[HTTPS-Everywhere] Intercepting proxy - Does SSL Observatory work?
Maciej Soltysiak
maciej at soltysiak.com
Tue May 23 13:14:26 PDT 2017
Hi Seth, Jacob,

I'll explain my stance here. I am in the pilot because I'm curious about self defense in such situations. I realize close to 100% of the user base will have their endpoints controlled to the extent that they will not be able to do much about it.

My curiosity here is: am I still able to detect eavesdropping or have I lost the game?
On Tue, May 23, 2017 at 6:59 PM, Seth David Schoen <schoen at eff.org> wrote:
> If HTTPS Everywhere did try to warn about every apparently-misissued
> certificate from a non-publicly-trusted root, it would have to warn about
> _every_ certificate from such roots, which means every user whose browser
> had added a root certificate would receive a warning about every site
> (even internal organizational sites, where the certificates are not, in
> fact, misissued or intended to facilitate interception). I'm not sure
> this feature would be very useful, but if you think that's what users may
> expect, we could consider changing how the options are described within
> the user interface.
>
Right, that is a valid concern. Maybe I was naive, but I was thinking that if I'm a user under corporate surveillance I either:

a) connect to services legitimately set up by the company, where DNS names wouldn't be public and you wouldn't have a publicly visible website with a certificate on it
b) connect to services on the wild internet, where a trusted 3rd party (observatory) could be checked for a second opinion.

In case of a) I wouldn't get a warning (nothing to compare to).
In case of b) I would get a valid warning.
Right now I can do it manually. Check the issuer certificate. If it's the well-known corporate host, it's doing MITM. If not, it's very likely to be authentic.

I was expecting SSL Observatory to do this check and say yes or no. Maybe I'm missing something?
Best regards,
Maciej
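As an added example, not part of the original thread and not code from HTTPS Everywhere or the SSL Observatory, the following Python sketches the check described above as a decision function: it compares the fingerprint of the certificate the client actually received against what an independent observer has recorded for the same hostname, and separates the two cases from the message (internal-only names with nothing to compare to, versus public sites where a mismatch is meaningful) together with the caveat that a locally installed root alone is not evidence of interception. The certificate bytes, issuer names, hostnames and observatory records are all constructed sample data; the observatory itself is modelled as a plain dictionary rather than a real service.

```python
# Added example: a "second opinion" check for a received TLS certificate.
# All certificates, issuers, hostnames and observatory records are constructed.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedCert:
    hostname: str   # name the client connected to
    der: bytes      # DER bytes of the leaf certificate (constructed here)
    issuer: str     # issuer DN of the leaf, as the browser would display it


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der).hexdigest()


# Constructed observatory data: hostname -> fingerprints seen for that host
# from vantage points outside the corporate network.
OBSERVATORY = {
    "www.example.org": {fingerprint(b"constructed-leaf-example-org-v1")},
    "mail.example.net": {fingerprint(b"constructed-leaf-example-net-v3")},
}

# Issuer names of roots the user knows were added locally (e.g. by the
# employer). Constructed; a real check would read them from the trust store.
LOCAL_ISSUERS = frozenset({"CN=Corp Interception CA, O=Example Corp"})


def assess(cert: ObservedCert, observatory: dict, local_issuers: frozenset) -> str:
    """Classify a received certificate.

    Returns one of:
      "matches-observatory"     - same cert that outside observers see
      "interception-suspected"  - public site, cert differs, locally added issuer
      "mismatch-public-root"    - cert differs but chains publicly (rotation? stale data?)
      "no-reference"            - nothing to compare to (internal site or never observed)
    """
    fp = fingerprint(cert.der)
    seen = observatory.get(cert.hostname)
    local_root = cert.issuer in local_issuers

    if seen is None:
        # Case a) from the message: an internal hostname has no public record,
        # so there is no basis for a warning, even if the issuer is local.
        return "no-reference"
    if fp in seen:
        return "matches-observatory"
    # Case b): a public site whose certificate differs from the outside view.
    return "interception-suspected" if local_root else "mismatch-public-root"


if __name__ == "__main__":
    samples = [
        ObservedCert("www.example.org", b"constructed-leaf-example-org-v1",
                     "CN=Public CA R3, O=Public CA"),
        ObservedCert("www.example.org", b"constructed-leaf-proxy-reissued",
                     "CN=Corp Interception CA, O=Example Corp"),
        ObservedCert("intranet.corp.example", b"constructed-leaf-intranet",
                     "CN=Corp Interception CA, O=Example Corp"),
        ObservedCert("mail.example.net", b"constructed-leaf-example-net-v4",
                     "CN=Public CA R3, O=Public CA"),
    ]
    for s in samples:
        print(f"{s.hostname:24} {assess(s, OBSERVATORY, LOCAL_ISSUERS)}")
```

Two practical notes on the design: a leaf-fingerprint comparison flags every legitimate certificate rotation until the reference data catches up, which is why the function reports that case separately from a locally issued replacement; and the "no-reference" outcome is exactly the gap Seth describes, since a never-observed public site and an internal site look the same to this check.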