[HTTPS-Everywhere] HTTPS Everywhere makes interception easier.

Maxim Nazarenko nz.phone at mail.ru
Fri Dec 5 04:44:05 PST 2014


Hello,

I am no security expert, but I fail to see how encrypting traffic
between one's browser and CDN servers could possibly decrease
security. A website using a CDN already trusts it, no matter what
protocol is used. HTTPS can't make the situation any worse than it
already is.

Best regards,
Maxim Nazarenko

On 4 December 2014 at 23:29, John Nagle <nagle at sitetruth.com> wrote:
>    "HTTPS Everywhere" forces some changes in the way the Web works that
> reduce security.  It creates the illusion of security, not the reality.
> While it seems a good concept, there's a dark side.
>
>    Here's the problem. If everything is encrypted end to end, caching
> by ISPs and content delivery networks won't work.  Those services
> are needed to make high-traffic sites work effectively.
> For those services to continue to work, they have to break the security,
> act as a man-in-the-middle, decrypt the content, cache it, and use
> deceptive SSL certificates to re-encrypt it. That's what they're doing.
>
>    The largest content delivery networks which act as a
> man-in-the-middle are Cloudflare, Incapsula, and Edgecast.  Security
> from browser to site ends at the CDN's servers. Data is in
> the clear at the CDN, and may be in the clear between the CDN
> and the host server, even if the connection from user to CDN
> is encrypted.  Cloudflare calls this "Flexible SSL".
>
>    We have a white paper on this, "Who am I Talking To?
> Ambiguities in secure certificates for web commerce":
>
> http://john-nagle.github.io/certscan/whoamitalkingto04.pdf
>
> This has names and numbers for MITM sites, obtained from a scan
> of all SSL certificates on the Web.
>
>    Cloudflare alone has over 36,000 domains for which Cloudflare
> holds the SSL keys. This centralizes interception and makes it
> easier.  Cloudflare, Inc. is fighting Government gag orders, and
> their CEO is angry about it.
> (http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/12/cloudflare-ceo-says-insane-nsa-gag-order-is-costing-u-s-tech-firms-customers/)
> So we have to assume they're being forced to help with interception.
>
>    As with most security theater, overdoing security leads to
> workarounds which, in the end, result in less security.
>
>                         John Nagle
>                         SiteTruth
>
> _______________________________________________
> HTTPS-Everywhere mailing list
> HTTPS-Everywhere at lists.eff.org
> https://lists.eff.org/mailman/listinfo/https-everywhere

