"HTTPS Everywhere" forces some changes in the way the Web works that reduce security. It creates the illusion of security, not the reality. While it seems a good concept, there's a dark side.

Here's the problem. If everything is encrypted end to end, caching by ISPs and content delivery networks won't work. Those services are needed to make high-traffic sites work effectively. For those services to continue to work, they have to break the security, act as a man-in-the-middle, decrypt the content, cache it, and use deceptive SSL certificates to re-encrypt it. That's what they're doing.

The largest content delivery networks which act as a man-in-the-middle are Cloudflare, Incapsula, and Edgecast. Security from browser to site ends at the CDN's servers. Data is in the clear at the CDN, and may be in the clear between the CDN and the host server, even if the connection from user to CDN is encrypted. Cloudflare calls this "Flexible SSL".

We have a white paper on this, "Who am I Talking To? Ambiguities in secure certificates for web commerce":

http://john-nagle.github.io/certscan/whoamitalkingto04.pdf

This has names and numbers for MITM sites, obtained from a scan of all SSL certificates on the Web. Cloudflare alone has over 36,000 domains for which Cloudflare holds the SSL keys. This centralizes interception and makes it easier.

Cloudflare, Inc. is fighting Government gag orders, and their CEO is angry about it. (http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/12/cloudflare-ceo-says-insane-nsa-gag-order-is-costing-u-s-tech-firms-customers/) So we have to assume they're being forced to help with interception.

As with most security theater, overdoing security leads to workarounds which, in the end, result in less security.

John Nagle
SiteTruth
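
As an added illustration (not part of the original message or the white paper's code), the sketch below shows one way a client-side check could flag a certificate that also covers unrelated domains, a sign that the TLS key is held by an intermediary rather than the site operator. It assumes the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`; the host names and sample certificates are constructed, and the two-label "base domain" rule is a simplification that ignores the public-suffix list.

```python
# Added example. Certificate dicts follow the shape of ssl.SSLSocket.getpeercert().

def base_domain(name):
    """Naive registrable domain: last two labels (assumption, no public-suffix list)."""
    labels = name.lower().lstrip("*.").rstrip(".").split(".")
    return ".".join(labels[-2:])

def san_dns_names(cert):
    """DNS entries from the subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def subject_field(cert, field):
    """First matching attribute (e.g. commonName) from the subject RDN sequence."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None

def shared_cert_report(cert, host):
    """Report which other base domains share the certificate presented for `host`."""
    domains = sorted({base_domain(n) for n in san_dns_names(cert)})
    host_domain = base_domain(host)
    others = [d for d in domains if d != host_domain]
    return {
        "subject_cn": subject_field(cert, "commonName"),
        "host_covered": host_domain in domains,
        "unrelated_domains": others,
        "shared": bool(others),
    }

# Constructed sample: one certificate covering an intermediary and two customers.
SAMPLE_SHARED = {
    "subject": ((("commonName", "shared-edge.cdn.example"),),),
    "subjectAltName": (
        ("DNS", "shared-edge.cdn.example"),
        ("DNS", "*.shop-a.example"), ("DNS", "shop-a.example"),
        ("DNS", "*.bank-b.example"), ("DNS", "bank-b.example"),
    ),
}
# Constructed sample: a certificate that names only the site itself.
SAMPLE_DEDICATED = {
    "subject": ((("commonName", "www.shop-c.example"),),),
    "subjectAltName": (("DNS", "www.shop-c.example"), ("DNS", "shop-c.example")),
}

if __name__ == "__main__":
    print(shared_cert_report(SAMPLE_SHARED, "www.shop-a.example"))
    print(shared_cert_report(SAMPLE_DEDICATED, "www.shop-c.example"))
```

A certificate that names only the site does not show that the site operator holds the key, so a negative result from this check is not evidence of end-to-end encryption.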
