Hi Seth, Jacob, I'll explain my stance here. I am in the pilot because I'm curious about self defense in such situations. I realize close to 100% of userbase will have their endpoints controlled to the extent that they will not be able to do much about it.
My curiosity here is: am I still able to detect eavesdropping, or have I lost the game?

On Tue, May 23, 2017 at 6:59 PM, Seth David Schoen <[email protected]> wrote:
> If HTTPS Everywhere did try to warn about every apparently-misissued
> certificate from a non-publicly-trusted root, it would have to warn about
> _every_ certificate from such roots, which means every user whose browser
> had added a root certificate would receive a warning about every site
> (even internal organizational sites, where the certificates are not, in
> fact, misissued or intended to facilitate interception). I'm not sure
> this feature would be very useful, but if you think that's what users may
> expect, we could consider changing how the options are described within
> the user interface.

Right, that is a valid concern. Maybe I was naive, but I was thinking that if I'm a user under corporate surveillance I either:

a) connect to services legitimately set up by the company, where DNS names wouldn't be public and you wouldn't have a publicly visible website with a certificate on it, or
b) connect to services on the wild internet, where a trusted third party (the observatory) could be checked for a second opinion.

In case a) I wouldn't get a warning (nothing to compare to). In case b) I would get a valid warning.

Right now I can do it manually. Check the issuer certificate. If it's the well-known corporate host, it's doing MITM. If not, it's very likely to be authentic. I was expecting the SSL Observatory to do this check and say yes or no. Maybe I'm missing something?

Best regards,
Maciej
_______________________________________________ HTTPS-Everywhere mailing list [email protected] https://lists.eff.org/mailman/listinfo/https-everywhere
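The manual check Maciej describes (is the chain anchored in the employer's root, and does an outside "second opinion" of the site's certificate agree?) written out as a decision procedure. This is an added example, not code from HTTPS Everywhere or the SSL Observatory. Certificates are modelled as (subject, issuer, fingerprint) records so it runs offline; the `Cert` class, the `classify` function, the corporate root fingerprints and the `observatory` table are all assumptions of this example, with constructed sample values. The `live_leaf` helper shows how the same inputs would be pulled from a real connection with the standard library and is not exercised here.

```python
"""Classify an observed TLS chain as corporate interception, an internal
service, or the genuine public certificate.

Added example (not HTTPS Everywhere / SSL Observatory code). Fingerprints and
the 'observatory' lookup table are constructed sample data.
"""
from dataclasses import dataclass
import hashlib
import socket
import ssl


@dataclass(frozen=True)
class Cert:
    subject: str       # e.g. "CN=www.example.org"
    issuer: str        # e.g. "CN=Example Corp Proxy CA"
    fingerprint: str   # hex SHA-256 of the DER encoding


# Verdicts returned by classify()
AUTHENTIC = "authentic"      # public root and leaf matches the outside view
INTERCEPTED = "intercepted"  # chain anchored in the employer's root for a public site
INTERNAL = "internal"        # employer's root, but no public record to compare with
MISMATCH = "mismatch"        # public root, leaf differs from outside view (rotation? pinning?)
UNKNOWN = "unknown"          # public root, no second opinion available


def fingerprint(der: bytes) -> str:
    """SHA-256 hex digest of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def anchored_in_corporate_root(chain, corporate_root_fps, corporate_issuer_names):
    """True if the trust anchor is one the employer installed, or the leaf's issuer
    is the well-known corporate CA name (the 'check the issuer' step in the mail)."""
    root = chain[-1]                  # chain is leaf-first, so the last entry is the anchor
    leaf = chain[0]
    return root.fingerprint in corporate_root_fps or leaf.issuer in corporate_issuer_names


def classify(hostname, chain, corporate_root_fps, corporate_issuer_names, observatory):
    """chain: leaf-first list of Cert as presented to the browser.
    observatory: dict hostname -> leaf fingerprint seen from outside the network
    (the 'second opinion'); a missing entry means the name is not publicly known."""
    if not chain:
        raise ValueError("empty chain")
    corporate = anchored_in_corporate_root(chain, corporate_root_fps, corporate_issuer_names)
    second_opinion = observatory.get(hostname)

    if second_opinion is None:
        # case (a) in the mail: nothing to compare against, so no warning
        return INTERNAL if corporate else UNKNOWN
    # case (b): the site is publicly visible, so a corporate issuer means MITM
    if corporate:
        return INTERCEPTED
    if chain[0].fingerprint != second_opinion:
        # Public root but a different leaf than the outside world sees. Could be a
        # fresh rotation or a multi-certificate deployment, so report rather than
        # declare interception outright.
        return MISMATCH
    return AUTHENTIC


def live_leaf(hostname, port=443, timeout=5.0):
    """Fetch (issuer, fingerprint) of the leaf actually presented to this client.
    Uses the system trust store, so a corporate root installed on the endpoint
    validates just as it would in the browser. Not run offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()   # parsed form; 'issuer' is a tuple of RDN tuples
    issuer = ", ".join("=".join(rdn[0]) for rdn in info["issuer"])
    return issuer, fingerprint(der)


# Constructed sample data (not real certificates or fingerprints)
CORP_CA = "CN=Example Corp Proxy CA"
CORP_ROOT = Cert(CORP_CA, CORP_CA, "aa" * 32)
PUBLIC_ROOT = Cert("CN=Public Root CA", "CN=Public Root CA", "bb" * 32)
CORPORATE_ROOT_FPS = {CORP_ROOT.fingerprint}
CORPORATE_ISSUERS = {CORP_CA}
OBSERVATORY = {"www.example.org": "cc" * 32}   # leaf the outside world sees

REAL_CHAIN = [Cert("CN=www.example.org", PUBLIC_ROOT.subject, "cc" * 32), PUBLIC_ROOT]
MITM_CHAIN = [Cert("CN=www.example.org", CORP_CA, "dd" * 32), CORP_ROOT]
INTRANET_CHAIN = [Cert("CN=wiki.corp.internal", CORP_CA, "ee" * 32), CORP_ROOT]
ROTATED_CHAIN = [Cert("CN=www.example.org", PUBLIC_ROOT.subject, "ff" * 32), PUBLIC_ROOT]


def verdict(hostname, chain):
    return classify(hostname, chain, CORPORATE_ROOT_FPS, CORPORATE_ISSUERS, OBSERVATORY)


if __name__ == "__main__":
    for name, chain in [("www.example.org", REAL_CHAIN), ("www.example.org", MITM_CHAIN),
                        ("wiki.corp.internal", INTRANET_CHAIN), ("www.example.org", ROTATED_CHAIN)]:
        print(name, chain[0].issuer, "->", verdict(name, chain))
```

The issuer-name test is the weak half of the check: a proxy can mint its intermediate under any name, so the fingerprint of the root the chain actually terminates in is the signal to rely on, and an external record of the leaf is what turns "not the corporate CA" into "matches what everyone else sees".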
