Of Flying Pigs and TOFU

So it looks like the Flying Pig Program has been forging digital certificates too. I hope nobody was surprised that a well-funded spy agency with unfettered access to the internet backbone would think to use the root CA attack vector. I’d be kind of surprised if they didn’t. In Web Server Authentication Is Still Broken, I …

Manually Verifying TLS Fingerprints

There are a few reasons your browser might present you with a warning like this: Usually it’s because the “secure” site you’re connecting to is presenting you with a certificate whose signature your browser doesn’t recognize. Unfortunately, because it happens so frequently, most people have been trained to find the “Confirm Security Exception” button as …

Web Server Authentication Is Still Broken

As mentioned in How Do You Know It’s Me?, HTTPS server authentication is only as strong as its weakest link, and in the name of convenience, web browsers today are subject to a staggering number of potentially-weak links. With a single signing key from any one of 650+ distinct organizations in the world, attackers can …

How Do You Know It’s Me?

By looking at your address bar right now, you can see that you’re communicating with this site using HTTPS, so the connection between us is encrypted. That ensures confidentiality between this server and your computer, but what about authenticity? Encryption doesn’t do you much good unless you know you’re communicating with the intended party. So …

Why Browsers Need Encrypted-Only Mode

Recently I had a conversation with my uncle about his lack of computer use. He told me he doesn’t get online much, doesn’t “have a Facebook”, and has only sent a dozen or so emails. Ever. I was impressed. By avoiding online activity, he’s managed to escape a lot of the high-tech threats many of …