[sudoroom] SSL Observatory

Eddan Katz eddan at eddan.com
Thu Dec 20 23:24:14 CET 2012


Following up on the conversation last night about door security that 
turned out to be about SSL and Certificate Authorities, I had mentioned 
EFF's SSL Observatory Project (https://www.eff.org/observatory). A blurb 
from the project description is below. If you want to join the mailing 
list discussion of the project, that's at 
https://mail1.eff.org/mailman/listinfo/observatory.


    The EFF SSL Observatory is a project to investigate the certificates
    used to secure all of the sites encrypted with HTTPS on the Web. We
    have downloaded datasets of all of the publicly-visible SSL
    certificates on the IPv4 Internet, in order to search for
    vulnerabilities, document the practices of Certificate Authorities,
    and aid researchers interested in the web's encryption infrastructure.

    ...

    We are particularly concerned about the role and practices of
    Certificate Authorities (CAs), which are the organizations that can
    sign cryptographic certificates trusted by browsers. These
    certificates can contain statements like, "this public key belongs
    to EFF.org", "this public key belongs to yahoo.com, paypal.com and
    mozilla.com", or "this public key should be trusted to also act as a
    CA, signing certificates for other domains".

    Browsers trust a very large number of these CAs, and unfortunately,
    the security of HTTPS is only as strong as the practices of the
    least trustworthy/competent CA. Before publishing this data, we
    attempted to notify administrators of all sites observed vulnerable
    to the Debian weak key bug <http://wiki.debian.org/SSLkeys>; please
    let us know if your analysis reveals other classes of
    vulnerabilities so that we can notify affected parties.
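The three kinds of statements the blurb lists (a key bound to one name, a key bound to several names, a key allowed to act as a CA) are just X.509 fields, and a client's willingness to honour them is what makes the CA constraint matter. The following is an added example, not part of the original post or the EFF project's code: it issues constructed certificates with Go's crypto/x509 and checks that a client trusting only the root accepts the eff.org leaf for a name in its SAN list but refuses a paypal.com certificate signed by that leaf's CA:FALSE key. All names, keys and certificates here are generated on the spot for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue signs a certificate binding a fresh Ed25519 key to dns (self-signed when parent is nil); isCA sets basicConstraints CA:TRUE/FALSE.
func Issue(cn string, dns []string, isCA bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns, // the "this public key belongs to ..." statement (SAN extension)
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true, // the "may also act as a CA" statement
	}
	if parent == nil { // a root signs itself
		parent, pk = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainOK reports whether a client trusting only root accepts leaf for host when inter is presented with it.
func ChainOK(leaf, root *x509.Certificate, host string, inter ...*x509.Certificate) bool {
	roots, ip := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inter {
		ip.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: ip, DNSName: host})
	return err == nil // fails on an untrusted issuer, a CA:FALSE intermediate, or a host not in the SAN list
}

func main() {
	root, rootKey := Issue("Example Root CA", nil, true, nil, nil)
	leaf, leafKey := Issue("eff.org", []string{"eff.org", "www.eff.org"}, false, root, rootKey)
	rogue, _ := Issue("paypal.com", []string{"paypal.com"}, false, leaf, leafKey) // issued by a CA:FALSE cert
	fmt.Println(ChainOK(leaf, root, "www.eff.org"), ChainOK(rogue, root, "paypal.com", leaf)) // true false
}
```

The same check passes when the intermediate is issued with CA:TRUE, which is exactly why a CA that mis-issues a CA:TRUE certificate compromises every site a browser trusts it for.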

