Eileen Y. Chou, of the Frank Batten School of Leadership and Public Policy at the University of Virginia, published a study on how people perceive electronic signatures over traditional handwritten signatures. It appears in the December 2, 2014 issue of Social Psychological and Personality Science.
We find the study fascinating because the usage of e-signatures has exploded in the past decade, indicating growing acceptance and preference, while the study suggests such e-signatures are viewed by some as less trustworthy. No doubt there is both a generational as well as a business-versus-consumer difference in perception. And of course the breadth of implementations of e-signatures truly does mean that some are indeed more trustworthy than others. Some suggest checkboxes are valid e-signatures, but we wouldn't bet that the courts will side with you if that's all you can present as evidence of a signed contract. We know there are even e-signature vendors that provide no credible proof, such as via digital signatures, that electronic documents or their signatures are valid.
Then again, this is true for wet signatures, too. Most people just don't think about them. For example, signatures on checks and credit card receipts are effectively never checked for validity. The cost of comparing handwritten signatures is just too high and few can do it well. Fewer still have a sample wet signature on file to compare against, and of course handwritten signatures change over the course of time, the type of writing implement used, whether it's cold or hot or damp, etc. As a leftie, far too many of my signatures ended up smeared.
Wet signatures also come with built-in delays and expenses for printing and delivery, and all returned documents have to be checked to ensure nothing has been altered since it was originally provided. Paper faxes are often impossible to read, especially when receiving a fax of your fax, and few users have a fax machine handy these days as they require a both a device and a landline. In the days of cell phones and Internet browsers and email, paper is not as easily processed as it once was.
The study discusses the idea of "presence," indicating that most felt a handwritten signature indicated greater presence of the signer. Of course, there is no basis for this belief, it's just something most do not take time to consider. Sure, if you get a notarized signature in which both parties present valid identification and the signing takes place in front of each other, there is substantial presence involved. Naturally, it's precisely this sort of presence -- including its hassle and expense -- that most drives the adoption of e-signatures. Every time a paper letter arrives in my mailbox for my son who is now at the university, it is clear how much trouble paper is, presence is, and of course the privacy issues it raises. Did I open the letter? Toss it? Did it arrive in my neighbor's box yet again so they had possession before me? Did they toss it or tell me "they didn't notice" it was misdelivered until after they opened it? Am I traveling? Even if I'm home, must I wait several days to receive it? Will I have to drive to the post office to return it should it require a response?
If a signed paper document arrives by mail or fax, the recipient has no idea about any presence involved in the signing. In fact, we all know from daily experience that even legitimately signed signed documents are often actually signed by spouses and admins. Most "handwritten" signatures you see were created by a machine, such as those on business checks or mass mailings. Even the President uses a machine to sign most documents sent out.
The study abstract does not discuss how the signed documents were presented to subjects for their gut reaction. Were e-signed documents presented on paper or electronically? Were paper documents presented on paper or electronically (most businesses end up scanning paper records for long term storage and to provide availability anyway)? How did the perceived validity change for those with familiarity and general acceptance of technology?
Presumably, there was no education provided to participants about handwritten signatures or electronic signatures before undergoing the experiment, so we are left with gut feelings that rarely are correct. After all, validating a handwritten signature based on whether it looks right is the very basis for most scams because looks are deceiving. All phishing attacks work because everything looks correct. Signature verification is more art than science even for those few who have a previous sample signature on file to compare against?
Do subjects know that paper documents created with high resolution scanners and printers make the creation of fraudulent documents easier than ever before? Does Ms. Chou know that if she writes a letter of recommendation once, the holder can change the letter or make it so she's written similar letters for anybody else using simple copy/paste operations on a computer? Or simply lift her signature image and put on any other document. Or that a forged paper document could just be created with a forged ink signature because nobody else knows what Ms. Chou's signature looks like.
Was there any discussion about the powers of a digital signature to detect any change to a document after it was signed? Or that e-signatures, when done correctly, come with accurate timestamps, IP address tracking, etc., and that all parties can have an immediate copy for their records? For example, with Open eSignForms, we digitally sign the document and embedded data at each step of the process, so we can show you how it looked as it was originally sent out, and how it looked as each signature was applied. And of course many documents with signatures have more data to be provided (good old forms!), and trying to read handwritten data is often tricky and generally requires re-keying to get that data into business applications. Try adding data validation to a paper form!
