
EFF System To Warn of Certificate Breaches

samzenpus posted more than 3 years ago | from the early-warning-system dept.

snydeq writes "With its distributed SSL Observatory, the Electronic Frontier Foundation hopes to detect compromised certificate authorities and warn users about attacks, InfoWorld reports. 'The EEF, along with developers at the Tor Project and consulting firm iSec Partners, has updated its existing HTTPS Everywhere program with the ability to anonymously report every certificate encountered. The group will analyze the data so that it can detect any rogue certificates — and by extension, compromised authorities — its users encounter, says Peter Eckersley, technology projects director for the EFF.'"

We'll see (3, Insightful)

L1B3R4710N (2081304) | more than 3 years ago | (#37472620)

Sounds really good on paper (or, for the literal ones here, on webpage), but we'll see how it works in practice. I hope it does what it hopes to do, but who knows?

Re:We'll see (1)

increment1 (1722312) | more than 3 years ago | (#37473034)

Sounds really good on paper (or, for the literal ones here, on webpage), but we'll see how it works in practice.

I think in practice that the people perpetuating the man in the middle attacks will now just have to man in the middle two connections, instead of just one.

Unless the EFF has some magic special way of getting this data reported to them that isn't also susceptible to MITM attacks.

Re:We'll see (0)

Anonymous Coward | more than 3 years ago | (#37473578)

Am I missing something? Just encrypt the communication with their public key. There's no need for key handshake here, and so MITM is not possible.

Re:We'll see (1)

flonker (526111) | more than 3 years ago | (#37475448)

Where would you get the public key from? And how would you know they aren't compromised?

Re:We'll see (1)

mrmeval (662166) | more than 3 years ago | (#37474944)

I clicked on the link then clicked on "URL:https://www.eff.org/files/https-everywhere-latest.xpi" and I get this

This Connection is Untrusted

Am I missing something here?

Re:We'll see (1)

tomtomtom (580791) | more than 3 years ago | (#37477036)

Yes. You probably distrusted the Comodo CA a while ago, which signs the EFF's certificate.

Re:We'll see (1)

mrmeval (662166) | more than 3 years ago | (#37486484)

+1 to parent. Yes I did that. Thanks. I shall inquire if they are going to continue trusting them or not.

Whoa (0)

Anonymous Coward | more than 3 years ago | (#37472638)

Some people don't know?

HTTPS Everywhere (1)

Hatta (162192) | more than 3 years ago | (#37472664)

But only on Firefox.

Re:HTTPS Everywhere (3, Insightful)

MetalliQaZ (539913) | more than 3 years ago | (#37472762)

I know Firefox is unpopular lately, but among the major browsers it stands out for Add-on support. Please direct complaints to MS/Google/Opera/etc.

I really love the HTTPS Everywhere tool, and I'm glad to see this news. Perhaps it can become popular enough to trigger "ports" to other browsers. EFF will also gladly accept your donations, along with which you could include a request for chrome/ie/opera support.

Re:HTTPS Everywhere (0, Troll)

Anonymous Coward | more than 3 years ago | (#37472832)

I know Firefox is unpopular lately, but among the major browsers it stands out for Add-on support.

But not for long! With the upcoming fast release schedule, add-ons will be outdated and cannot run on the latest version of Firefox when they've been updated to support what was the current version of Firefox. Add-ons will be supported for the version of Firefox just before the current.

Yes, Firefox will move and make a new release just before devs fix their addons to support the old one!

Re:HTTPS Everywhere (1, Informative)

Richard_at_work (517087) | more than 3 years ago | (#37472904)

IE has had plugin support for a decade, how do you think the Google Toolbar works on IE?

Re:HTTPS Everywhere (2)

RulerOf (975607) | more than 3 years ago | (#37473082)

IE has had plugin support for a decade, how do you think the Google Toolbar works on IE?

If it's anything like 99% of the plugins I find on most peoples' computers when I work on them, it's probably an absolute pile of shit :P

Kidding aside, I almost cried a tear of joy when I read that Chrome actually can't support a toolbar.

I felt the same way when I saw a Chrome extension inject Javascript into every web page on a computer to create a frame at the top with toolbar-like features. Oh well.

Re:HTTPS Everywhere (0)

Anonymous Coward | more than 3 years ago | (#37473496)

I felt the same way when I saw a Chrome extension inject Javascript into every web page on a computer to create a frame at the top with toolbar-like features. Oh well.

LOL. Goddamn bloatware makers, they're unstoppable!

Re:HTTPS Everywhere (1)

Richard_at_work (517087) | more than 3 years ago | (#37478318)

Nice to see the mod tards out in force today - how the fuck is my post "redundant"?

Re:HTTPS Everywhere (1)

Hatta (162192) | more than 3 years ago | (#37473050)

Why do you need add-on support to provide this functionality? Wouldn't an HTTP proxy on localhost be able to do the same thing? That would be completely browser agnostic.

Re:HTTPS Everywhere (0)

Anonymous Coward | more than 3 years ago | (#37474790)

The KB SSL Enforcer extension for Chrome has had a bug for a long time that's awaiting this functionality to be possible in Chrome. As soon as HTTP(S) requests and the responses can be intercepted by an extension, then this will be possible. For now, you can blame Google, since we have as much as is possible currently.

Re:HTTPS Everywhere (1)

bill_mcgonigle (4333) | more than 3 years ago | (#37475216)

But only on Firefox.

Paranoid security and open source browsers are a good match-up. Most people are wrong to be paranoid, but obviously some are right to be. I guess most people are wrong to buy fire insurance too, but erring on the side of paranoid there isn't quite so stigmatized. I bet in Iran secure browsing isn't stigmatized among the people either.

If only (-1)

Anonymous Coward | more than 3 years ago | (#37472734)

If only the EFF wasn't an irrelevant group of freetards this might actually be meaningful. Do they really think that most people will trust a group that defends pirates and hackers?

Re:If only (2)

MetalliQaZ (539913) | more than 3 years ago | (#37472774)

Yes. They defend everyone's rights, including hackers and including you.

Spelling (2)

uigrad_2000 (398500) | more than 3 years ago | (#37472760)

'The EEF, along with developers

I know that abbreviation is long and complex, but since this article is mostly about them, can't you at least get it right in the summary?

Re:Spelling (0)

Anonymous Coward | more than 3 years ago | (#37472970)

I know the FFF would be appalled.

Re:Spelling (1)

Reason58 (775044) | more than 3 years ago | (#37476418)

That is a direct [sic] from the linked article.

LOL (0)

Anonymous Coward | more than 3 years ago | (#37472766)

lol, now the certificate issuers need certificate issuers.

Re:LOL (1)

Dthief (1700318) | more than 3 years ago | (#37472790)

so do the certificate issuers for the Certificate issuers for the certificate Issuers for the certificate issuers for the certificate issuers.........

Obligatory Xzibit (0)

Anonymous Coward | more than 3 years ago | (#37473460)

Sup DAWG, we heard you like to verify trust so we put a certificate authority on your certificate authority so you can verify trust while you verify trust.

So another certificate authority eh? (1)

BitZtream (692029) | more than 3 years ago | (#37472804)

The difference is that instead of issuing them, it will just copy them and verify them for others ...

So you get certdiff, which is useful, just like SSL certs themselves ... it's useful right up until someone poisons the central authority.

Then what you do, is create another authority to watch the first authority who watches everyone else's authority so no one has any clue who is actually the authoritative source.

I see the idea, it has merit, but it's just more of the same thing. You can't solve the problem by repeating the same non-functioning act over and over again. It's the definition of insanity you know.

Re:So another certificate authority eh? (1)

Anonymous Coward | more than 3 years ago | (#37473080)

Except for by having two groups work on the same certificate, they would have to get both in order for you to have misplaced trust. Personally, I think this is a good idea so that there won't be a single point of failure.

Just add more annoying UI to Firefox. (0)

Anonymous Coward | more than 3 years ago | (#37472860)

"Although this site's certificate is signed, and you approved the same certificate to be stored permanently about three years ago, the signing authority may have been compromised.

[Get me out of here] [I understand the risks, but fuck me with more dialogs because I need a refresher course in crypto]

[My name is Bruce Schneier; just show me the goddamned page]

[OK] [Cancel] [Apply] [Abort] [Revert] [Save]

Will they follow through? (0)

Anonymous Coward | more than 3 years ago | (#37472910)

Hopefully they have better follow-through on this than they did with TOSBack, which seems to have withered on the vine.

Interesting associations (1)

Anonymous Coward | more than 3 years ago | (#37473014)

The Tor Project [wikipedia.org] is heavily associated with Jacob Appelbaum [wikipedia.org], one of their core members and proponents (and also a major proponent of Wikileaks). Jacob was also part of the team that exploited the MD5 weakness of SSL and created their own rogue Certification Authority [zdnet.com].

So at least they know what to look for. Information wants to be free, except when it doesn't.

classic CA system nearing death (1)

Onymous Coward (97719) | more than 3 years ago | (#37473876)

This "decentralized SSL Observatory" idea is fantastic. The notaries paradigm we've been discussing (Perspectives, Convergence) requires multiple views for efficacy, the more the better (within certain parameters). I'd been imagining a system in which individuals could opt to be notaries/cert reporters, and this is a step in that direction. Now the EFF could turn into a nexus for thousands and thousands of views. Of course they'd aggregate those thousands of views into a single point of failure, but that's okay, you'd only be using the EFF as one notary in your council of many. There are plenty of other trustworthy organizations who could run their own notaries based on similar methods or otherwise effective methods. I expect even individuals will run their own notaries, much as they run Tor servers or even NTP or SMTP.

Why hardcodes in HOSTS files = great (-1)

Anonymous Coward | more than 3 years ago | (#37474902)

Simply because I am not going to be "suckered" by this in the first place because I do my fav sites where I spend 99% of my time online into my HOSTS file.

(I.E./E.G.-> I verify (triple verify) via pings, whois, and not only from my local machine, but others also later)

I also am NOT calling out to some DNS server that might be redirected (even for SSL sites) and stupid things like this can't "get to me" that way either when I visit my fav. 250 sites I have resolved locally inside my HOSTS file!

The "hosts file hardcoding" I do of my fav. 250 sites in my HOSTS file also resolves hosts-domain names to IP addresses for me, RELIABLY, & FAR faster than calling out to a potentially redirected/dns-poisoned DNS server as well!

(I.E.-> The speed of SSD access, virtually ZERO elapsed time, vs. 30-70 or so ms return time from external DNS servers).

APK

P.S.=> This particular attack's NOT going to get to me because of the above, and not others either (haven't been "infested online" since 1996 in fact), & MAINLY because for the MOST part (only 2-3 sites I use it on, ecommerce related), I don't use javascript @ all! It's a great tool, but like a razor or a gun, it can "backfire" on you & be misused by others unfortunately as you all most likely realize.

(Globally I don't activate javascript @ least, because Opera allows for "by site" setting on that, plugins, cookies, javascript & more)

Also, TLS 1.2 for SSL communique is active in Opera here (protecting vs. "THE BEAST" script -> http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/page2.html [theregister.co.uk] that's been "raising hell" this week either)... apk

Re:Why hardcodes in HOSTS files = great (0)

Anonymous Coward | more than 3 years ago | (#37481052)

Why was post modded down? It shows SSL in Opera TLS 1.2, host can directly send you to a site concerned, and disabling javascript in Opera by site preferences prevents the latest attack in *beast* against SSL. The downmodder must have been the malware maker of the beast script I suspect who is upset that his script kiddie attack is useless against someone that knows what they're doing and is trying to bury it so others aren't made aware of how and why they can protect themselves versus it. The same poster did a better post today here on all of this which was very informative http://it.slashdot.org/comments.pl?sid=2439924&cid=37478006 [slashdot.org] in combination with what others there wrote in that conversation thread.

Use convergence.io (1)

Artemis3 (85734) | more than 3 years ago | (#37475714)

I think Convergence [convergence.io] is better. The EFF should put up their own notary and just join Convergence instead of having their own separate way of doing the same...

I have already switched and added a bunch of random notaries. Everyone can just self sign and the notaries do the rest. Man in the Middle? Most notaries will warn your data differs. If a notary sucks, kick it and add another. Simple and clean.
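The multi-notary model that Onymous Coward (Perspectives, Convergence, the EFF as "one notary in your council of many") and Artemis3 ("most notaries will warn your data differs") describe above, as an added example written for this page rather than code from the EFF, Perspectives or Convergence. The client verifies each notary reply under a key it already holds (HMAC stands in for a notary signature here, and every notary name, key and certificate byte string is constructed), then requires a quorum of agreeing views before trusting or rejecting the certificate it was served, so a single compromised or disagreeing notary cannot decide the outcome by itself.

```python
import hashlib
import hmac
from collections import Counter

# Everything below is constructed sample data: placeholder bytes stand in for
# DER certificates, and the notary names and keys are hypothetical.
def fingerprint(der: bytes) -> str:
    """SHA-256 hex fingerprint, the value a notary would report for a host."""
    return hashlib.sha256(der).hexdigest()

GENUINE = fingerprint(b"constructed DER for example.org, genuine")
ROGUE = fingerprint(b"constructed DER for example.org, rogue CA")
# Keys the client has pinned for each notary. HMAC stands in for the notary's
# signature so the example runs offline; the point is that the client verifies
# notary responses under material it already holds, so the report channel
# itself is not open to a second man-in-the-middle.
NOTARY_KEYS = {"notary-a": b"key-a", "notary-b": b"key-b",
               "notary-c": b"key-c", "notary-d": b"key-d"}

def sign(notary: str, host: str, fp: str) -> str:
    return hmac.new(NOTARY_KEYS[notary], f"{host}|{fp}".encode(), "sha256").hexdigest()

def notary_response(notary: str, host: str, fp: str, forged: bool = False) -> dict:
    """Build a notary's reply; forged=True models an attacker who lacks the key."""
    tag = sign(notary, host, fp) if not forged else "00" * 32
    return {"notary": notary, "host": host, "fp": fp, "tag": tag}

def evaluate(host: str, served_fp: str, responses: list, quorum: int) -> str:
    """Compare the certificate the browser was served with the notaries' views.

    trusted      -> at least `quorum` authentic notaries saw the same fingerprint
    untrusted    -> at least `quorum` authentic notaries saw a different one, so
                    the certificate on our own path is the odd one out
    inconclusive -> too few authentic, agreeing views to decide either way
    """
    views = Counter()
    for r in responses:
        if r["host"] != host or r["notary"] not in NOTARY_KEYS:
            continue
        if not hmac.compare_digest(r["tag"], sign(r["notary"], host, r["fp"])):
            continue  # unauthenticated reply: dropped, never counted
        views[r["fp"]] += 1
    if views[served_fp] >= quorum:
        return "trusted"
    if views:
        top_fp, top_count = views.most_common(1)[0]
        if top_fp != served_fp and top_count >= quorum:
            return "untrusted"
    return "inconclusive"
```

With three honest notaries reporting the genuine fingerprint and one reporting the rogue one, evaluate() at quorum 3 returns trusted for the genuine certificate and untrusted for the rogue one, while forged replies that fail the tag check are dropped and leave the result inconclusive.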
