EFF System To Warn of Certificate Breaches

← Back to Stories (view on slashdot.org)

EFF System To Warn of Certificate Breaches

Posted by samzenpus on Wednesday September 21, 2011 @08:47AM from the early-warning-system dept.

snydeq writes "With its distributed SSL Observatory, the Electronic Frontier Foundation hopes to detect compromised certificate authorities and warn users about attacks, InfoWorld reports. 'The EEF, along with developers at the Tor Project and consulting firm iSec Partners, has updated its existing HTTPS Everywhere program with the ability to anonymously report every certificate encountered. The group will analyze the data so that it can detect any rogue certificates — and by extension, compromised authorities — its users encounter, says Peter Eckersley, technology projects director for the EFF.'"

35 comments

Min score:

Reason:

Sort:

We'll see by L1B3R4710N · 2011-09-21 08:50 · Score: 3, Insightful

Sounds really good on paper (or, for the literal ones here, on webpage), but we'll see how it works in practice. I hope it does what it hopes to do, but who knows?

--
"...the number of UNIX installations has grown to 10, with more expected..." - Dennis Ritchie/Ken Thompson, 1972
1. Re:We'll see by increment1 · 2011-09-21 09:26 · Score: 1
  
  Sounds really good on paper (or, for the literal ones here, on webpage), but we'll see how it works in practice.
  I think in practice that the people perpetuating the man in the middle attacks will now just have to man in the middle two connections, instead of just one.
  Unless the EFF has some magic special way of getting this data reported to them that isn't also susceptible to MITM attacks.
2. Re:We'll see by Anonymous Coward · 2011-09-21 10:17 · Score: 0
  
  Am I missing something? Just encrypt the communication with their public key. There's no need for key handshake here, and so MITM is not possible.
3. Re:We'll see by mrmeval · 2011-09-21 13:00 · Score: 1
  
  I clicked on the link then clicked on "URL:https://www.eff.org/files/https-everywhere-latest.xpi" and I get this
  
  This Connection is Untrusted
  Am I missing something here?
  
  --
  I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
4. Re:We'll see by flonker · 2011-09-21 14:05 · Score: 1
  
  Where would you get the public key from? And how would you know they aren't compromised?
5. Re:We'll see by tomtomtom · 2011-09-21 19:41 · Score: 1
  
  Yes. You probably distrusted the Comodo CA a while ago, which signs the EFF's certificate.
6. Re:We'll see by mrmeval · 2011-09-22 12:16 · Score: 1
  
  +1 to parent. Yes I did that. Thanks. I shall inquire if they are going to continue trusting them or not.
  
  --
  I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
Whoa by Anonymous Coward · 2011-09-21 08:51 · Score: 0

Some people don't know?
HTTPS Everywhere by Hatta · 2011-09-21 08:53 · Score: 1

But only on Firefox.

--
Give me Classic Slashdot or give me death!
1. Re:HTTPS Everywhere by MetalliQaZ · 2011-09-21 09:01 · Score: 3, Insightful
  
  I know Firefox is unpopular lately, but among the major browsers it stands out for Add-on support. Please direct complaints to MS/Google/Opera/etc.
  I really love the HTTPS Everywhere tool, and I'm glad to see this news. Perhaps it can become popular enough to trigger "ports" to other browsers. EFF will also gladly accept your donations, long with which you could include a request for chrome/ie/opera support.
  
  --
  "Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
2. Re:HTTPS Everywhere by Anonymous Coward · 2011-09-21 09:08 · Score: 0, Troll
  
  I know Firefox is unpopular lately, but among the major browsers it stands out for Add-on support.
  But not for long! With the upcoming fast release schedule, add-ons will be outdated and cannot run on the latest version of Firefox when they've been updated to support what was the current version of Firefox. Add-ons will be supported for the version of Firefox just before the current.
  Yes, Firefox will move and make a new release just before devs fix their addons to support the old one!
3. Re:HTTPS Everywhere by Richard_at_work · 2011-09-21 09:14 · Score: 1, Informative
  
  IE has had plugin support for a decade, how do you think the Google Toolbar works on IE?
4. Re:HTTPS Everywhere by Hatta · 2011-09-21 09:27 · Score: 1
  
  Why do you need add-on support to provide this functionality? Wouldn't an HTTP proxy on localhost be able to do the same thing? That would be completely browser agnostic.
  