Are the results of this study any different than those about paper correspondence being more meaningful to some than email? Some prefer paper books to ebooks too, and some prefer dirty newsprint to online reading. How about ATMs versus cashing checks? How about cash over cards and smart phones? Every new innovation goes through a transition period as people adjust. E-signatures are very new to most people, so the fact that some hold to the idea that the old ways are better is fully expected.
Heck, even autographs are giving way to selfies with the celebrity.
We find the study fascinating because the usage of e-signatures has exploded in the past decade, indicating growing acceptance and preference, while the study suggests such e-signatures are viewed by some as less trustworthy. No doubt there is both a generational as well as a business-versus-consumer difference in perception. And of course the breadth of implementations of e-signatures truly does mean that some are indeed more trustworthy than others. Some suggest checkboxes are valid e-signatures, but we wouldn't bet that the courts will side with you if that's all you can present as evidence of a signed contract. We know there are even e-signature vendors that provide no credible proof, such as via digital signatures, that electronic documents or their signatures are valid.
Then again, this is true for wet signatures, too. Most people just don't think about them. For example, signatures on checks and credit card receipts are effectively never checked for validity. The cost of comparing handwritten signatures is just too high and few can do it well. Fewer still have a sample wet signature on file to compare against, and of course handwritten signatures change over the course of time, the type of writing implement used, whether it's cold or hot or damp, etc. As a leftie, far too many of my signatures ended up smeared.
Wet signatures also come with built-in delays and expenses for printing and delivery, and all returned documents have to be checked to ensure nothing has been altered since it was originally provided. Paper faxes are often impossible to read, especially when receiving a fax of your fax, and few users have a fax machine handy these days as they require a both a device and a landline. In the days of cell phones and Internet browsers and email, paper is not as easily processed as it once was.
The study discusses the idea of "presence," indicating that most felt a handwritten signature indicated greater presence of the signer. Of course, there is no basis for this belief, it's just something most do not take time to consider. Sure, if you get a notarized signature in which both parties present valid identification and the signing takes place in front of each other, there is substantial presence involved. Naturally, it's precisely this sort of presence -- including its hassle and expense -- that most drives the adoption of e-signatures. Every time a paper letter arrives in my mailbox for my son who is now at the university, it is clear how much trouble paper is, presence is, and of course the privacy issues it raises. Did I open the letter? Toss it? Did it arrive in my neighbor's box yet again so they had possession before me? Did they toss it or tell me "they didn't notice" it was misdelivered until after they opened it? Am I traveling? Even if I'm home, must I wait several days to receive it? Will I have to drive to the post office to return it should it require a response?
If a signed paper document arrives by mail or fax, the recipient has no idea about any presence involved in the signing. In fact, we all know from daily experience that even legitimately signed signed documents are often actually signed by spouses and admins. Most "handwritten" signatures you see were created by a machine, such as those on business checks or mass mailings. Even the President uses a machine to sign most documents sent out.
The study abstract does not discuss how the signed documents were presented to subjects for their gut reaction. Were e-signed documents presented on paper or electronically? Were paper documents presented on paper or electronically (most businesses end up scanning paper records for long term storage and to provide availability anyway)? How did the perceived validity change for those with familiarity and general acceptance of technology?
Presumably, there was no education provided to participants about handwritten signatures or electronic signatures before undergoing the experiment, so we are left with gut feelings that rarely are correct. After all, validating a handwritten signature based on whether it looks right is the very basis for most scams because looks are deceiving. All phishing attacks work because everything looks correct. Signature verification is more art than science even for those few who have a previous sample signature on file to compare against?
Do subjects know that paper documents created with high resolution scanners and printers make the creation of fraudulent documents easier than ever before? Does Ms. Chou know that if she writes a letter of recommendation once, the holder can change the letter or make it so she's written similar letters for anybody else using simple copy/paste operations on a computer? Or simply lift her signature image and put on any other document. Or that a forged paper document could just be created with a forged ink signature because nobody else knows what Ms. Chou's signature looks like.
