HTTPS is finally getting adopted all over the place – including Gmail, Twitter, Facebook, Google Search, and Wikipedia – as people realize that packet sniffing is easy and credit cards aren’t the only sensitive information we send over the Internet. At the same time, a new series of attacks and scandals has shown that TLS is rather fragile. SSL stripping lets attackers bypass sites’ HTTPS-only policies; a series of scandals over the past two years has renewed skepticism of certificate authorities’ role and the security of the global public-key infrastructure. More and more people are wondering who those strange organizations are, what they’re doing in our browsers, whether anyone knows if they’re doing a good job, and even how to pronounce some of their names. And recent evidence suggests some CAs may be inept – or cooperating with national governments.
Seth will explain the push to increase HTTPS deployment to protect privacy and fight Internet censorship, but also to make its protections more meaningful and robust. He’ll describe the work on Firefox plugins that change the browser security model, and ideas on information sources that can supplement the certificate authorities. The talk will also include a look at the SSL Observatory, which aims to collect data to catch rogue CAs in the act.