Great question! Some ideas:

1. Inject HSTS headers on some sites that we are enforcing HTTPS on so that Chrome and Firefox will hard-fail when TLS cert validation fails (meaning you can't click through the cert warning). This would have been useful in the recent attacks from China against Hong Kong, since the forged certs were self-signed [1,2].

2. Site owners should be able to request reports of the valid cert chains observed for their site by SSL Observatory. They can then tell EFF which of those chains are fraudulent, if any. Then if any of the fraudulent chains are observed in the wild, SSL Observatory can pop up a warning to the user. (This is similar to pinning with a blacklist instead of a whitelist, but site owners are often reluctant to roll out pinning until they can be sure that it won't break their site. It might be useful for them to try out this pseudo-pinning mechanism on HTTPS Everywhere users first.)

3. Certificate Transparency [3] is about to be required in Chrome for all Extended Validation certs. The problem is that some sites don't use EV certs but would still like their users to have the benefits of CT if they are attacked. So if a site owner promises EFF to submit all of their certs to a CT log, HTTPS Everywhere can enforce CT for all of their certs, not just EV ones.

[1] http://www.netresec.com/?page=Blog&month=2014-09&post=Analysis-of-Chinese-MITM-on-Google
[2] http://www.netresec.com/?page=Blog&month=2014-10&post=Verifying-Chinese-MITM-of-Yahoo
[3] http://www.certificate-transparency.org/

On 10/10/2014 10:52 PM, Vijay P wrote:
> Related to this article:
> http://arstechnica.com/security/2013/11/repeated-attacks-hijack-huge-chunks-of-internet-traffic-researchers-warn/
>
> Are there things (e.g. cert pinning) that we can help with in the
> extension that we're not already doing?
>
> Vijay
> _______________________________________________
> HTTPS-Everywhere mailing list
> [email protected]
> https://lists.eff.org/mailman/listinfo/https-everywhere
