EFF System To Warn of Certificate Breaches
snydeq writes "With its distributed SSL Observatory, the Electronic Frontier Foundation hopes to detect compromised certificate authorities and warn users about attacks, InfoWorld reports. 'The EEF, along with developers at the Tor Project and consulting firm iSec Partners, has updated its existing HTTPS Everywhere program with the ability to anonymously report every certificate encountered. The group will analyze the data so that it can detect any rogue certificates — and by extension, compromised authorities — its users encounter, says Peter Eckersley, technology projects director for the EFF.'"
We'll see (Score:3, Insightful)
Re: (Score:2)
Sounds really good on paper (or, for the literal ones here, on webpage), but we'll see how it works in practice.
I think in practice that the people perpetuating the man in the middle attacks will now just have to man in the middle two connections, instead of just one.
Unless the EFF has some magic special way of getting this data reported to them that isn't also susceptible to MITM attacks.
Re: (Score:2)
Where would you get the public key from? And how would you know they aren't compromised?
Re: (Score:2)
I clicked on the link then clicked on "URL:https://www.eff.org/files/https-everywhere-latest.xpi" and I get this
Am I missing something here?
Re: (Score:2)
Yes. You probably distrusted the Comodo CA a while ago, which signs the EFF's certificate.
Re: (Score:2)
+1 to parent. Yes I did that. Thanks. I shall inquire if they are going to continue trusting them or not.
HTTPS Everywhere (Score:2)
But only on Firefox.
Re:HTTPS Everywhere (Score:4, Insightful)
I know Firefox is unpopular lately, but among the major browsers it stands out for Add-on support. Please direct complaints to MS/Google/Opera/etc.
I really love the HTTPS Everywhere tool, and I'm glad to see this news. Perhaps it can become popular enough to trigger "ports" to other browsers. EFF will also gladly accept your donations, along with which you could include a request for chrome/ie/opera support.
Re: (Score:2, Informative)
IE has had plugin support for a decade, how do you think the Google Toolbar works on IE?
Re: (Score:3)
IE has had plugin support for a decade, how do you think the Google Toolbar works on IE?
If it's anything like 99% of the plugins I find on most peoples' computers when I work on them, it's probably an absolute pile of shit :P
Kidding aside, I almost cried a tear of joy when I read that Chrome actually can't support a toolbar.
I felt the same way when I saw a Chrome extension inject Javascript into every web page on a computer to create a frame at the top with toolbar-like features. Oh well.
Re: (Score:2)
Nice to see the mod tards out in force today - how the fuck is my post "redundant"?
Re: (Score:2)
Why do you need add-on support to provide this functionality? Wouldn't an HTTP proxy on localhost be able to do the same thing? That would be completely browser agnostic.
Re: (Score:2)
But only on Firefox.
Paranoid security and open source browsers are a good match-up. Most people are wrong to be paranoid, but obviously some are right to be. I guess most people are wrong to buy fire insurance too, but erring on the side of paranoid there isn't quite so stigmatized. I bet in Iran secure browsing isn't stigmatized among the people either.
Re: (Score:3)
Yes. They defend everyone's rights, including hackers and including you.
Spelling (Score:3)
I know that abbreviation is long and complex, but since this article is mostly about them, can't you at least get it right in the summary?
So another certificate authority eh? (Score:2)
The difference is that instead of issuing them, it will just copy them and verify them for others ...
So you get certdiff, which is useful, just like SSL certs themselves ... it's useful right up until someone poisons the central authority.
Then what you do is create another authority to watch the first authority who watches everyone else's authority, so no one has any clue who is actually the authoritative source.
I see the idea, it has merit, but it's just more of the same thing. You can't solve the problem by
Re: (Score:1)
Except for by having two groups work on the same certificate, they would have to get both in order for you to have misplaced trust. Personally, I think this is a good idea so that there won't be a single point of failure.
Interesting associations (Score:1)
The Tor Project [wikipedia.org] is heavily associated with Jacob Appelbaum [wikipedia.org], one of their core members and proponents (and also a major proponent of Wikileaks). Jacob was also part of the team that exploited the MD5 weakness of SSL and created their own rogue Certification Authority [zdnet.com].
So at least they know what to look for. Information wants to be free, except when it doesn't.
classic CA system nearing death (Score:2)
This "decentralized SSL Observatory" idea is fantastic. The notaries paradigm we've been discussing (Perspectives, Convergence) requires multiple views for efficacy, the more the better (within certain parameters). I'd been imagining a system in which individuals could opt to be notaries/cert reporters, and this is a step in that direction. Now the EFF could turn into a nexus for thousands and thousands of views. Of course they'd aggregate those thousands of views into a single point of failure, but tha
Use convergence.io (Score:2)
I think Convergence [convergence.io] is better. The EFF should put up their own notary and just join Convergence instead of having their own separate way of doing the same...
I have already switched and added a bunch of random notaries. Everyone can just self sign and the notaries do the rest. Man in the Middle? Most notaries will warn your data differs. If a notary sucks, kick it and add another. Simple and clean.
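An added illustration (not code from the EFF, Convergence, or anyone in this thread) of the multiple-views check discussed in the "So another certificate authority eh?" reply and the two Convergence posts above: the client hashes the certificate it received and compares that fingerprint with what several notaries saw from their own vantage points, so a localized man-in-the-middle shows up as disagreement while a single poisoned notary cannot flip the verdict on its own. Notary names, the sample certificate bytes and the threshold are constructed for the example.

```python
import hashlib
from typing import Dict, Tuple

# Constructed stand-ins for DER-encoded certificates; real notaries would
# fingerprint the actual DER bytes they fetched from the host.
GENUINE_CERT = b"constructed-der-bytes-for-example.org"
ROGUE_CERT = b"constructed-der-bytes-injected-by-mitm"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a certificate, the value a notary records."""
    return hashlib.sha256(der).hexdigest()


def consensus(client_fp: str, notary_views: Dict[str, str],
              threshold: float = 0.5) -> Tuple[str, float]:
    """Compare the client's fingerprint with the notaries' observations.

    notary_views maps a notary name to the fingerprint that notary saw for
    the same host. Returns a verdict and the fraction of notaries agreeing
    with the client. threshold is an assumed policy knob, not a standard."""
    if not notary_views:
        return "unknown", 0.0          # no independent view available
    agree = sum(1 for fp in notary_views.values() if fp == client_fp)
    fraction = agree / len(notary_views)
    if fraction == 1.0:
        return "trusted", fraction
    if fraction >= threshold:
        # Minority disagreement: likely a stale or poisoned notary.
        return "trusted_with_warning", fraction
    # Majority of vantage points saw a different certificate than we did.
    return "warn_mitm", fraction


def demo() -> Dict[str, str]:
    """Run the three scenarios a notary system is meant to distinguish."""
    good, bad = fingerprint(GENUINE_CERT), fingerprint(ROGUE_CERT)
    honest = {"notary-a": good, "notary-b": good, "notary-c": good}
    one_poisoned = {"notary-a": good, "notary-b": bad, "notary-c": good}
    return {
        "clean": consensus(good, honest)[0],
        "local_mitm": consensus(bad, honest)[0],       # client saw rogue cert
        "poisoned_notary": consensus(good, one_poisoned)[0],
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```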