Slashdot Mirror


EFF's HTTPS Everywhere Detects and Warns About Cryptographic Vulnerabilities

Peter Eckersley writes "EFF has released version 2 of the HTTPS Everywhere browser extension for Firefox, and a beta version for Chrome. The Firefox release has a major new feature called the Decentralized SSL Observatory. This optional setting submits anonymous copies of the HTTPS certificates that your browser sees to their Observatory database, allowing them to detect attacks against the web's cryptographic infrastructure. It also allows us to send real-time warnings to users who are affected by cryptographic vulnerabilities or man-in-the-middle attacks. At the moment, the Observatory will send warnings if you connect to a device that has a weak private key due to recently discovered random number generator bugs."

2 of 46 comments

  1. Re:does it keep track.. ? by Anonymous Coward · Score: 5, Informative

    so how does that work? you know who's connected where?

    When going to an SSL website, your browser submits a copy of the SSL certificate to the EFF's server.

    The EFF's server does some sanity checking on the certificate to see if it is from a weak key.

    The EFF's server compares the SSL certificate your browser submits with the SSL certificates for the same hostname that the EFF has on file from other users who submitted certificates (or maybe the EFF also tries to connect to the https server themselves).

    If the certificate your browser sees is different from what the EFF expects you to see, the browser plugin displays a nasty warning to the end user.

    Of course, I expect that 99% of end users will still click "OK, let me connect anyways" despite all the security problems!
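    The submit, sanity-check, compare and warn sequence this comment lays out, as an added example that is neither the EFF's Observatory code nor the commenter's: a toy server-side observatory in Python. The weak-key check it performs is a pairwise gcd over the RSA moduli it has collected, which catches keys that share a prime factor (one known symptom of a broken random number generator) without factoring anything; that choice, the hostnames, the certificate bytes and the tiny moduli are all assumptions constructed for the example.

```python
import hashlib
import math
from collections import defaultdict


class ToyObservatory:
    """Hypothetical observatory mirroring the comment's steps: check the key,
    compare the cert with what is on file for the hostname, return warnings."""

    def __init__(self):
        # hostname -> set of certificate fingerprints previously submitted for it
        self.seen = defaultdict(set)
        # fingerprint -> RSA modulus taken from that certificate's public key
        self.moduli = {}

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        return hashlib.sha256(cert_der).hexdigest()

    def weak_key_warnings(self, fp: str, modulus: int) -> list:
        """Two keys generated with a faulty RNG can share a prime; a gcd with every
        modulus already on file exposes that without factoring either key."""
        warnings = []
        for other_fp, other_n in self.moduli.items():
            if other_fp == fp or other_n == modulus:
                continue  # same cert, or a reissued cert carrying the same key
            g = math.gcd(modulus, other_n)
            if g > 1:
                warnings.append(
                    f"weak key: modulus shares factor {g} with cert {other_fp[:12]}"
                )
        return warnings

    def submit(self, hostname: str, cert_der: bytes, modulus: int) -> list:
        """Record one submission and return the warnings the browser should show."""
        fp = self.fingerprint(cert_der)
        warnings = self.weak_key_warnings(fp, modulus)
        known = self.seen[hostname]
        # A host seen before that now presents a cert nobody else reported is
        # exactly the mismatch the comment describes; first sight is recorded silently.
        if known and fp not in known:
            warnings.append(
                f"mismatch: {hostname} presented cert {fp[:12]}, "
                f"previously seen {sorted(k[:12] for k in known)}"
            )
        known.add(fp)
        self.moduli[fp] = modulus
        return warnings


if __name__ == "__main__":
    # Constructed sample: toy moduli built from small primes so the gcd is visible.
    obs = ToyObservatory()
    print(obs.submit("example.test", b"cert-A", 101 * 103))  # first sight: []
    print(obs.submit("example.test", b"cert-B", 109 * 113))  # mismatch warning
    print(obs.submit("other.test", b"cert-C", 101 * 107))    # shares factor 101
```

    Real moduli are 2048-bit integers and the Observatory holds millions of certificates, so a production version would batch the gcd work (product-tree style) rather than loop pairwise; the per-hostname comparison is unchanged.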

  2. Re:does it keep track.. ? by Peter Eckersley · Score: 5, Informative

    you know who's connected where?

    Great question. If you have Torbutton installed, the Decentralized SSL Observatory will use Tor to submit the certs via an anonymized HTTPS POST, and warnings (if there are any) are sent back through the Tor network in response.

    If you don't have Torbutton, you can still turn on the SSL Observatory, in which case the submission is direct. The server does not keep logs of which IPs certs are submitted from, though this is of course less secure than using Tor.

    Before you can turn the Observatory on, we have a UI that tries to explain all of this elegantly and succinctly, in language that even not-super-technical users can understand.

    The original design document is here: https://trac.torproject.org/projects/tor/wiki/doc/HTTPSEverywhere/SSLObservatorySubmission