[HTTPS-Everywhere] The forthcoming Decentralized SSL Observatory

Peter Eckersley pde at eff.org
Wed Jul 6 16:56:23 PDT 2011


A major new feature just landed in the HTTPS Everywhere git master.  It offers
users the option of opting-in to use EFF's Decentralized SSL Observatory,
which anonymously collects X.509 certificates and will be able to warn users
about certain kinds of insecure certs and man-in-the-middle attacks in real
time.

The code in master is pre-release.  While it has been slightly tested, it
could theoretically contain all kinds of bugs and weirdnesses.  If you aren't
okay with that, and are running builds from git, please be careful turning
this feature on while it stabilises for a future development release.

ABOUT THE SSL OBSERVATORY

As some of you may know, EFF (working with iSec Partners and supported by the
NLNet Foundation) has had a project called the SSL Observatory to collect data
on the security of the X.509 certificates that authenticate parties in HTTPS
and other forms of SSL/TLS:

https://www.eff.org/observatory

That project used centralised scanning of IPv4 address spaces to look for
man-in-the-middle attacks, insecure certificates, and noteworthy practices by
Certificate Authorities.

ABOUT THE DECENTRALIZED OBSERVATORY

For several reasons, we believe we can better detect and protect against
attacks if we see the certificates that are actually shown to browsers in the
real world in addition to the ones we can see by port scanning from a data
center.

We have been working with the Tor Project to build a client that will send
anonymized submissions of certs to a database where we can examine them for
signs of various vulnerabilities, and make them available to the security
community for research.  This feature is opt-in, and if you have Tor/Tor
Button installed, it will use that to perform comparatively strong
anonymization.  The design docs for this feature are here:

https://trac.torproject.org/projects/tor/wiki/doc/HTTPSEverywhere/SSLObservatorySubmission
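To make the two kinds of warning mentioned above concrete, here is an added illustration (not code from HTTPS Everywhere, the Observatory, or the design docs): a client reduces each observed leaf to a record keyed on the certificate rather than the user, and an in-memory stand-in for the database flags a weak RSA key or a leaf that matches none of the certificates other submitters reported for the same host. The Observation shape, the Observatory map, the 2048-bit threshold and the self-signed test certificates are all assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)
// Observation is the reduced record a client would submit per handshake (assumed shape, not the real format).
// Fingerprint is the SHA-256 of the DER leaf: the database keys on the certificate, never on the user.
type Observation struct{ Host, Issuer string; Fingerprint [32]byte; RSABits int }
// Observe reduces a DER leaf certificate to the fields the database keys on.
func Observe(host string, der []byte) (Observation, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil { return Observation{}, err }
	o := Observation{Host: host, Issuer: cert.Issuer.CommonName, Fingerprint: sha256.Sum256(der)}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		o.RSABits = pub.N.BitLen()
	}
	return o, nil
}
// Observatory stands in for the central database: host -> fingerprint of every leaf submitted for it.
type Observatory map[string][][32]byte
// Submit records a sighting and returns the warnings a client could be shown: a weak key, or a
// leaf matching none of the certificates other submitters reported for the same host.
func (ob Observatory) Submit(o Observation) []string {
	var warns []string
	if o.RSABits > 0 && o.RSABits < 2048 {
		warns = append(warns, fmt.Sprintf("weak %d-bit RSA key", o.RSABits))
	}
	if prev := ob[o.Host]; len(prev) > 0 && !slices.Contains(prev, o.Fingerprint) {
		warns = append(warns, "certificate differs from those other clients saw for this host")
	}
	ob[o.Host] = append(ob[o.Host], o.Fingerprint)
	return warns
}
// selfSignedDER mints a self-signed test certificate (constructed sample input, not a real site's cert).
func selfSignedDER(cn string, bits int) []byte {
	key, _ := rsa.GenerateKey(rand.Reader, bits)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}
```

A real deployment would also record who signed the leaf and how often each fingerprint was seen, so that a single anomalous sighting is weighed against the consensus rather than treated as proof of an attack.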


-- 
Peter Eckersley                            pde at eff.org
Senior Staff Technologist         Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993