
Comments


With HTTPS Everywhere, is Firefox now the most secure mobile browser?

Peter Eckersley Re:HTTPS Doesn't Make a Browser Secure (2 comments)

Agreed, provocative headline aside, the post specifies that the kind of security we can deliver is protection against dragnet surveillance.

Mobile phones in general are not yet in a position to offer much host security against targeted attacks; they have unauditable baseband chips and carrier-controlled update mechanisms and very slow security update cycles.

about 8 months ago

EFF's HTTPS Everywhere Detects and Warns About Cryptographic Vulnerabilities

Peter Eckersley Re:does it keep track.. ? (46 comments)

you know who's connected where?

Great question. If you have Torbutton installed, the Decentralized SSL Observatory will use Tor to submit the certs via an anonymized HTTPS POST, and warnings (if there are any) are sent back through the Tor network in response.

If you don't have Torbutton, you can still turn on the SSL Observatory, in which case the submission is direct. The server does not keep logs of which IPs certs are submitted from, though this is of course less secure than using Tor.

Before you can turn the Observatory on, we have a UI that tries to explain all of this elegantly and succinctly, in language that even not-super-technical users can understand.

The original design document is here: https://trac.torproject.org/projects/tor/wiki/doc/HTTPSEverywhere/SSLObservatorySubmission

more than 2 years ago

EFF Asks Verizon Whether Etisalat Deserves CA Trust

Peter Eckersley Re:I'm confused... (135 comments)

Is it possible for me to reject the Etisalat subCA cert without ever seeing it?

With Chrome/IE/Safari on OS X and Windows only, there is a way to block the Etisalat subordinate CA certs. First you have to fetch a copy (see for instance this site). Note that the Etisalat cert is also labelled "Comtrust". Then export the cert. Then on Windows, reimport them into the "untrusted certificates" store. On OS X, import the cert using the Keychain Application into "My Certificates", and disable it.

more than 4 years ago

EFF Releases Tool For Testing ISP Interference

Peter Eckersley Re:Dictionary words make bad project names (96 comments)

It is often a bad idea to select a project name that is a common dictionary word. It makes the project almost ungooglable and also dilutes the original meaning of the name -- I wonder if the nation of Switzerland wants to be associated with this piece of software. The global English dictionary namespace isn't running out yet, so we don't need to start reusing words.

Yes, this is a fair point and we talked about changing the name before launch for this reason. But despite a lot of brainstorming, we couldn't think of a better name. If you want to search for Switzerland, add a word like "eff" or "isp" or "packet" or "network" to your google search. Maybe if we're successful enough we'll end up on the first page of results for a simple "switzerland" search at some point.

more than 6 years ago

Submissions


With HTTPS Everywhere, is Firefox now the most secure mobile browser?

Peter Eckersley writes  |  about 8 months ago

Peter Eckersley (66542) writes "Over at EFF, we just released a version of our HTTPS Everywhere extension for Firefox for Android. HTTPS Everywhere upgrades your insecure web requests to HTTPS on many thousands of sites, and this means that Firefox on Android with HTTPS Everywhere is now by far the most secure browser against dragnet surveillance attacks like those performed by the NSA, GCHQ, and other intelligence agencies.

Android users should install the Firefox app and then add HTTPS Everywhere to it. iPhone and iPad users will unfortunately have to switch to Android to get this level of security because Apple has locked Mozilla Firefox out of their platforms."


Australian Networks Censoring Community University Website

Peter Eckersley writes  |  about a year and a half ago

Peter Eckersley (66542) writes "At the EFF we were recently contacted by the organisers of the Melbourne Free University (MFU), an Australian community education group, whose website had been unreachable from a number of Australian ISPs since the 4th of April.

It turns out that the IP address of MFU's virtual host has been black-holed by several Australian networks; there is suggestive but not conclusive evidence that this is a result of some sort of government request or order. It is possible that MFU and 1200 other sites that use that IP address are the victims of a block that was put in place for some other reason.

Further technical analysis and commentary is in our blog post."


Presidential campaigns leaking supporters' identities to online tracking firms?

Peter Eckersley writes  |  about 2 years ago

Peter Eckersley writes "Stanford privacy researcher Jonathan Mayer has published new research showing that websites of both the Obama and Romney presidential campaigns, which are used to communicate with and coordinate their volunteers, leak large amounts of private information to third-party online tracking firms. The Obama campaign site leaked names, usernames, zip codes and street addresses to up to ten companies. The Romney campaign site leaked names, zip codes and partial email addresses to up to thirteen firms."

EFF's HTTPS Everywhere Detects and Warns About Cryptographic Vulnerabilities

Peter Eckersley writes  |  more than 2 years ago

Peter Eckersley writes "EFF has released version 2 of the HTTPS Everywhere browser extension for Firefox, and a beta version for Chrome. The Firefox release has a major new feature called the Decentralized SSL Observatory. This optional setting submits anonymous copies of the HTTPS certificates that your browser sees to our Observatory database allowing us to detect attacks against the web's cryptographic infrastructure. It also allows us to send real-time warnings to users who are affected by cryptographic vulnerabilities or man-in-the-middle attacks. At the moment, the Observatory will send warnings if you connect to a device that has a weak private key due to recently discovered random number generator bugs, and we will be adding more such tests in the future."

