[HTTPS-Everywhere] Distributed Observatory detecting "bad" certificates
Peter Eckersley
pde at eff.org
Thu Oct 20 16:02:22 PDT 2011
On Tue, Oct 11, 2011 at 11:31:48PM +0200, Ondrej Mikle wrote:
> Hello,
>
> I'd like to ask about (planned) feature of HTTPS Everywhere described here for
> some time:
>
> https://trac.torproject.org/projects/tor/wiki/doc/HTTPSEverywhere/SSLObservatorySubmission
>
> It mentions that it should be able at some point "lets us warn you about
> insecure connections or attacks on your browser". The DB schema outlined in the
> torproject page contains fields like 'known_bad' or 'bad_cert_id'.
>
> Though I haven't found a mention of how the "bad" certificates are supposed to be
> detected. I haven't seen any mention in any document or the mailing list how it's
> supposed to be implemented.
The first things we're implementing are automatic flagging of certs with
known private keys as "bad", and human-in-the-loop examination of
domains for which multiple CAs are issuing certs.
>
> Out of curiosity: how many unique certs have been collected so far by
> submissions from 2.0.devel version of HTTPS Everywhere?
About 35K unique certs from ~6M submissions. This is pretty good considering
that only people running the development branch with Torbutton installed
currently get the popup offering to turn it on.
--
Peter Eckersley pde at eff.org
Technology Projects Director Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993
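The two checks Peter describes, automatic flagging of certificates whose private key is publicly known and queueing domains seen with more than one issuing CA for human review, as an added example that is not part of this thread or of the EFF's Observatory code. The submission records, the SPKI byte strings and the "known private key" fingerprint set are all constructed stand-ins; a real pipeline would hash the SubjectPublicKeyInfo parsed from submitted DER certificates.

```python
import hashlib
from collections import defaultdict

# Constructed observatory-style submissions: (domain, issuer CA, SPKI bytes).
# Real submissions carry the full DER certificate; the SPKI here is a stand-in.
SUBMISSIONS = [
    ("example.com", "CA Alpha", b"spki-example-com-key-1"),
    ("example.com", "CA Alpha", b"spki-example-com-key-1"),    # repeat submission
    ("example.com", "CA Beta", b"spki-example-com-key-2"),     # second issuer, same name
    ("mail.example.net", "CA Alpha", b"spki-shared-weak-key"),
    ("shop.example.org", "CA Gamma", b"spki-shared-weak-key"),  # same key as above
    ("login.example.org", "CA Gamma", b"spki-login-key"),
]


def spki_fingerprint(spki: bytes) -> str:
    """SHA-256 over the (constructed) SubjectPublicKeyInfo bytes."""
    return hashlib.sha256(spki).hexdigest()


# Hypothetical set of SPKI fingerprints whose private keys are publicly known
# (e.g. keys shipped in appliance firmware). Constructed for this example.
KNOWN_PRIVATE_KEYS = {spki_fingerprint(b"spki-shared-weak-key")}


def unique_certs(submissions):
    """Collapse repeat submissions into unique (domain, issuer, fingerprint) tuples."""
    return sorted({(d, i, spki_fingerprint(s)) for d, i, s in submissions})


def flag_known_private_keys(submissions, known_keys):
    """Automatic check: any cert whose key is on the known-private-key list is 'bad'.

    Returns the unique (domain, issuer, fingerprint) tuples that match.
    """
    return [c for c in unique_certs(submissions) if c[2] in known_keys]


def domains_with_multiple_cas(submissions):
    """Review queue: domains for which more than one CA has issued a cert.

    Returns {domain: sorted issuer names} for those domains only. Multiple
    issuers can be legitimate (CA migration, load-balancer pools), so this
    feeds a human, not an automatic block.
    """
    issuers = defaultdict(set)
    for domain, issuer, _fingerprint in unique_certs(submissions):
        issuers[domain].add(issuer)
    return {d: sorted(cas) for d, cas in issuers.items() if len(cas) > 1}


def triage(submissions, known_keys):
    """Split observations into automatically flagged certs and review candidates."""
    return {
        "known_bad": flag_known_private_keys(submissions, known_keys),
        "needs_review": domains_with_multiple_cas(submissions),
    }


if __name__ == "__main__":
    result = triage(SUBMISSIONS, KNOWN_PRIVATE_KEYS)
    print("unique certs:", len(unique_certs(SUBMISSIONS)))
    for domain, issuer, fp in result["known_bad"]:
        print(f"KNOWN BAD  {domain} (issuer {issuer}) key {fp[:16]}...")
    for domain, cas in result["needs_review"].items():
        print(f"REVIEW     {domain} issued by {', '.join(cas)}")
```

Deduplicating before counting matters: the repeated `example.com` submission would otherwise inflate the unique-cert figure, and the multi-CA check is keyed on distinct issuers rather than on how many clients happened to report each one.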