Let's encrypt: Learn about what new tech projects EFF is working on

From DevSummit
Jump to: navigation, search

EFF’s Let’s Encrypt

  • 1. New SSL Certificate Authority - joint venture with EFF, Mozilla, and others - give away free SSL certificates to those who request them
  • 2. New protocol called ACME, automated certificate management environment (client and server) https://github.com/letsencrypt/acme-spec
  • Allows easy and automatic request and setup of SSL certificates when setting up a server
  • Automatically configures HSTS (strict transport security) header that comes with response directing client to only use https, perfect forward secrecy, disabling SSLv3 (an older version with a security vulnerability), marking cookies as secure to encrypt them, etc
  • Announced yesterday, and released developer version, full release in 2015
  • There are still a lot of problems with the Certificate Authority system, but EFF feels that everyone having SSL certs is better than not

Certificate transparency

  • audit-able logs and provably not edited logs of every certificate that’s been issues (example if they issue a certificate for google.com, there’s obviously a big problem)
  • Who’s funding the (very expensive) annual CA auditing — the non-profit, who charges for organizations to get a seat on the board
  • To use this tool, it currently requires
    • using the ACME protocol
    • having ssh access to your server to use the command line tool
  • Concerns from other parties:
    • this will be used by malware sites to get ssl certificates. (EFF says that is if this helps more sites get SSL certificates, it will be harder for many malware distribution vectors over regular http)
    • creates a single point of failure (through this is true for every certificate authority, they are their own central point of failure)
    • the certificate system is broken, why “prop it up?” (it’s what we have, so we make it better, until we have a viable alternative)

Suggestions from participants

  • decouple getting a certificate, so that you don’t have to use the command line acme tool
  • create a front-end tool, in additional to command line, that can be used through cpanel/Plesk
  • this project needs swag (stickers, t-shirts, etc)

Review of a couple browser privacy tools

  • Ghostery works but 1) has blocking off by default and 2) sells your data to advertisers if you enable GhostRank
  • Privacy Badger is a great alternative from the EFF that 1) doesn’t use a blacklist, but tries to heuristically detect which third party services to block and 2) is open source and doesn’t collect data about you
  • Help develop privacy badger!
  • Panopticlick
    • shows you how uniquely identifiable you are, based on metrics like

user agent, time zone, window size, etc

    • corporations use this to uniquely identify you
  • HTTPS Everywhere
  • StartTLS Everywhere
    • goal to use email servers encrypting their connections to other email servers