[HTTPS-Everywhere] what does HTTPS-Everywhere consider a "valid" X.509 certificate? [was: Re: Custom rules]

Chris Palmer chris at eff.org
Tue Oct 19 11:51:17 PDT 2010


On Oct 19, 2010, at 11:33 AM, Eitan Adler wrote:

> That is impossible. You can make the bar very high - but it is never
> possible to make something 100% secure.

The discipline is to never let the perfect be the enemy of the good, while at the same time aiming no lower than the top.

> You seem to be misinterpreting my enthusiasm for opportunistic
> encryption as a be all and end all. I do not view it that way. For the
> same reason that locks on a car are better than no locks, more
> encryption is better than none.

It is not better if it engenders a false sense of security, or if it complicates the already-extremely-hard problem of communicating the security guarantee to users.

> The biggest problem with security today is the users themselves and

No, users are fine. The problem is engineers. For example, engineers denigrate users, leading inevitably to their failure to understand users and users' needs and capabilities.

> we need to find better ways to inform users of what is going on.

Which is why we must not complicate the user story with jibber-jabber.

> My proposal is for browsers to show "http" in the toolbar (or httpE if
> not saying anything is a problem), don't display a lock, don't
> indicate any security whatsoever - but when possible make a https
> request even if the certificate is self signed.

This scheme is vulnerable to a trivial downgrade attack, arguably worse than the trivial downgrade attacks we already suffer.

Stated another way, all our locks are bump-keyable. Here's your bump key:

http://www.thoughtcrime.org/software/sslstrip/


-- 
Chris Palmer
Technology Director, Electronic Frontier Foundation
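As an added example, not part of this thread and not HTTPS-Everywhere code: a small Python model of the proposal quoted above (try TLS with any certificate, silently fall back to plaintext, show "http" either way) next to a fail-closed policy, run against an honest path and against an active attacker that behaves like sslstrip. The host name, the server's behaviour, the policy labels and the attacker are all constructed for illustration; nothing here does real networking.

```python
"""Toy model of the opportunistic-TLS proposal and the sslstrip-style downgrade.

Everything here is constructed for illustration: the host name, the
server's behaviour, the two client policies and the attacker are
assumptions, not HTTPS-Everywhere code and not real networking.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

HOST = "example.test"  # constructed host name


class ConnectionReset(Exception):
    """Stand-in for a TCP RST / TLS handshake the attacker never lets complete."""


class DowngradeRefused(Exception):
    """Raised by the fail-closed client when HTTPS cannot be reached."""


@dataclass
class Response:
    scheme: str                      # scheme the client actually spoke
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


class OriginServer:
    """Redirects plaintext to HTTPS and serves a login form over HTTPS."""

    def handle(self, scheme: str, host: str, path: str) -> Response:
        if scheme == "http":
            return Response("http", 301, {"Location": f"https://{host}{path}"})
        return Response("https", 200, body=f'<form action="https://{host}/login">')


class HonestNetwork:
    """No attacker: requests reach the origin unchanged."""

    def __init__(self, server: OriginServer):
        self.server = server

    def request(self, scheme: str, host: str, path: str) -> Response:
        return self.server.handle(scheme, host, path)


class SslStripNetwork:
    """Active attacker on the path, behaving like sslstrip.

    The client's TLS attempt is dropped so it falls back to plaintext; the
    plaintext session is proxied to the real origin over HTTPS and every
    https:// reference in the reply is rewritten to http://.
    """

    def __init__(self, server: OriginServer):
        self.server = server

    def request(self, scheme: str, host: str, path: str) -> Response:
        if scheme == "https":
            raise ConnectionReset("attacker drops the TLS handshake")
        upstream = self.server.handle("https", host, path)

        def strip(s: str) -> str:
            return s.replace("https://", "http://")

        return Response("http", upstream.status,
                        {k: strip(v) for k, v in upstream.headers.items()},
                        strip(upstream.body))


class Client:
    """Two policies: the proposal quoted above, and a fail-closed rule."""

    def __init__(self, network, policy: str):
        self.network = network
        self.policy = policy

    def fetch(self, url: str):
        u = urlsplit(url)
        if self.policy == "opportunistic":
            # The proposal: try TLS (any cert accepted), silently fall back to
            # plaintext, and show "http" in the toolbar either way.
            try:
                resp = self.network.request("https", u.hostname, u.path)
            except ConnectionReset:
                resp = self.network.request("http", u.hostname, u.path)
            return resp, "http"
        # Fail-closed (an HTTPS-Everywhere rule or an HSTS-style pin): only
        # HTTPS is acceptable for this host, and an unreachable HTTPS is an
        # error, not a reason to fall back.
        try:
            resp = self.network.request("https", u.hostname, u.path)
        except ConnectionReset as exc:
            raise DowngradeRefused(f"https://{u.hostname}{u.path}: {exc}") from exc
        return resp, "https"


def run(policy: str, attacked: bool) -> dict:
    """Fetch the account page under one policy, with or without the attacker."""
    server = OriginServer()
    network = SslStripNetwork(server) if attacked else HonestNetwork(server)
    try:
        resp, indicator = Client(network, policy).fetch(f"http://{HOST}/account")
    except DowngradeRefused as exc:
        return {"refused": True, "reason": str(exc)}
    return {"refused": False, "scheme": resp.scheme,
            "indicator": indicator, "body": resp.body}


if __name__ == "__main__":
    for policy in ("opportunistic", "enforced"):
        for attacked in (False, True):
            print(policy, "attacked" if attacked else "honest", run(policy, attacked))
```

Under the opportunistic policy the attacked session ends up in plaintext with the login form now pointing at http://, while the toolbar shows exactly what it showed on the honest path, so neither the user nor the browser has anything to act on. The fail-closed policy turns the same attacker move into a visible error, which is the property an HTTPS-Everywhere rule set buys and the silent-fallback proposal gives away.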
