❗ This post is over one year old. It may no longer be up to date. Opinions may have changed.
Five years ago I made a website that allowed you to put in a few domains and get
an email when the SSL certificate was about to expire. No ads, no fuss, just
an easy way for people to keep tabs on their sites without setting up their
own monitoring like Nagios. As with all of my software, I released it under
the GPL, specifically the AGPL, since it is web-based software. Simplified, the AGPL
differs from the GPL on one point: you have to release the source
of any modifications you make under the same license even when you only host the software online
rather than distribute it. With the regular GPL, you don’t have to release the source if you
provide a modified version online, only if you distribute it.
Recently I found a company that hosted certificatemonitor, with some modifications
(branding and a Dutch translation), without any reference to its origin, no source
code provided and no mention of the license. I’m not going to link to the company,
you can see the screenshots, but I don’t want to give them any extra exposure.
In this article I’ll talk about what I did to enforce the license and how it went.
TL;DR: not as expected. The company responded promptly and in a friendly manner, but made a half-assed
attempt (added a link to my site with “Inspired By Remy” as the text), and then, after my
complaints, took down the entire site.
I was a member of the Free Software Foundation Europe back in 2010
and have donated many times to the Software Freedom Law Center / Software
Freedom Conservancy (the thing Bradley always talked about on the Linux Outlaws podcast),
and at work I’m the go-to guy whenever we get a GPL request for our coffee
machines, so you might say I have a heart for open source. If anyone from the SFC or FSF
or gpl-violations.org is reading this and wants to do more with it, please send me an email.
I license all my personal stuff under the GPL and AGPL (where applicable)
and dislike the permissive licenses (MIT, 3-clause BSD, X11, Apache) because
they allow people to take your stuff and never contribute back. I prefer
strong copyleft licenses that force you to contribute. Here is a good
article going into permissive vs copyleft licensing.
The following two paragraphs are taken from the Plausible.io article
explaining their license switch. I found them to explain the AGPL so well
that I cite them here. Please go read their article; I found out that
Google has an anti-AGPL policy by reading it.
What are the benefits of the AGPLv3?
The AGPL license is identical to the original GPL license with the only
additional term being to allow users who interact with the licensed software
over a network to receive the source for that program.
AGPL is designed to ensure corporations contribute back to the open source
community even when running the software as a service in the cloud.
If you used AGPL-licensed code in your web service in the cloud, you are
required to open source it. It basically prevents corporations that never had
any intention to contribute to open source from profiting from the open source
work.
It explicitly prohibits corporations from parasitically competing with an open
source project. They won’t be able to take the code, make changes to it and
sell it as a competing product without contributing those changes back to the
original project.
Here’s that extra paragraph:
If you run a modified program on a server and let other users communicate
with it there, your server must also allow them to download the source code
corresponding to the modified version running there
What are the restrictions with the AGPLv3?
A corporation needs to be clear and provide a prominent mention and link to
the original project so people who are considering using their version of the
software can be aware of the original source.
If a corporation modifies the original software, they need to open source and
publish their modifications, for instance by contributing back to the original
project.
Hey, that looks a lot like my code
I sadly only took a few screenshots on my phone, so I cannot show more than this,
but the similarities will be more than clear. In the email conversation we had,
they acknowledged that it was my code, so there’s no doubt on that.
Here are the pictures, including the statement that triggered my enforcement
action (their copyright claim).
First the FAQ items on my original code and next to it their translated version:
- Their headings are collapsed, but match mine, translated into Dutch.
- Their cert check times are exactly the same as mine.
- They claim full copyright as authors (which is wrong: they’re not the authors and it’s not their copyright).
Here’s the confirmation page after you’ve signed up.
- The blue “Email:” is exactly the same (Twitter Bootstrap styling).
- The green “Confirmation” is exactly the same.
- They’ve added a call to action “Buy Now” button.
Last but not least, here is the confirmation email you get after signing
up.
- The confirmation link has the same UUID format.
- The date/time format matches.
- It lists the IP you signed up from.
They did, however, forget to remove the Unsubscribe link from the first email:
it says “To receive no more emails, click this link”, and then there is no link to click.
Our email conversation
It was pretty hard to find an actual email address for this company. Nothing listed
on their website, just a contact form. Hidden on their jobs page I found a
job listing which included an address, and on their General Terms and Conditions
page there was a support address.
Maybe that’s just me, but every major support ticket system
supports email alongside web portals. Please let me just send an email instead of forcing
me to use a webpage.
So I decided to go for the jobs email: not a large organisation, so probably no dedicated HR,
and a big chance that job applications go right to the founders.
Our email conversation was polite and they responded in a timely fashion, within days.
Other GPL requests I made never got any response, or took at least two weeks for an
initial reply, so they did score some points there.
I’ll summarize the emails for those who do not speak Dutch.
My first email stated that their tool looks a lot like one I wrote a few
years ago and that they probably should provide the source code. I stated that
they did provide the source/links on another tool they host (SSL decoder) and
that they should do that here as well. I also noted the difficulty in finding
an email address.
Their first response, three days later, was some company-speak: thank you
for your service, we looked into it and indeed, we have been using your code for 3
years without providing any attribution. We’ve added something to the
footer; if you want textual changes, please let us know.
I sadly did not take a screenshot of the new footer text, but it said
“Inspired by Remy” and linked to this site. That’s not how it works, guys:
my first email was clear enough, full source code and license, not this crap.
It really is not that hard to create a new GitHub/GitLab repo, do one initial
commit and never touch it again.
My response said, in a more civil way, that they should provide
source code under the same license.
Four days later, they responded, stating that they had discussed internally
and decided to take the site offline.
That concludes our conversation: they took down their site and never complied with
the license. I think they’re not violating it now, but they have done so for a few years.
How should they have acted?
They should have provided the source code to anyone asking, preferably online, right
from the start when they set up their service. Even if they would not have named
me, but had provided source code, it would be fine by me.
I’m not sure how long their site was online (they state 3 years in the email),
but they have been violating the license all that time, and the half-assed
attempt ended badly. I suspect their service was not used that much, because
they just took it down without notice. I hope all their subscribers know of
it, since they will never be notified if their certificate is about to expire.
When I still hosted this code myself, I had about 20,000 (twenty thousand) domains being
checked. When I cancelled the service, each and every one of those domains got a message
notifying them that their service would be cancelled after 30 days with a few alternative
services they could use.
And you know what the strange thing is? They have also hosted the SSL decoder,
another piece of software I wrote in the same vein, with a link to the source code.
Here’s an image where you can see the URL and at the bottom, the license and source
code link:
So why do it there but not on the other site? I suspect it’s because they changed
the source code to translate it, and the ssl decoder site doesn’t seem to be changed.
A good example (sig-i/o)
A friend and fellow RevSpace member, Mark Janssen, has also hosted these services.
Read his post here, where he states that he has forked the repositories, links
to the source code and has used the same license for the forks.
If you want to use the software I made, please use Mark’s versions here:
- https://ssldecoder.eu — Print information about site-certificates or CSR’s
- https://sslmonitor.eu — Get mail notifications about expiring certificates
- https://cipherlist.eu — Recommended TLS/SSL configurations for popular services
It’s not that hard to provide the source and use the same license. “Just do it”.
Tags: agpl, blog, gpl, legal, license, php, security, ssl