EFF System To Warn of Certificate Breaches

← Back to Stories (view on slashdot.org)

EFF System To Warn of Certificate Breaches

Posted by samzenpus on Wednesday September 21, 2011 @08:47AM from the early-warning-system dept.

snydeq writes "With its distributed SSL Observatory, the Electronic Frontier Foundation hopes to detect compromised certificate authorities and warn users about attacks, InfoWorld reports. 'The EEF, along with developers at the Tor Project and consulting firm iSec Partners, has updated its existing HTTPS Everywhere program with the ability to anonymously report every certificate encountered. The group will analyze the data so that it can detect any rogue certificates — and by extension, compromised authorities — its users encounter, says Peter Eckersley, technology projects director for the EFF.'"

22 of 35 comments (clear)

Min score:

Reason:

Sort:

We'll see by L1B3R4710N · 2011-09-21 08:50 · Score: 3, Insightful

Sounds really good on paper (or, for the literal ones here, on webpage), but we'll see how it works in practice. I hope it does what it hopes to do, but who knows?

--
"...the number of UNIX installations has grown to 10, with more expected..." - Dennis Ritchie/Ken Thompson, 1972
1. Re:We'll see by increment1 · 2011-09-21 09:26 · Score: 1
  
  Sounds really good on paper (or, for the literal ones here, on webpage), but we'll see how it works in practice.
  I think in practice that the people perpetuating the man in the middle attacks will now just have to man in the middle two connections, instead of just one.
  Unless the EFF has some magic special way of getting this data reported to them that isn't also susceptible to MITM attacks.
2. Re:We'll see by mrmeval · 2011-09-21 13:00 · Score: 1
  
  I clicked on the link then clicked on "URL:https://www.eff.org/files/https-everywhere-latest.xpi" and I get this
  
  This Connection is Untrusted
  Am I missing something here?
  
  --
  I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
3. Re:We'll see by flonker · 2011-09-21 14:05 · Score: 1
  
  Where would you get the public key from? And how would you know they aren't compromised?
4. Re:We'll see by tomtomtom · 2011-09-21 19:41 · Score: 1
  
  Yes. You probably distrusted the Comodo CA a while ago, which signs the EFF's certificate.
5. Re:We'll see by mrmeval · 2011-09-22 12:16 · Score: 1
  
  +1 to parent. Yes I did that. Thanks. I shall inquire if they are going to continue trusting them or not.
  
  --
  I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
HTTPS Everywhere by Hatta · 2011-09-21 08:53 · Score: 1

But only on Firefox.

--
Give me Classic Slashdot or give me death!
1. Re:HTTPS Everywhere by MetalliQaZ · 2011-09-21 09:01 · Score: 3, Insightful
  
  I know Firefox is unpopular lately, but among the major browsers it stands out for Add-on support. Please direct complaints to MS/Google/Opera/etc.
  I really love the HTTPS Everywhere tool, and I'm glad to see this news. Perhaps it can become popular enough to trigger "ports" to other browsers. EFF will also gladly accept your donations, long with which you could include a request for chrome/ie/opera support.
  
  --
  "Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
2. Re:HTTPS Everywhere by Richard_at_work · 2011-09-21 09:14 · Score: 1, Informative
  
  IE has had plugin support for a decade, how do you think the Google Toolbar works on IE?
3. Re:HTTPS Everywhere by Hatta · 2011-09-21 09:27 · Score: 1
  
  Why do you need add-on support to provide this functionality? Wouldn't an HTTP proxy on localhost be able to do the same thing? That would be completely browser agnostic.
  
  --
  Give me Classic Slashdot or give me death!
4. Re:HTTPS Everywhere by RulerOf · 2011-09-21 09:31 · Score: 2
  
  IE has had plugin support for a decade, how do you think the Google Toolbar works on IE?
  If it's anything like 99% of the plugins I find on most peoples' computers when I work on them, it's probably an absolute pile of shit :P
  
  Kidding aside, I almost cried a tear of joy when I read that Chrome actually can't support a toolbar.
  