  --
  Give me Classic Slashdot or give me death!
5. Re:HTTPS Everywhere by RulerOf · 2011-09-21 09:31 · Score: 2
  
  IE has had plugin support for a decade, how do you think the Google Toolbar works on IE?
  If it's anything like 99% of the plugins I find on most peoples' computers when I work on them, it's probably an absolute pile of shit :P
  
  Kidding aside, I almost cried a tear of joy when I read that Chrome actually can't support a toolbar.
  
  I felt the same way when I saw a Chrome extension inject Javascript into every web page on a computer to create a frame at the top with toolbar-like features. Oh well.
  
  --
  Boot Windows, Linux, and ESX over the network for free.
6. Re:HTTPS Everywhere by Anonymous Coward · 2011-09-21 10:09 · Score: 0
  
  I felt the same way when I saw a Chrome extension inject Javascript into every web page on a computer to create a frame at the top with toolbar-like features. Oh well.
  LOL. Goddamn bloatware makers, they're unstoppable!
7. Re:HTTPS Everywhere by Anonymous Coward · 2011-09-21 12:36 · Score: 0
  
  The KB SSL Enforcer extension for Chrome has had a bug for a long time that's awaiting this functionality to be possible in Chrome. As soon as HTTP(S) requests and the responses can be intercepted by an extension, then this will be possible. For now, you can blame Google, since we have as much as is possible currently.
8. Re:HTTPS Everywhere by bill_mcgonigle · 2011-09-21 13:35 · Score: 1
  
  But only on Firefox.
  Paranoid security and open source browsers are a good match-up. Most people are wrong to be paranoid, but obviously some are right to be. I guess most people are wrong to buy fire insurance too, but erring on the side of paranoid there isn't quite so stigmatized. I bet in Iran secure browsing isn't stigmatized among the people either.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
9. Re:HTTPS Everywhere by Richard_at_work · 2011-09-22 00:18 · Score: 1
  
  Nice to see the mod tards out in force today - how the fuck is my post "redundant"?
If only by Anonymous Coward · 2011-09-21 09:00 · Score: -1

If only the EFF wasn't an irrelevant group of freetards this might actually be meaningful. Do they really think that most people will trust a group that defends pirates and hackers?
1. Re:If only by MetalliQaZ · 2011-09-21 09:03 · Score: 2
  
  Yes. They defend everyone's rights, including hackers and including you.
  
  --
  "Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
Spelling by uigrad_2000 · 2011-09-21 09:01 · Score: 2

'The EEF, along with developers
I know that abbreviation is long and complex, but since this article is mostly about them, can't you at least get it right in the summary?

--
Free unix account: freeshell.org
1. Re:Spelling by Anonymous Coward · 2011-09-21 09:23 · Score: 0
  
  I know the FFF would be appalled.
2. Re:Spelling by Reason58 · 2011-09-21 16:49 · Score: 1
  
  That is a direct [sic] from the linked article.
LOL by Anonymous Coward · 2011-09-21 09:02 · Score: 0

lol, now the certificate issuers need certificate issuers.
1. Re:LOL by Dthief · 2011-09-21 09:04 · Score: 1
  
  so do the certificate issuers for the Certificate issuers for the certificate Issuers for the certificate issuers for the certificate issuers.........
  
  --
  www.RacquetUp.org - Helping Detroit Youth
So another certificate authority eh? by BitZtream · 2011-09-21 09:05 · Score: 1

The difference is that instead of issuing them, it will just copy them and verify them for others ...
So you get certdiff, which is useful, just like SSL certs themselves ... its useful right up until someone poisons the central authority.
Then what you do, is create another authority to watch the first authority who watches everyone elses authority so no one has any clue who is actually the authoritative source.
I see the idea, it has merit, but its just more of the same thing. You can't solve the problem by repeating the same non-functioning act over and over again. Its the definition of insanity you know.