Was there any discussion about the powers of a digital signature to detect any change to a document after it was signed? Or that e-signatures, when done correctly, come with accurate timestamps, IP address tracking, etc., and that all parties can have an immediate copy for their records? For example, with Open eSignForms, we digitally sign the document and embedded data at each step of the process, so we can show you how it looked as it was originally sent out, and how it looked as each signature was applied. And of course many documents with signatures have more data to be provided (good old forms!), and trying to read handwritten data is often tricky and generally requires re-keying to get that data into business applications. Try adding data validation to a paper form!
Are the results of this study any different than those about paper correspondence being more meaningful to some than email? Some prefer paper books to ebooks too, and some prefer dirty newsprint to online reading. How about ATMs versus cashing checks? How about cash over cards and smart phones? Every new innovation goes through a transition period as people adjust. E-signatures are very new to most people, so the fact that some hold to the idea that the old ways are better is fully expected.
Heck, even autographs are giving way to selfies with the celebrity.
Wednesday, October 15, 2014
SHA-1 is considered insecure while the EU pretends to legislate "advanced" e-signatures
Google announced that it is updating its Chrome browser to display warnings on web sites that use HTTPS (SSL/TLS) backed by a digital certificate signed with SHA-1. In Why Google is Hurring the Web to Kill SHA-1, Eric Mill gives many reasons why Google is pushing ahead of schedule to rid the web of SSL certs that are considered less secure because they are signed by a Certificate Authority (CA) using SHA-1.
While it's true that SHA-1 is approaching the end of its useful life, it's stubbornly present in many systems and applications. Getting rid of it isn't easy. But we have to start sometime!
Of course, creating useful collisions in SHA-1 is still mostly an uncertain game. We have not heard of any actual SHA-1 collisions that are useful. "Useful" is a key consideration in that creating a second set of data the hashes to the same SHA-1 hash as some "real" document is hard enough, but doing so in which that second data is a meaningful replacement for the first is even harder. If a collision could change "$100" to "$200," you'd have a real problem (of course this is just a short text example to illustrate the point, not a real scenario). But if "x4z]" ended up hashing to the same as "$100", it would be less interesting because the replacement is not meaningful and thus would not be a realistic spoof.
While the Google announcement surrounds SSL certificates, digital signatures for e-signatures are likely a bigger problem. SSL certificates tend to be renewed every 1 to 3 years, so they do not last very long, and most new certificates issued will use SHA-2 instead of SHA-1.
Digital signatures on documents tend to be "forever." They do not expire. While the user's signing keys may change from time to time, once a digital signature is applied to a document, it remains that way going forward. Since most e-sign vendors use SHA-1 in their digital signatures (aside from the few odd players that don't appear to use any digital signatures at all like Sertifi and AssureSign), all documents being signed may be forged in the future. Fortunately, most documents become somewhat obsolete after years go by (that is, few want to forge a 5-year sales agreement for example).
In the EU, they promote word play like "advanced" and "qualified" for electronic signatures based on digital signatures created using a typical PKI in which the signer has been issued a digital certificate (no doubt signed with SHA-1!) for a private key the user keeps secure. This sounds good, but of course has serious flaws:
Documents digitally signed using Yozons Open eSignForms employ a 4096-bit RSA keypair with SHA-512. This is not the norm among esign vendors who generally use much less secure technologies (including those absolutely worthless vendors/products that don't digitally sign at all). While the greater security provided by Yozons is powerful today, eventually it will no longer be considered secure just like SHA-1's fate today and MD5 before.
Unlike "advanced" e-signatures created by users for themselves, a service can ensure documents are secure going into the distant future. For example, if a digitally signed document in Yozons previously used 1024-bit RSA with SHA-1 (a very typical scenario still in practice today), our technology could easily retrieve that document, ensure the older digital signature is still valid, and if so, then re-digitally sign the document using 4096-bit RSA with SHA-512. Such a document can remain secure for as long as necessary.
It is time for SHA-1 to be retired. Yozons has updated all of its server SSL certificates to ensure they are protected with SHA-2. But what about all those web sites and users who do this for themselves? They most likely will not be on top of security issues like this, and that's the very problem we solve for our customers and their users.