  I felt the same way when I saw a Chrome extension inject Javascript into every web page on a computer to create a frame at the top with toolbar-like features. Oh well.
  
  --
  Boot Windows, Linux, and ESX over the network for free.
5. Re:HTTPS Everywhere by bill_mcgonigle · 2011-09-21 13:35 · Score: 1
  
  But only on Firefox.
  Paranoid security and open source browsers are a good match-up. Most people are wrong to be paranoid, but obviously some are right to be. I guess most people are wrong to buy fire insurance too, but erring on the side of paranoid there isn't quite so stigmatized. I bet in Iran secure browsing isn't stigmatized among the people either.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
6. Re:HTTPS Everywhere by Richard_at_work · 2011-09-22 00:18 · Score: 1
  
  Nice to see the mod tards out in force today - how the fuck is my post "redundant"?
Spelling by uigrad_2000 · 2011-09-21 09:01 · Score: 2

'The EEF, along with developers
I know that abbreviation is long and complex, but since this article is mostly about them, can't you at least get it right in the summary?

--
Free unix account: freeshell.org
1. Re:Spelling by Reason58 · 2011-09-21 16:49 · Score: 1
  
  That is a direct [sic] from the linked article.
Re:If only by MetalliQaZ · 2011-09-21 09:03 · Score: 2

Yes. They defend everyone's rights, including hackers and including you.

--
"Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
Re:LOL by Dthief · 2011-09-21 09:04 · Score: 1

so do the certificate issuers for the Certificate issuers for the certificate Issuers for the certificate issuers for the certificate issuers.........

--
www.RacquetUp.org - Helping Detroit Youth
So another certificate authority eh? by BitZtream · 2011-09-21 09:05 · Score: 1

The difference is that instead of issuing them, it will just copy them and verify them for others ...
So you get certdiff, which is useful, just like SSL certs themselves ... its useful right up until someone poisons the central authority.
Then what you do, is create another authority to watch the first authority who watches everyone elses authority so no one has any clue who is actually the authoritative source.
I see the idea, it has merit, but its just more of the same thing. You can't solve the problem by repeating the same non-functioning act over and over again. Its the definition of insanity you know.

--
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
1. Re:So another certificate authority eh? by Anonymous Coward · 2011-09-21 09:31 · Score: 1
  
  Except for by having two groups work on the same certificate, they would have to get both in order for you to have misplaced trust. Personally, I think this is a good idea so that there won't be a single point of failure.
Interesting associations by Anonymous Coward · 2011-09-21 09:25 · Score: 1

The Tor Project is heavily associated with Jacob Appelbaum, one of their core members and proponents (and also a major proponent of Wikileaks). Jacob was also part of the team that exploited the MD5 weakness of SSL and created their own rogue Certification Authority.
So at least they know what to look for. Information wants to be free, except when it doesn't.
classic CA system nearing death by Onymous+Coward · 2011-09-21 10:50 · Score: 1

This "decentralized SSL Observatory" idea is fantastic. The notaries paradigm we've been discussing (Perspectives, Convergence) requires multiple views for efficacy, the more the better (within certain parameters). I'd been imagining a system in which individuals could opt to be notaries/cert reporters, and this is a step in that direction. Now the EFF could turn into a nexus for thousands and thousands of views. Of course they'd aggregate those thousands of views into a single point of failure, but that's okay, you'd only be using the EFF as one notary in your council of many. There are plenty of other trustworthy organizations who could run their own notaries based on similar methods or otherwise effective methods. I expect even individuals will run their own notaries, much as they run Tor servers or even NTP or SMTP.
Use convergence.io by Artemis3 · 2011-09-21 14:53 · Score: 1

I think Convergence is better. The EFF should put up their own notary and just join Convergence instead of having their own separate way of doing the same...
I have already switched and added a bunch of random notaries. Everyone can just self sign and the notaries do the rest. Man in the Middle? Most notaries will warn your data differs. If a notary sucks, kick it and add another. Simple and clean.

--
Artix
Your Linux, your init.