[HTTPS-Everywhere] Distributed Observatory detecting "bad" certificates

[Ondrej Mikle]

Hello,

I'd like to ask about (planned) feature of HTTPS Everywhere described here for
some time:

https://trac.torproject.org/projects/tor/wiki/doc/HTTPSEverywhere/SSLObservatorySubmission

It mentions that it should be able at some point "lets us warn you about
insecure connections or attacks on your browser". The DB schema outlined in the
torproject page contains fields like 'known_bad' or 'bad_cert_id'.

Though I haven't found a mention how the "bad" certificates are supposed to be
detected. I haven't seen any mention in any document or the mailinglist how it's
supposed to be implemented.


Some of the well-known methods I recollect:

- Perspectives (though doesn't work well with CDN hidden behind single IP)
- Convergence - similar problem with CDN hosts, solution is "if we ever had seen
that cert fingerprint for the given host, then it's good; false alarm when not
known"
- Certificate Patrol - does some heuristics based on when cert expires, checks
whether the CA is the same (char-by-char issuer comparison). It will get
confused in case when some hosts of a CDN have cert issued by different CA
(recent Facebook test cert signed by Verisign)
- separating CAs by country they should issue certs for (obviously deciding
between giants like Verising and GTE Cyber Trust is not of much use). Is there
any list of browser-trusted CA roots mapping CAs to countries they should issue
certs for? (I know EFF has list of countries with CAs, but no the actual map)
- CA/cert pinning - Chrome browser for selected Google services; (and DANE
perhaps years later)
- deriving issuing CAs for hosts from history (i.e. writing rulesets)

Note: there are at least hundreds CDN hosts serving different certs from behind
proxy with same IP/hostname


Out of curiosity: how many unique certs have been collected so far by
submissions from 2.0.devel version of HTTPS Everywhere?

Regards,
  Ondrej Mikle