[HTTPS-Everywhere] HTTPS Everywhere makes interception easier.

John Nagle nagle at sitetruth.com
Thu Dec 4 12:29:54 PST 2014


    "HTTPS Everywhere" forces some changes in the way the Web works that
reduce security.  It creates the illusion of security, not the reality.
While it seems a good concept, there's a dark side.

    Here's the problem. If everything is encrypted end to end, caching
by ISPs and content delivery networks won't work.  Those services
are needed to make high-traffic sites work effectively.
For those services to continue to work, they have to break the security,
act as a man-in-the-middle, decrypt the content, cache it, and use
deceptive SSL certificates to re-encrypt it. That's what they're doing.

    The largest content delivery networks which act as a
man-in-the-middle are Cloudflare, Incapsula, and Edgecast.  Security
from browser to site ends at the CDN's servers. Data is in
the clear at the CDN, and may be in the clear between the CDN
and the host server, even if the connection from user to CDN
is encrypted.  Cloudflare calls this "Flexible SSL".

    We have a white paper on this, "Who am I Talking To?
Ambiguities in secure certificates for web commerce":

http://john-nagle.github.io/certscan/whoamitalkingto04.pdf

This has names and numbers for MITM sites, obtained from a scan
of all SSL certificates on the Web.

    Cloudflare alone has over 36,000 domains for which Cloudflare
holds the SSL keys. This centralizes interception and makes it
easier.  Cloudflare, Inc. is fighting Government gag orders, and
their CEO is angry about it.
(http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/12/cloudflare-ceo-says-insane-nsa-gag-order-is-costing-u-s-tech-firms-customers/)
So we have to assume they're being forced to help with interception.

    As with most security theater, overdoing security leads to
workarounds which, in the end, result in less security.

			John Nagle
			SiteTruth
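
One way to check whether the certificate a site presents is a shared one issued to a CDN rather than to the site, which is the situation the message describes. This is an added example, not code from the original message or the white paper. The suffix list, the sample certificate and the two-label domain rule are assumptions constructed for illustration.

```python
# Added example: who else shares this certificate? The input is the dict
# form returned by ssl.SSLSocket.getpeercert().

# Assumption: illustrative name suffixes for CDN-held certificates.
CDN_SUFFIXES = {"cloudflaressl.com": "Cloudflare",
                "incapsula.com": "Incapsula",
                "edgecastcdn.net": "Edgecast"}

# Constructed sample of a shared CDN certificate (not real scan data).
SAMPLE_CERT = {
    "subject": ((("commonName", "sni00000.cloudflaressl.com"),),),
    "subjectAltName": (("DNS", "sni00000.cloudflaressl.com"),
                       ("DNS", "shop.example"), ("DNS", "*.shop.example"),
                       ("DNS", "blog.example.org"), ("DNS", "forum.example.net")),
}

def san_dns_names(cert):
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def subject_cn(cert):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value.lower()
    return ""

def base_domain(name):
    # Simplification: last two labels. A real scan needs the Public Suffix List.
    return ".".join(name.lstrip("*.").split(".")[-2:])

def matches(pattern, host):
    # A wildcard covers exactly one leftmost label.
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def assess(cert, site):
    names, cn = san_dns_names(cert), subject_cn(cert)
    operator = next((op for suffix, op in CDN_SUFFIXES.items()
                     if any(n == suffix or n.endswith("." + suffix)
                            for n in names + [cn])), None)
    unrelated = {base_domain(n) for n in names} - {base_domain(site), base_domain(cn)}
    return {"site_covered": any(matches(n, site) for n in names),
            "operator": operator,              # who the certificate was issued to
            "unrelated_domains": sorted(unrelated)}  # other sites on the same key

if __name__ == "__main__":
    print(assess(SAMPLE_CERT, "shop.example"))
```

A non-empty `operator` or `unrelated_domains` means the private key for the connection is held by a party other than the site named in the address bar.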