<div dir="ltr">Hi Seth, Jacob,<br><div class="gmail_extra"><br></div><div class="gmail_extra">I'll explain my stance here. I am in the pilot because I'm curious about self<br>defense in such situations. I realize close to 100% of userbase will have their<br>endpoints controlled to the extent that they will not be able to do much about it.<br></div><div class="gmail_extra"><br>My curiosity here is: am I still able to detect eavesdropping or have I lost the game?<br><br><div class="gmail_quote">On Tue, May 23, 2017 at 6:59 PM, Seth David Schoen <span dir="ltr"><<a href="mailto:schoen@eff.org" target="_blank">schoen@eff.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
If HTTPS Everywhere did try to warn about every apparently-misissued<br>
certificate from a non-publicly-trusted root, it would have to warn about<br>
_every_ certificate from such roots, which means every user whose browser<br>
had added a root certificate would receive a warning about every site<br>
(even internal organizational sites, where the certificates are not, in<br>
fact, misissued or intended to facilitate interception). I'm not sure<br>
this feature would be very useful, but if you think that's what users may<br>
expect, we could consider changing how the options are described within<br>
the user interface.<span class="gmail-HOEnZb"><font color="#888888"><br></font></span></blockquote><div>Right, that is a valid concern. Maybe I was naive, but I was thinking that if<br></div><div>I'm a user under corporate surveillance I either:<br></div><div>a) connect to services legitimately setup by the company, where DNS names<br></div><div>wouldn't be public and you wouldn't have a publicly visible website with a certificate<br></div><div>on it<br></div><div>b) connect to services in the wild internet, where a trusted 3rd party (observatory)<br></div><div>could be checked for a second opinion.<br><br></div><div>In case of a) I wouldn't get a warning (nothing to compare to)<br></div><div>In case of b) I would get a valid warning.<br><br></div><div>Right now I can do it manually.<br></div><div>Check the issuer certificate. If it's the well known corporate host, it's doing MITM.<br></div><div>If not, it's very likely to be authentic. <br></div><div>I was expecting ssl observatory to do this check and say yes or no.<br><br></div><div>Maybe I'm missing something?<br></div><div></div><br><div>Best regards,<br></div><div>Maciej<br><br></div></div></div></div>