EFF's HTTPS Everywhere Detects and Warns About Cryptographic Vulnerabilities

Peter Eckersley writes "EFF has released version 2 of the HTTPS Everywhere browser extension for Firefox, and a beta version for Chrome. The Firefox release has a major new feature called the Decentralized SSL Observatory. This optional setting submits anonymous copies of the HTTPS certificates that your browser sees to their Observatory database allowing them to detect attacks against the web's cryptographic infrastructure. It also allows us to send real-time warnings to users who are affected by cryptographic vulnerabilities or man-in-the-middle attacks. At the moment, the Observatory will send warnings if you connect to a device that has a weak private key due to recently discovered random number generator bugs."
  • by gl4ss ( 559668 ) on Wednesday February 29, 2012 @04:30PM (#39202439) Homepage Journal

    "It also allows us to send real-time warnings to users who are affected by cryptographic vulnerabilities or man-in-the-middle attacks."

    so how does that work? you know who's connected where?

    • by Anonymous Coward

      Welcome to the EFF botnet.

    • We can't answer you as we're all busy installing the addon...please hold...

    • by Anonymous Coward on Wednesday February 29, 2012 @05:10PM (#39202851)

      so how does that work? you know who's connected where?

      When going to an SSL website, your browser submits a copy of the SSL certificate to the EFF's server.

      The EFF's server does some sanity checking on the certificate to see if it is from a weak key.

      The EFF's server compares the SSL certificate your browser submits with the SSL certificates for the same hostname that the EFF has on file from other users who submitted certificates (or maybe the EFF also tries to connect to the https server themselves).

      If the certificate your browser sees is different from what the EFF expects you to see, the browser plugin displays a nasty warning to the end user.

      Of course, I expect that 99% of end users will still click OK, let me connect anyways despite all the security problems!

      • The EFF's server compares the SSL certificate your browser submits with the SSL certificates for the same hostname that the EFF has on file from other users who submitted certificates (or maybe the EFF also tries to connect to the https server themselves).

        So, similar in effect to the "multiple views" or "notaries" method of validation (à la Perspectives / Convergence). How do you know this is what HTTPS Everywhere is doing? I wondered about it and wasn't able to find any information on it, includi
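The flow the anonymous commenter describes above (a weak-key check, then comparing the submitted certificate with those already on file for the same hostname), sketched as an added example. It is not the EFF's Observatory code and not part of the thread; the class name, verdict strings, `min_reports` threshold and the placeholder byte strings are all assumptions made for illustration.

```python
import hashlib
from collections import Counter, defaultdict


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of raw certificate or public-key bytes."""
    return hashlib.sha256(der_bytes).hexdigest()


class ToyObservatory:
    """Hypothetical server-side model; names and thresholds are assumptions."""

    def __init__(self, weak_key_fingerprints, min_reports=3):
        self.weak_keys = set(weak_key_fingerprints)
        self.min_reports = min_reports      # sightings before a cert counts as established
        self.seen = defaultdict(Counter)    # hostname -> {cert fingerprint: sightings}

    def submit(self, hostname: str, cert: bytes, public_key: bytes) -> str:
        host = hostname.lower().rstrip(".")  # "EXAMPLE.org." and "example.org" are one host
        cert_fp = fingerprint(cert)
        history = self.seen[host]
        established = {fp for fp, n in history.items() if n >= self.min_reports}

        if fingerprint(public_key) in self.weak_keys:
            verdict = "weak-key"             # warn regardless of history
        elif not history:
            verdict = "first-seen"           # nothing on file to compare against
        elif cert_fp in established:
            verdict = "consistent"
        elif established:
            verdict = "mismatch"             # differs from what other submitters saw
        else:
            verdict = "unconfirmed"          # host known, but no cert is established yet
        history[cert_fp] += 1                # record after judging: a cert never vouches for itself
        return verdict


def demo():
    # Constructed placeholder bytes, not real DER certificates or keys.
    obs = ToyObservatory({fingerprint(b"key-W")})
    results = [obs.submit("example.org", b"cert-A", b"key-A") for _ in range(4)]
    results.append(obs.submit("EXAMPLE.org.", b"cert-B", b"key-B"))
    results.append(obs.submit("router.example", b"cert-W", b"key-W"))
    return results
```

Because every submission is recorded, a second certificate that is seen often enough becomes established too, which is how this model avoids warning forever about a host that legitimately serves more than one certificate.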

    • by Peter Eckersley ( 66542 ) on Wednesday February 29, 2012 @05:42PM (#39203179) Homepage

      you know who's connected where?

      Great question. If you have Torbutton installed, the Decentralized SSL Observatory will use Tor to submit the certs via an anonymized HTTPS POST, and warnings (if there are any) are sent back through the Tor network in response.

      If you don't have Torbutton, you can still turn on the SSL Observatory, in which case the submission is direct. The server does not keep logs of which IPs certs are submitted from, though this is of course less secure than using Tor.

      Before you can turn the Observatory on, we have a UI that tries to explain all of this elegantly and succinctly, in language that even not-super-technical users can understand.

      The original design document is here: https://trac.torproject.org/projects/tor/wiki/doc/HTTPSEverywhere/SSLObservatorySubmission

      • by Nimey ( 114278 )

        I don't seem able to turn on the Observatory in Chrome OS.

      • Hey Peter...thank you and the rest of the folks at the EFF for such great and important work! Beer's on me if we ever run into each other! :-)

      • by gl4ss ( 559668 )

        okays, thanks for the response. tor makes sense for this perfectly, I guess it's as good solution as one can get now, it's probably not feasible to mirror the entire repo to local.

    • by Suki I ( 1546431 )

      "It also allows us to send real-time warnings to users who are affected by cryptographic vulnerabilities or man-in-the-middle attacks."

      so how does that work? you know who's connected where?

      When I first added it to Chrome, it kept "going off" whenever I went to my Blogspot.Com blog. It has stopped now.

  • I noticed this add-on pop up when I started the latest TOR release. Seems like a good idea.
  • So to enable this feature, you basically have to tell them when you visit a site over SSL. Good thing it's the EFF, because we're spreading our browsing history every which way as it is. Phishing detection, WOT, sometimes the browser vendors themselves, not to mention all the ads, cookies and trackers. But I guess the people who are likely to install HTTPSEverywhere know how to protect themselves against the last three (AdBlock+, Ghostery, NoScript, etc).

    CJ

    • by bmo ( 77928 )

      Good thing it's the EFF, because we're spreading our browsing history every which way as it is.

      Your ISP knows all about you, and your family, and what the cat looks at while you are away.

      Just in case you didn't think the tinfoil was tight enough.

      --
      BMO

      • Your ISP knows all about you, and your family, and what the cat looks at while you are away.

        No they don't, because my cat and I are using SSL :)

        CJ

      • So? They cannot legally do anything with it, and there is no way they can be legally compelled to perform espionage without a warrant.

        • by Anonymous Coward

          So? They cannot legally do anything with it, and there is no way they can be legally compelled to perform espionage without a warrant.

          You have just blown my mind. You are right, of course, it is only the people who can legally do things with the information that scare me.

          • Seems like some perfectly reasonable paranoia, assuming everyone is out to get you all the time. The powers that be can't do much without actually charging you with a crime.

        • So? They cannot legally do anything with it, and there is no way they can be legally compelled to perform espionage without a warrant.

          Legally compelled? Hell, they will do it voluntarily and in return the powers that be will grant them retroactive immunity for their criminal actions. I've seen it happen!

      • by lgw ( 121541 ) on Wednesday February 29, 2012 @05:24PM (#39203021) Journal

        The TOR browser bundle includes this change (because the HTTPS-everywhere addon auto-updates, IIRC). For those who opt in, the EFF will know far more about their browsing history than their ISP.

        Of course, if you don't trust the EFF's claims that it will be anonymized, I'm not sure why you'd trust the anonymity of TOR, but that's a different topic.

      • Your ISP knows all about . . . what the cat looks at while you are away.

        http://barelyferal.tumblr.com/ [tumblr.com]

  • I want a browser extension to record and track my connections into a centralized database. It's for my own benefit, you see.
    • Re:Good (Score:4, Insightful)

      by Anonymous Coward on Wednesday February 29, 2012 @05:32PM (#39203095)

      I want a browser extension to record and track my connections into a centralized database. It's for my own benefit, you see.

      Well, it's only the https connections, and your ISP and the TLAs already have that.

      I would trust the EFF more than I would trust google, omniture, doubleclick, comscore (which slashdot uses), etc.

    • by suutar ( 1860506 )
      You don't need a browser extension for that. Your ISP can handle it.
  • Donate. (Score:5, Insightful)

    by metrometro ( 1092237 ) on Wednesday February 29, 2012 @05:14PM (#39202895)

    The list of people who both care about the non-commercial interests of an end user and are technically proficient to do something about it is pretty small.

  • You'd think that somebody coming out with version 2 of a security-sensitive browser extension would deploy it in a manner that would ensure auto-updates. I searched in the Chrome Web Store and there was no sign of this. You have to install it directly from their website. That means that it won't auto-update, and I need to remember to install/maintain it on every Chrome profile I have (no auto-syncing).

    I'd rather not have to guess or check whether any particular browser I'm using has the extension install