Internet Inventors Warn Against SOPA and PIPA

Peter Eckersley writes  |  more than 2 years ago

Peter Eckersley writes "This morning, a group of 83 prominent Internet engineers — including Vint Cerf, Paul Vixie, and many other pioneers who designed, specified, built, and debugged the network — sent a letter to the US Congress warning about the disastrous consequences that SOPA and PIPA, the two Internet blacklist censorship bills, would have for the reliability and security of the network. Unfortunately, these bills are perilously close to passing. EFF also has some suggestions on how Slashdot readers can take action against the bills."

Widespread hijacking of search traffic in the US

Peter Eckersley writes  |  more than 3 years ago

Peter Eckersley writes "The Netalyzr research project from the ICSI networking group has discovered that on a number of US ISPs' networks, search traffic for Bing, Yahoo! and sometimes Google is being redirected to proxy servers operated by a company called Paxfire.

In addition to posing a grave privacy problem, this server impersonation is being used to redirect certain searches away from the user's chosen search engine and to affiliate marketing programs instead. Further analysis in a post at EFF."


Widespread hijacking of search traffic in the US

Peter Eckersley writes  |  more than 3 years ago

Peter Eckersley writes "A research team at ICSI in Berkeley has discovered that on a number of US ISPs' networks, search traffic for Bing, Yahoo! and sometimes Google is being redirected to proxy servers operated by a company called Paxfire.

In addition to posing a grave privacy problem, this server impersonation is being used to redirect certain searches away from the user's chosen search engine and to affiliate marketing programs instead."


EFF to Verizon: Should Etisalat have a CA cert?

Peter Eckersley writes  |  more than 4 years ago

Peter Eckersley (66542) writes "Today EFF published an open letter to Verizon (NYTimes coverage), calling for investigation of whether Etisalat is really an appropriate party to be a trusted SSL Certificate Authority. Etisalat is a majority state-owned telecom of the United Arab Emirates with operations throughout the Middle East. You may remember that last year Etisalat installed malware on its subscribers' BlackBerry phones, and was recently pivotal in the UAE's threat to disconnect BlackBerry devices altogether if Research In Motion did not provide a backdoor for BES servers' crypto.

This company, which appears to be institutionally hostile to the existence and use of secure cryptosystems, is in possession of a master certificate for HTTPS, encrypted POP and IMAP, and other SSL-based security systems. Etisalat's CA certificate is not trusted directly by Mozilla and Microsoft, but was instead delegated as an Intermediate CA by Verizon. As a result, we are asking Verizon to investigate whether it is appropriate for Etisalat to continue holding this certificate, and to consider revoking it."


The HTTPS Everywhere Firefox Extension

Peter Eckersley writes  |  more than 4 years ago

Peter Eckersley (66542) writes "EFF and Tor have announced a public beta of HTTPS Everywhere, a Firefox plugin that automatically encrypts your Google searches as well as requests to several other sites, including Wikipedia, Twitter, Identica, Facebook, some major newspapers, and a number of smaller search engines. This plugin makes it much easier to use encryption with sites that support it, but not by default.

For us, this is part of an ongoing campaign to turn the unencrypted web of the past into the encrypted web of tomorrow."


Almost All Browsers are Uniquely Fingerprintable

Peter Eckersley writes  |  more than 4 years ago

Peter Eckersley (66542) writes "Earlier this year, a lot of Slashdot users participated in EFF's Panopticlick experiment to test whether browsers can be tracked using only the version and configuration information that they share with websites. We have now published a paper reporting the statistical results of the experiment. It shows that 94% of browsers that run Flash or Java (and 84% of browsers generally) were completely unique in a sample of around half a million — almost all desktop browsers were uniquely fingerprintable. The report also studies how rapidly these fingerprints change, and what countermeasures can be taken against fingerprinting. But in summary, browser version and configuration information needs to be treated as identifying in much the same way that IP addresses, cookies, and supercookies are."

Tracking browsers without cookies or IP addresses?

Peter Eckersley writes  |  more than 4 years ago

Peter Eckersley (66542) writes "The EFF has launched a research project called Panopticlick, to determine whether seemingly innocuous browser configuration information (like User Agent strings, plugin versions, and fonts) may create unique fingerprints that allow web users to be tracked, even if they limit or delete cookies. Preliminary results indicate that the User Agent string alone has 10.5 bits of entropy, which means that for a typical Internet user, only one in about 1,500 (2 ^ 10.5) others will share their User Agent string.

If you visit Panopticlick, you can get a reading of how rare or unique your browser configuration is, as well as helping EFF to collect better data about this problem and how best to defend against it."


Journals

Peter Eckersley has no journal entries.