--
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
1. Re:So another certificate authority eh? by Anonymous Coward · 2011-09-21 09:31 · Score: 1
  
  Except for by having two groups work on the same certificate, they would have to get both in order for you to have misplaced trust. Personally, I think this is a good idea so that there won't be a single point of failure.
Just add more annoying UI to Firefox. by Anonymous Coward · 2011-09-21 09:10 · Score: 0

"Although this site's certificate is signed, and you approved the same certificate to be stored permanently about three years ago, the signing authority may have been compromised.
[Get me out of here] [I understand the risks, but fuck me with more dialogs because I need a refresher course in crypto]
[My name is Bruce Schneier; just show me the goddamned page]
[OK] [Cancel] [Apply] [Abort] [Revert] [Save]
Will they follow through? by Anonymous Coward · 2011-09-21 09:15 · Score: 0

Hopefully they have better follow-through on this than they did with TOSBack, which seems to have withered on the vine.
Interesting associations by Anonymous Coward · 2011-09-21 09:25 · Score: 1

The Tor Project is heavily associated with Jacob Appelbaum, one of their core members and proponents (and also a major proponent of Wikileaks). Jacob was also part of the team that exploited the MD5 weakness of SSL and created their own rogue Certification Authority.
So at least they know what to look for. Information wants to be free, except when it doesn't.
Obligatory Xzibit by Anonymous Coward · 2011-09-21 10:05 · Score: 0

Sup DAWG, we heard you like to verify trust so we put a certificate authority on your certificate authority so you can verify trust while you verify trust.
classic CA system nearing death by Onymous+Coward · 2011-09-21 10:50 · Score: 1

This "decentralized SSL Observatory" idea is fantastic. The notaries paradigm we've been discussing (Perspectives, Convergence) requires multiple views for efficacy, the more the better (within certain parameters). I'd been imagining a system in which individuals could opt to be notaries/cert reporters, and this is a step in that direction. Now the EFF could turn into a nexus for thousands and thousands of views. Of course they'd aggregate those thousands of views into a single point of failure, but that's okay, you'd only be using the EFF as one notary in your council of many. There are plenty of other trustworthy organizations who could run their own notaries based on similar methods or otherwise effective methods. I expect even individuals will run their own notaries, much as they run Tor servers or even NTP or SMTP.
Why hardcodes in HOSTS files = great by Anonymous Coward · 2011-09-21 12:50 · Score: -1

Simply because I am not going to be "suckered" by this in the first place because I do my fav sites where I spend 99% of my time online into my HOSTS file.
(I.E./E.G.-> I verify (triple verify) via pings, whois, and not only from my local machine, but others also later)
I also am NOT calling out to some DNS server that might be redirected (even for SSL sites) and stupid things like this can't "get to me" that way either when I visit my fav. 250 sites I have resolved locally inside my HOSTS file!
The "hosts file hardcoding" I do of my fav. 250 sites in my HOSTS file also resolves hosts-domain names to IP addresses for me, RELIABLY, & FAR faster than calling out to a potentially redirected/dns-poisoned DNS server as well!
(I.E.-> The speed of SSD access, virtually ZERO elapsed time, vs. 30-70 or so ms return time from external DNS servers).
APK
P.S.=> This particular attack's NOT going to get to me because of the above, and not others either (haven't been "infested online" since 1996 in fact), & MAINLY because for the MOST part (only 2-3 sites I use it on, ecommerce related), I don't use javascript @ all! It's a great tool, but like a razor or a gun, it can "backfire" on you & be misused by others unfortunately as you all most likely realize.
(Globally I don't activate javascript @ least, because Opera allows for "by site" setting on that, plugins, cookies, javascript & more)
Also, TLS 1.2 for SSL communique is active in Opera here (protecting vs. "THE BEAST" script -> http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/page2.html that's been "raising hell" this week either)... apk
1. Re:Why hardcodes in HOSTS files = great by Anonymous Coward · 2011-09-22 04:07 · Score: 0
  
  Why was post modded down? It shows SSL in Opera TLS 1.2, host can directly send you to a site concerned, and disabling javascript in Opera by site preferences prevents the latest attack in *beast* against SSL. The downmodder must have been the malware maker of the beast script I suspect who is upset that his script kiddie attack is useless against someone that knows what they're doing and is trying to bury it so others aren't made aware of how and why they can protect themselves versus it. The same poster did a better post today here on all of this which was very informative http://it.slashdot.org/comments.pl?sid=2439924&cid=37478006 [slashdot.org] in combination with what others there wrote in that conversation thread.
Use convergence.io by Artemis3 · 2011-09-21 14:53 · Score: 1

I think Convergence is better. The EFF should put up their own notary and just join Convergence instead of having their own separate way of doing the same...
I have already switched and added a bunch of random notaries. Everyone can just self sign and the notaries do the rest. Man in the Middle? Most notaries will warn your data differs. If a notary sucks, kick it and add another. Simple and clean.

--
Artix
Your Linux, your init.