[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] How evil is TLS cert collection?

On Sun, Mar 20, 2011 at 5:58 PM, Mike Perry <mikeperry@xxxxxxxxxx> wrote:
> I've spent some time working with the EFF recently to build a
> distributed version of the SSL Observatory
> (https://www.eff.org/observatory) to be included with HTTPS
> Everywhere. The draft API and design sketch is here:
> https://trac.torproject.org/projects/tor/wiki/HTTPSEverywhere/SSLObservatorySubmission


> The brief summary is that it will be submitting rare TLS certificates
> through Tor to EFF for analysis and storage. We will also leverage the
> database of certificates to provide notification in the event of
> targeted MITM attacks**.
> I am trying to decide if this is a bad thing to enable by default for
> users.

if EFF was presented with a national security letter or other legal
demand under seal demanding the existence of a given certificate not
be exposed, would they be bound to not present a MITM alert for that

(said another way, could this potentially be a false sense of
security, if all trust for anomaly notification was placed in the EFF
tor-talk mailing list