[HTTPS-Everywhere] what can we do to help protect against MITM attacks?

yan yan at mit.edu
Sat Oct 11 15:08:14 PDT 2014


Great question! Some ideas:

1. Inject HSTS headers on some sites that we are enforcing HTTPS on so
that Chrome and Firefox will hard-fail when TLS cert validation fails
(meaning you can't click through the cert warning). This would have been
useful in the recent attacks from China against Hong Kong, since the
forged certs were self-signed [1,2].

2. Site owners should be able to request reports of the valid cert
chains observed for their site by SSL Observatory. They can then tell
EFF which of those chains are fraudulent if any. Then if any of the
fraudulent chains are observed in the wild, SSL Observatory can pop up a
warning to the user. (This is similar to pinning with a blacklist
instead of whitelist, but site owners are often reluctant to roll out
pinning until they can be sure that it won't break their site. It might
be useful for them to try out this pseudo-pinning mechanism on HTTPS
Everywhere users first.)

3. Certificate Transparency [3] is about to be required in Chrome for
all Extended Validation certs. The problem is that some sites don't use
EV certs but would still like their users to have the benefits of CT if
they are attacked. So if a site owner promises EFF to submit all of
their certs to a CT log, HTTPS Everywhere can enforce CT for all of
their certs, not just EV ones.


[1] http://www.netresec.com/?page=Blog&month=2014-09&post=Analysis-of-Chinese-MITM-on-Google
[2] http://www.netresec.com/?page=Blog&month=2014-10&post=Verifying-Chinese-MITM-of-Yahoo
[3] http://www.certificate-transparency.org/

On 10/10/2014 10:52 PM, Vijay P wrote:
> Related to this article:
> http://arstechnica.com/security/2013/11/repeated-attacks-hijack-huge-chunks-of-internet-traffic-researchers-warn/
> 
> Are there things (e.g. cert pinning) that we can help with in the
> extension that we're not already doing?
> 
> Vijay
> _______________________________________________
> HTTPS-Everywhere mailing list
> HTTPS-Everywhere at lists.eff.org
> https://lists.eff.org/mailman/listinfo/https-everywhere
> 
