


With HTTPS Everywhere, Is Firefox Now the Most Secure Mobile Browser?

Peter Eckersley writes "Over at EFF, we just released a version of our HTTPS Everywhere extension for Firefox for Android. HTTPS Everywhere upgrades your insecure web requests to HTTPS on many thousands of sites, and this means that Firefox on Android with HTTPS Everywhere is now by far the most secure browser against dragnet surveillance attacks like those performed by the NSA, GCHQ, and other intelligence agencies. Android users should install the Firefox app and then add HTTPS Everywhere to it. iPhone and iPad users will unfortunately have to switch to Android to get this level of security because Apple has locked Mozilla Firefox out of their platforms."


  • HTTPS is secure? (Score:5, Informative)

    by Anonymous Coward on Wednesday February 05, 2014 @01:21AM (#46159245)


  • by dvdkhlng ( 1803364 ) on Wednesday February 05, 2014 @05:26AM (#46160351)

    The NSA likely has keys from all the major SSL cert vendors, rendering this "spamvertisement" moot. HTTPS does not mean that you're secure from everybody. It means you've added a layer of security that will thwart MOST prying eyes, but those that really want to know what you're doing WILL know what you're doing.

    Having the keys from multiple SSL cert vendors does not help a bit (and having the keys from many vendors isn't much better than having the keys of a single vendor). It does NOT magically allow you to decrypt SSL traffic from servers whose host key was signed against that cert vendor's certificate!

    To decrypt traffic of multiple SSL websites requires you to obtain the private part of the SSL host keys from all the web servers themselves. Note that web server host keys are signed via signing requests that do not contain a copy of the private key, so even when the cert vendors (CAs) are hacked, you cannot directly listen in on SSL communication. When the servers implement Perfect Forward Secrecy [wikipedia.org], then even obtaining a copy of the server's host key won't help as each connection uses a temporary key that's exchanged via Diffie-Hellman Key Exchange [wikipedia.org], a method that generates a key shared between two hosts, that (somewhat counter-intuitively) cannot be deduced by sniffing the traffic between those two participants.

    What you can still do is to set up a MITM attack [wikipedia.org]: you set up your own intermediate server with its own host key and sign your host key(s) using one of the SSL vendor's certs that you obtained. Then you redirect all traffic to the servers that interest you via your server (i.e. proxying all SSL connections) and then obviously in the process you obtain the cleartext of all SSL sessions running via your server.

    However, the MITM attack is much more difficult to deploy and scale than simple monitoring and recording IP data. Also skilled users will easily detect the MITM attack, as the host key's public part of the servers in question will suddenly change. There are Firefox extensions to check for these signs of a MITM. Even SSL Everywhere has a checker built in (via the SSL Observatory). Or try Certificate Patrol [mozilla.org].
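To make concrete what the comment above says about Diffie-Hellman and forward secrecy, here is an added example (not from the commenter, and not HTTPS Everywhere code): an ephemeral finite-field exchange over the RFC 2409 "group 2" prime, where only p, g and the two public values cross the wire and each connection gets a fresh exponent. It assumes Python 3 with the standard library only; the prime constant is quoted from memory, so the block re-checks its primality before use.

```python
import secrets

# 1024-bit MODP prime ("group 2", RFC 2409 section 6.2) with generator 2, quoted
# from memory; is_probable_prime() below double-checks it. Current deployments use
# the larger RFC 3526 / RFC 7919 groups or elliptic-curve (ECDHE) groups instead.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2

def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases; sanity check for the group prime above."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def dh_keypair():
    """Fresh per-connection exponent (never sent) and its public value g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2          # 2 <= priv <= P - 2
    return priv, pow(G, priv, P)

def dh_shared(priv, peer_pub):
    """Our exponent applied to the peer's public value; rejects 0, 1 and P-1,
    which would pin the shared secret to a trivially small set."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_pub, priv, P)

def run_session():
    """One ephemeral handshake. Returns (what a sniffer records, client secret,
    server secret); only p, g, A and B cross the wire, the exponents never do."""
    a, A = dh_keypair()                           # client side
    b, B = dh_keypair()                           # server side
    transcript = {"p": P, "g": G, "A": A, "B": B}
    return transcript, dh_shared(a, B), dh_shared(b, A)
```

Run two sessions and compare: the secrets agree on both sides of each handshake but differ between handshakes, which is why a later theft of the server's long-term key cannot unlock previously recorded sessions.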

  • by heypete ( 60671 ) <pete@heypete.com> on Wednesday February 05, 2014 @05:59AM (#46160495) Homepage

    I see a few problems with this approach:

    1) Not all content is provided over both HTTP and HTTPS. For multiple reasons, one being performance. Which leads us to the second problem...

    True, which is why HTTPS Everywhere only enables HTTPS on sites that support it (they are specifically whitelisted by the extension devs).

    2) An HTTPS session incurs a significant overhead for encryption. Which may be no problem for someone like Google. But for someone hosting his/her own (moderately successful) website on a small server, it might just overload said server.

    While HTTPS does incur some overhead, it's surprisingly small for modern servers. Google, for example, was able to add SSL/TLS to all Gmail connections with no new hardware, no additional servers, and SSL/TLS accounts for only about 1% of their CPU time (see here [imperialviolet.org] for details).

    Pretty much any server will reach other bottlenecks before the slight overhead of SSL/TLS becomes an issue. Using Perfect Forward Secrecy is important for security, and using DHE-based ciphers does incur a moderate overhead compared to non-DHE ciphers (a factor of about 3). Using ECDHE instead makes the increase in overhead only about 15% rather than 300%. See here [bernat.im] for details.

    3) Quite possibly the biggest problem with HTTPS is the fact that users have been trained over many years to just click "accept/install certificate" on self-signed certs. Not knowing that if you do this you are no longer secure.

    And the more we keep forcing HTTPS, the more webmasters will use self-signed certs. Not many people want to go through the hassle of obtaining (and maintaining!) a valid SSL certificate for every single website they run, even if that cert is free. Which will only exacerbate the problem...

    [citation needed] Getting a domain-validated SSL cert from publicly-available CAs is the work of a few minutes and, as you point out, often available for free or very low cost. Many hosts will automate the generation of a private key and CSR, making the process one of copy-paste for the customer. Other hosts handle the entire process of generating a private key, getting it signed by a CA, and configuring things correctly.

    Sure, some sites use self-signed certs, but these are usually for personal or internal corporate purposes and not for the general public. The scary warnings in browsers aren't likely to go away anytime soon, so I doubt that any webmaster of a website meant for public use is going to be using self-signed certs (other than those catering to specific, tech-savvy audiences).

  • by kasperd ( 592156 ) on Wednesday February 05, 2014 @07:13AM (#46160799) Homepage Journal

    I would assume all SSL certificates are compromised. Like, literally, all of them.

    No amount of snooping on the network would compromise a private key, which never leaves the server in the first place. Thus the only way you could possibly compromise the certificate would be if you put an invalid public key in the certificate in the first place. Since that would be immediately obvious to any server owner paying enough attention, it is safe to assume that compromising all certificates cannot be done without being detected. If they literally compromised all of them, it would only take one single security-aware server administrator to notice it.

    This is why we should focus much more on protocols that are secure against passive attacks, but not against active attacks. Systematic passive attacks can be pulled off without detection. Systematic active attacks cannot. Protection against active attacks is much harder and is the reason we have the CA system. It is not that protecting against active attacks is a bad idea, it is just that it is so hard that much communication isn't protected. Opportunistic encryption with security against active attacks could be done without needing certificates. If on top of that you do perform certificate validation on the most critical sites after you have established a connection with only the opportunistic protection, then you do get protection against active attacks. In order for this to make sense, it is important that until you do perform an active attack, you cannot know if the connection has been secured against active attacks.

    Both types of connections will benefit by being indistinguishable from the other to a passive adversary.

    The connections with only passive security benefits because it is now easier to do encryption, and moreover being indistinguishable from the minority of connections with active security protects you from systematic active attacks. This is because systematic attacks are bound to hit protected connections once in a while, so they cannot go undetected.

    The connections with the full active security also benefit because they are now attracting less attention. They will be a minor fraction of a much larger amount of encrypted connections. A passive adversary cannot know which of the connections have active security and are likely to contain the juicy stuff.

  • Re:HTTPS is secure? (Score:5, Informative)

    by AmiMoJo ( 196126 ) * <mojo@world3.nBLUEet minus berry> on Wednesday February 05, 2014 @08:21AM (#46161037) Homepage Journal

    It's not secure if they target you, but it massively increases the cost of monitoring you. Rather than just passively hoovering everything up they have to actually attack. If everyone does it their job gets harder and more costly.
