
EFF's HTTPS Everywhere Detects and Warns About Cryptographic Vulnerabilities

Peter Eckersley writes "EFF has released version 2 of the HTTPS Everywhere browser extension for Firefox, and a beta version for Chrome. The Firefox release has a major new feature called the Decentralized SSL Observatory. This optional setting submits anonymous copies of the HTTPS certificates that your browser sees to their Observatory database, allowing them to detect attacks against the web's cryptographic infrastructure. It also allows us to send real-time warnings to users who are affected by cryptographic vulnerabilities or man-in-the-middle attacks. At the moment, the Observatory will send warnings if you connect to a device that has a weak private key due to recently discovered random number generator bugs."

  • Re:I'm confused (Score:5, Informative)

    by 19thNervousBreakdown ( 768619 ) <davec-slashdot@@@lepertheory...net> on Wednesday February 29, 2012 @06:05PM (#39202801) Homepage

    No, they come with pre-trusted cert authorities. And any cert authority can issue a certificate for any domain. So, if somebody "convinces" Verisign to give them a cert for facebook.com, that's it, they are now facebook.com as far as every browser is concerned.

    In fact, sites like Facebook and Google change their certs so often (probably due to load-balancing or the simple challenge of synchronizing a certificate over a global set of datacenters), it's practically a full-time job keeping track of whether this "new" cert is valid or not.

  • by Anonymous Coward on Wednesday February 29, 2012 @06:10PM (#39202851)

    so how does that work? you know who's connected where?

    When going to an SSL website, your browser submits a copy of the SSL certificate to the EFF's server.

    The EFF's server does some sanity checking on the certificate to see if it is from a weak key.

    The EFF's server compares the SSL certificate your browser submits with the SSL certificates for the same hostname that the EFF has on file from other users who submitted certificates (or maybe the EFF also tries to connect to the https server themselves).

    If the certificate your browser sees is different from what the EFF expects you to see, the browser plugin displays a nasty warning to the end user.

    Of course, I expect that 99% of end users will still click OK, let me connect anyways despite all the security problems!

  • Re:I'm confused (Score:5, Informative)

    by lgw ( 121541 ) on Wednesday February 29, 2012 @06:21PM (#39202971) Journal

    Don't web browsers already come with pre-known public keys/certs to detect Man-In-The-Middle attacks?? I like the HTTPS everywhere part but I don't get why this is useful or needed as of today...

    I've read of 3 successful attempts to get fake "Bank of America" certs. One was a cert for "Bank of America\0My Phishing Site", and browsers would stop at the null and accept it. One was simply an email request with forged headers to the CA, who responded with a BoA cert without double-checking the origin of the request. One was signed by one of the now-bogus CAs while most browsers hadn't yet updated with awareness of that bogosity.

    And those are just the ones I've read about.

    CAs are simply no longer the "trusted 3rd party" needed to prevent MitM attacks. EFF is trying to fill that void, and I'm sure that will work well for a while!

  • by lgw ( 121541 ) on Wednesday February 29, 2012 @06:24PM (#39203021) Journal

    The TOR browser bundle includes this change (because the HTTPS-everywhere addon auto-updates, IIRC). For those who opt in, the EFF will know far more about their browsing history than their ISP.

    Of course, if you don't trust the EFF's claims that it will be anonymized, I'm not sure why you'd trust the anonymity of TOR, but that's a different topic.

  • by Peter Eckersley ( 66542 ) on Wednesday February 29, 2012 @06:42PM (#39203179) Homepage

    you know who's connected where?

    Great question. If you have Torbutton installed, the Decentralized SSL Observatory will use Tor to submit the certs via an anonymized HTTPS POST, and warnings (if there are any) are sent back through the Tor network in response.

    If you don't have Torbutton, you can still turn on the SSL Observatory, in which case the submission is direct. The server does not keep logs of which IPs certs are submitted from, though this is of course less secure than using Tor.

    Before you can turn the Observatory on, we have a UI that tries to explain all of this elegantly and succinctly, in language that even not-super-technical users can understand.

    The original design document is here: https://trac.torproject.org/projects/tor/wiki/doc/HTTPSEverywhere/SSLObservatorySubmission

  • by Anonymous Coward on Wednesday February 29, 2012 @08:34PM (#39204055)
    Erm, it's disabled by default and they recommend using Tor. They don't want you to trust them to not keep logs and they make it as easy as possible to do so.