EFF builds system to warn of certificate breaches

With its distributed SSL Observatory, the Electronic Frontier Foundation hopes to detect compromised certificate authorities and warn users about attacks

The detection of rogue certificates has generally relied on luck. In the case of DigiNotar, intruders had control of systems for more than two months, and Google discovered the issue only because its Chrome browser includes hard-coded copies of its certificates and a user reported an attack. The Electronic Frontier Foundation, a digital rights group, aims to change all that with a new detection system.

The EFF, along with developers at the Tor Project and consulting firm iSec Partners, has updated its existing HTTPS Everywhere program with the ability to anonymously report every certificate encountered. The group will analyze the data so that it can detect any rogue certificates -- and by extension, compromised authorities -- its users encounter, says Peter Eckersley, technology projects director for the EFF.

"Even if there is an attack that, say, only happens in Syria, if someone in Syria has turned on the [feature] we'll get a copy of the certificate that has been used to attack them and we can study that," Eckersley says. "We will also be able to send back a warning to them, if we have been able to work out that it is an attack."

The feature builds upon the EFF's SSL Observatory project, which maps the web of SSL certificates that forms an online network of trust. The survey found that more than 650 organizations act as certificate authorities.

The SSL Observatory gathers data using a single vantage point on the Internet. The new feature, dubbed the decentralized SSL Observatory, allows every user of HTTPS Everywhere to act as an ad hoc sensor.
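The detection idea in the two paragraphs above is that many vantage points reporting the certificate they were shown for the same host name lets an analyst spot the one report that disagrees, and that a browser shipping hard-coded fingerprints for its own sites catches a mismatch even with a single report. The script below is an added illustration of that logic, not code from the EFF, HTTPS Everywhere or the Observatory; the observation format, the sensor names, the host names, the placeholder DER bytes and the `PINS` table are all constructed for the example.

```python
"""Toy consensus check over crowd-sourced certificate observations (added example)."""
from collections import Counter, defaultdict
import hashlib


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 hex digest of a certificate's DER encoding, the usual pinning identifier."""
    return hashlib.sha256(der_bytes).hexdigest()


# Constructed sample reports: each entry is what one sensor would submit for one
# handshake. The "der" values are placeholders standing in for real certificate bytes.
OBSERVATIONS = [
    {"host": "mail.example.net", "issuer": "Example Root CA", "der": b"mail-v1", "sensor": "s1"},
    {"host": "mail.example.net", "issuer": "Example Root CA", "der": b"mail-v1", "sensor": "s2"},
    {"host": "mail.example.net", "issuer": "Example Root CA", "der": b"mail-v1", "sensor": "s3"},
    {"host": "mail.example.net", "issuer": "Other Trusted CA", "der": b"mail-mitm", "sensor": "s4"},
    {"host": "shop.example.org", "issuer": "Example Root CA", "der": b"shop-v1", "sensor": "s1"},
    {"host": "shop.example.org", "issuer": "Example Root CA", "der": b"shop-v2", "sensor": "s2"},
    {"host": "shop.example.org", "issuer": "Example Root CA", "der": b"shop-v1", "sensor": "s3"},
    {"host": "pinned.example.com", "issuer": "Example Root CA", "der": b"pinned-v1", "sensor": "s1"},
    {"host": "pinned.example.com", "issuer": "Other Trusted CA", "der": b"pinned-fake", "sensor": "s2"},
]

# Hard-coded expected leaf fingerprints for a few hosts, in the spirit of a browser
# shipping copies of its own certificates. Constructed values.
PINS = {"pinned.example.com": {fingerprint(b"pinned-v1")}}


def group_by_host(observations):
    """Bucket reports by host name and attach the computed fingerprint to each."""
    by_host = defaultdict(list)
    for obs in observations:
        by_host[obs["host"]].append(dict(obs, fp=fingerprint(obs["der"])))
    return by_host


def find_anomalies(observations, pins, min_reports=3):
    """Return (host, fingerprint, issuer, reason) tuples that deserve a closer look.

    Reasons:
      pin_violation      observed leaf is not in the host's hard-coded pin set
      issuer_divergence  a minority fingerprint for the host was issued by a different
                         CA than the majority fingerprint (vantage points disagree on
                         which CA vouches for the name)
      rotation_candidate minority fingerprint from the same issuer as the majority;
                         most likely a renewal, low priority
    """
    anomalies = []
    for host, reports in group_by_host(observations).items():
        # A pin check needs no quorum: one mismatching report is enough to warn.
        if host in pins:
            for r in reports:
                if r["fp"] not in pins[host]:
                    anomalies.append((host, r["fp"], r["issuer"], "pin_violation"))
            continue
        if len(reports) < min_reports:
            continue  # too few vantage points to call anything a consensus
        counts = Counter(r["fp"] for r in reports)
        majority_fp, _ = counts.most_common(1)[0]
        majority_issuer = next(r["issuer"] for r in reports if r["fp"] == majority_fp)
        seen = set()
        for r in reports:
            if r["fp"] == majority_fp or r["fp"] in seen:
                continue
            seen.add(r["fp"])
            reason = "issuer_divergence" if r["issuer"] != majority_issuer else "rotation_candidate"
            anomalies.append((host, r["fp"], r["issuer"], reason))
    return anomalies


if __name__ == "__main__":
    for host, fp, issuer, reason in find_anomalies(OBSERVATIONS, PINS):
        print(f"{reason:18} {host:22} issuer={issuer!r} fp={fp[:16]}...")
```

Run as written, the script flags one certificate for `mail.example.net` (four sensors, one of them shown a leaf from a different CA), one for `shop.example.org` (same CA, different leaf, so only a rotation candidate) and one for `pinned.example.com` (pin mismatch). A real analysis pipeline would add time windows, a per-host history rather than a single snapshot, and a channel to send the warning back to the reporting sensor, which is the part of the design the article describes next.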

The EFF will not track users, and if the users have the Tor client installed, the program will use that network to send data anonymously.

"We don't want to know who you are or what sites you are looking at," Eckersley says. "We just want to know what certificates are out there … especially the ones that are being used for malicious purposes."

The EFF has soft-launched the feature, including it only in the development version of HTTPS Everywhere. While there are more than a million users of the production version, only 65,000 are using the development version and fewer than 10,000 have turned on the decentralized SSL Observatory, says Eckersley.

"Once it gets out of alpha, we will have a million people with the option on their browser," he says.

Meanwhile, the breach at DigiNotar and the failure of trust in the company's digital certificates came to a conclusion this week as DigiNotar filed for bankruptcy in Dutch court.

This story, "EFF builds system to warn of certificate breaches," was originally published at InfoWorld.com.

Copyright © 2011 IDG Communications, Inc.