While it's true that SHA-1 is approaching the end of its useful life, it's stubbornly present in many systems and applications. Getting rid of it isn't easy. But we have to start sometime!
Of course, creating useful collisions in SHA-1 is still mostly an uncertain game. We have not heard of any actual SHA-1 collisions that are useful. "Useful" is a key consideration in that creating a second set of data the hashes to the same SHA-1 hash as some "real" document is hard enough, but doing so in which that second data is a meaningful replacement for the first is even harder. If a collision could change "$100" to "$200," you'd have a real problem (of course this is just a short text example to illustrate the point, not a real scenario). But if "x4z]" ended up hashing to the same as "$100", it would be less interesting because the replacement is not meaningful and thus would not be a realistic spoof.
While the Google announcement surrounds SSL certificates, digital signatures for e-signatures are likely a bigger problem. SSL certificates tend to be renewed every 1 to 3 years, so they do not last very long, and most new certificates issued will use SHA-2 instead of SHA-1.
Digital signatures on documents tend to be "forever." They do not expire. While the user's signing keys may change from time to time, once a digital signature is applied to a document, it remains that way going forward. Since most e-sign vendors use SHA-1 in their digital signatures (aside from the few odd players that don't appear to use any digital signatures at all like Sertifi and AssureSign), all documents being signed may be forged in the future. Fortunately, most documents become somewhat obsolete after years go by (that is, few want to forge a 5-year sales agreement for example).
In the EU, they promote word play like "advanced" and "qualified" for electronic signatures based on digital signatures created using a typical PKI in which the signer has been issued a digital certificate (no doubt signed with SHA-1!) for a private key the user keeps secure. This sounds good, but of course has serious flaws:
- Users cannot deny an electronic signature created using their "advanced/qualified" signature. The EU law says these are guaranteed to be valid. No wet signature ever had such an absurd notion attached to it; that's why we have courts to decide based on evidence.
- Users may in fact not keep their private keys secure. Users are famous for being unable to keep such stuff secure because they really have no idea what their encryption keys are or how exploits can take place. Every virus and hack attack is a potential theft of a user's encryption keys.
- All encryption requires software and hardware, and all software and hardware is vulnerable to attack. Thus, your keystore can be hacked. The device the key is stored on can be hacked. The device (like a PC, phone or tablet) the key is used on can be hacked. Any network connections involved can be hacked. As the various credit card hacks have shown, devices can be hacked, replaced or have another device put in the middle of the communications cable (or wireless).
- The user may forget the password related to securing their private key. While this would prevent future signing, it could also mean that all data encrypted for storage would no longer be accessible. There will be millions of users who will lose a lot of their data because it's encrypted using a key they no longer have access to.
- Users can be tricked into using their keys insecurely, including phishing attacks and social engineering attacks.
- What happens to all digitally signed documents done between the loss of control of a user's keys and detection that the keys were lost? A user can revoke his keys, but only once he knows something has gone wrong. But that user will not know what, if anything, was ever forged.
- How can a user know where his forged credentials are being used? Cannot!
- Once a digital signature is applied by a user, that document will remain secure only for as long as the digital signature is valid. If the digital signature uses SHA-1, that may only be a few years away.
Documents digitally signed using Yozons Open eSignForms employ a 4096-bit RSA keypair with SHA-512. This is not the norm among esign vendors who generally use much less secure technologies (including those absolutely worthless vendors/products that don't digitally sign at all). While the greater security provided by Yozons is powerful today, eventually it will no longer be considered secure just like SHA-1's fate today and MD5 before.
Unlike "advanced" e-signatures created by users for themselves, a service can ensure documents are secure going into the distant future. For example, if a digitally signed document in Yozons previously used 1024-bit RSA with SHA-1 (a very typical scenario still in practice today), our technology could easily retrieve that document, ensure the older digital signature is still valid, and if so, then re-digitally sign the document using 4096-bit RSA with SHA-512. Such a document can remain secure for as long as necessary.
It is time for SHA-1 to be retired. Yozons has updated all of its server SSL certificates to ensure they are protected with SHA-2. But what about all those web sites and users who do this for themselves? They most likely will not be on top of security issues like this, and that's the very problem we solve for our customers and their users.
Subscribe to:
Posts (Atom)