EFF's HTTPS Everywhere Detects and Warns About Cryptographic Vulnerabilities
Peter Eckersley writes "EFF has released version 2 of the HTTPS Everywhere browser extension for Firefox, and a beta version for Chrome. The Firefox release has a major new feature called the Decentralized SSL Observatory. This optional setting submits anonymous copies of the HTTPS certificates that your browser sees to their Observatory database, allowing them to detect attacks against the web's cryptographic infrastructure. It also allows us to send real-time warnings to users who are affected by cryptographic vulnerabilities or man-in-the-middle attacks. At the moment, the Observatory will send warnings if you connect to a device that has a weak private key due to recently discovered random number generator bugs."
"It also allows us to send real-time warnings to users who are affected by cryptographic vulnerabilities or man-in-the-middle attacks."
so how does that work? you know who's connected where?
world was created 5 seconds before this post as it is.
No, they come with pre-trusted cert authorities. And any cert authority can issue a certificate for any domain. So, if somebody "convinces" Verisign to give them a cert for facebook.com, that's it, they are now facebook.com as far as every browser is concerned.
In fact, sites like Facebook and Google change their certs so often (probably due to load-balancing or the simple challenge of synchronizing a certificate over a global set of datacenters), it's practically a full-time job keeping track of whether this "new" cert is valid or not.
<xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
The list of people who both care about the non-commercial interests of an end user and are technically proficient to do something about it is pretty small.
Don't web browsers already come with pre-known public keys/certs to detect Man-In-The-Middle attacks?? I like the HTTPS everywhere part but I don't get why this is useful or needed as of today...
I've read of 3 successful attempts to get fake "Bank of America" certs. One was a cert for "Bank of America\0My Phishing Site", and browsers would stop at the null and accept it. One was simply an email request with forged headers to the CA, who responded with a BoA cert without double-checking the origin of the request. One was signed by one of the now-bogus CAs while most browsers hadn't yet updated with awareness of that bogosity.
And those are just the ones I've read about.
CAs are simply no longer the "trusted 3rd party" needed to prevent MitM attacks. EFF is trying to fill that void, and I'm sure that will work well for a while!
Socialism: a lie told by totalitarians and believed by fools.
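An added illustration, not from any poster in this thread, of the NUL-byte certificate problem described above: a comparison that treats the certificate name as a C string stops at the first NUL and accepts the name, while a length-aware check rejects it. The hostnames are constructed placeholders.

```python
# Added example (not from the original thread). Shows why a NUL byte embedded
# in a certificate name defeats a C-string style hostname comparison, and the
# full-length check that closes the gap. All names below are constructed.

EXPECTED_HOST = "bank.example"

# Constructed certificate names: an honest one and one with an embedded NUL.
HONEST_NAME = b"bank.example"
NUL_NAME = b"bank.example\x00attacker.example"


def c_string_match(cert_name: bytes, expected: str) -> bool:
    """Emulate the flawed behaviour the post describes: the name is handed to
    C-string code, so everything after the first NUL byte is ignored."""
    visible = cert_name.split(b"\x00", 1)[0]
    return visible.decode("ascii", "replace").lower() == expected.lower()


def strict_match(cert_name: bytes, expected: str) -> bool:
    """Length-aware check: a NUL anywhere in the name is rejected outright,
    the name must be clean ASCII, and the whole byte string (not a prefix)
    must equal the expected host."""
    if b"\x00" in cert_name:
        return False
    try:
        name = cert_name.decode("ascii")
    except UnicodeDecodeError:
        return False
    return name.lower() == expected.lower()


def audit_names(cert_names, expected):
    """Run both checks over a list of candidate names and return
    (name, flawed_result, strict_result) tuples so the divergence is visible."""
    return [(n, c_string_match(n, expected), strict_match(n, expected))
            for n in cert_names]


if __name__ == "__main__":
    for name, flawed, strict in audit_names([HONEST_NAME, NUL_NAME], EXPECTED_HOST):
        print(f"{name!r}: c-string match={flawed}, strict match={strict}")
```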
The TOR browser bundle includes this change (because the HTTPS-everywhere addon auto-updates, IIRC). For those who opt in, the EFF will know far more about their browsing history than their ISP.
Of course, if you don't trust the EFF's claims that it will be anonymized, I'm not sure why you'd trust the anonymity of TOR, but that's a different topic.
I want a browser extension to record and track my connections into a centralized database. It's for my own benefit, you see.
Well, it's only the https connections, and your ISP and the TLAs already have that.
I would trust the EFF more than I would trust google, omniture, doubleclick, comscore (which slashdot uses), etc.