[HTTPS-Everywhere] Intercepting proxy - Does SSL Observatory work?

Maciej Soltysiak maciej at soltysiak.com
Tue May 23 13:14:26 PDT 2017


Hi Seth, Jacob,

I'll explain my stance here. I am in the pilot because I'm curious about
self-defense in such situations. I realize close to 100% of the userbase will
have their endpoints controlled to the extent that they will not be able to do
much about it.

My curiosity here is: am I still able to detect eavesdropping or have I
lost the game?

On Tue, May 23, 2017 at 6:59 PM, Seth David Schoen <schoen at eff.org> wrote:

> If HTTPS Everywhere did try to warn about every apparently-misissued
> certificate from a non-publicly-trusted root, it would have to warn about
> _every_ certificate from such roots, which means every user whose browser
> had added a root certificate would receive a warning about every site
> (even internal organizational sites, where the certificates are not, in
> fact, misissued or intended to facilitate interception).  I'm not sure
> this feature would be very useful, but if you think that's what users may
> expect, we could consider changing how the options are described within
> the user interface.
>
Right, that is a valid concern. Maybe I was naive, but I was thinking that if
I'm a user under corporate surveillance I either:
a) connect to services legitimately set up by the company, where DNS names
wouldn't be public and you wouldn't have a publicly visible website with a
certificate on it
b) connect to services in the wild internet, where a trusted 3rd party
(observatory) could be checked for a second opinion.

In case of a) I wouldn't get a warning (nothing to compare to)
In case of b) I would get a valid warning.

Right now I can do it manually.
Check the issuer certificate. If it's the well-known corporate host, it's
doing MITM. If not, it's very likely to be authentic.
I was expecting SSL Observatory to do this check and say yes or no.

Maybe I'm missing something?

Best regards,
Maciej
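
The manual issuer check and the a)/b) cases from this message, written out as an added example; it is not part of the original e-mail and is not HTTPS Everywhere or SSL Observatory code. It assumes certificates in the dict form returned by Python's `ssl` `getpeercert()`; the hostnames, issuer names and the "publicly observed" table are constructed sample data, and `issuer_field` and `classify` are hypothetical helper names.

```python
# Added example: decision logic over ssl.getpeercert()-style dicts.
# All names and tables below are constructed sample data, not real observations.

def issuer_field(cert, field="organizationName"):
    """Return one attribute of the issuer DN from a getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None

def classify(hostname, cert, corporate_issuers, publicly_observed):
    """
    corporate_issuers: issuer organizations of the locally installed proxy CA(s)
    publicly_observed: hostname -> set of issuer organizations seen from outside
                       (assumed stand-in for a third-party second opinion)
    """
    issuer = issuer_field(cert)
    seen = publicly_observed.get(hostname)
    if seen is None:
        # Case a): no public view of this name, so nothing to compare to.
        return "no-comparison"
    if issuer in seen:
        return "consistent"
    if issuer in corporate_issuers:
        # Case b): public site, but the chain is issued by the corporate proxy CA.
        return "intercepted-by-known-proxy"
    return "mismatch-unknown-issuer"

def sample_cert(org):
    """Build a constructed certificate dict with the given issuer organization."""
    return {"issuer": ((("countryName", "US"),),
                       (("organizationName", org),),
                       (("commonName", org + " Root"),))}

CORPORATE = {"Example Corp Web Proxy CA"}           # constructed
OBSERVED = {"www.example.org": {"Public CA One"}}   # constructed

if __name__ == "__main__":
    cases = [("intranet.corp.example", "Example Corp Web Proxy CA"),
             ("www.example.org", "Example Corp Web Proxy CA"),
             ("www.example.org", "Public CA One"),
             ("www.example.org", "Some Other CA")]
    for host, org in cases:
        print(host, org, "->", classify(host, sample_cert(org), CORPORATE, OBSERVED))
```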