EFF Interviewed About Their Case Against AT&T
ntk writes "Glenn Greenwald from Salon has a long, informative interview with Cindy Cohn, the EFF attorney leading the suit against AT&T over their warrantless wiretapping of their customers. It talks about why the White House is pushing for retroactive immunity against the telco, what the suit has revealed so far, and how little Congressfolk appear to know about how Internet traffic is being monitored."
Salon was the wrong outlet for this article. (Score:5, Interesting)
Accessing the article, all I get is: Salon cannot set a cookie on your browser. This for an article on protecting privacy.
Re:VeriSign's role as an NSA subcontractor (Score:4, Interesting)
DailyKos is not a technology site, and the person who posted this diary doesn't understand that all Verisign normally gets is the signing request. (I'll probably post something like this there also.) They don't have your private key, they can't decode your communications.
What they could do is intercept it and man-in-the-middle it. With Verisign's help, they can trivially make a key that works in every browser. (And buying a non-Verisign key won't help... end users will just be handed a 'legit' Verisign one and won't know that the server has a different one.)
I urge everyone with an SSL server to post the MD5 and SHA1 fingerprints of their public key, or even their entire public key, on their site, and I urge people to occasionally check them against what their browser reports. Sadly, Firefox, at least, doesn't seem to actually report the public key in any usable format, and I can't see how to get the MD5 and SHA1 fingerprints from the key using openssl. If anyone has a set of step-by-step instructions that tell exactly what to put up and how to instruct end users to check it, that would be nice to link to.
And if you have an SSL server and a Linux shell somewhere else, run 'openssl s_client -connect example.com:443' from both the server and that other place to make sure the 'BEGIN CERTIFICATE' part matches.
I seriously doubt the NSA is doing this, but it should be easy enough to notice if it is.
And, speaking of 'occasionally checking', it would be nice if there was some Firefox extension to inform you that the encryption key had changed, and what the old and new key were. If the old key wasn't due to expire, and the new key has the same date as the old, it probably means someone is running a man-in-the-middle attack. They'd keep the dates the same, along with all the other info, to make it harder to notice, whereas while someone could buy a new key in advance, they wouldn't get one with the same date as the old.
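The two-vantage-point comparison described in the comment above, as an added example that is not part of the original post: it pulls the certificate out of saved `openssl s_client` output and compares its fingerprint (a hash of the DER-encoded certificate, in the colon-separated hex form browsers display) with a published value. The sample outputs are constructed placeholders, not real certificates, and every function name is hypothetical.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def leaf_der(s_client_output: str) -> bytes:
    """Return the DER bytes of the first certificate block in the output."""
    m = PEM_RE.search(s_client_output)
    if m is None:
        raise ValueError("no certificate block found")
    # validate=True rejects stray characters instead of silently skipping them
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated upper-case hex; algo is any hashlib name (sha1, md5...)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp: str) -> str:
    """Drop colons, spaces and case so differently formatted values compare."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def check(published_fp: str, outputs: dict, algo: str = "sha1") -> dict:
    """Map each vantage point to True if its certificate matches the published one."""
    return {place: hmac.compare_digest(
                normalise(fingerprint(leaf_der(text), algo)),
                normalise(published_fp))
            for place, text in outputs.items()}


def fake_output(body: bytes) -> str:
    """Constructed s_client-shaped text; the body is NOT a real certificate."""
    b64 = base64.encodebytes(body).decode()
    return ("CONNECTED(00000003)\n---\nServer certificate\n"
            "-----BEGIN CERTIFICATE-----\n" + b64 +
            "-----END CERTIFICATE-----\nsubject=CN = example.com\n---\n")


ON_SERVER = fake_output(b"constructed placeholder bytes A" * 20)
ELSEWHERE_OK = fake_output(b"constructed placeholder bytes A" * 20)
ELSEWHERE_MITM = fake_output(b"constructed placeholder bytes B" * 20)
```

A `False` for any vantage point means that location was served a different certificate than the one published, which is the mismatch the comment says should be easy to notice.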