Deeplinks Blog posts about Encrypting the Web
When we look back at 2015, we will remember this as the year we launched our most ambitious technology project to date. EFF, Mozilla, and our partners gave the world the Let's Encrypt certificate authority. Certificates became available to the public on December 3.
Let's Encrypt makes getting a digital certificate for an Internet site fast, free, and easy, so sites can easily enable HTTPS encryption (and some other encrypted protocols). We think this is a vital step in getting Web connections routinely encrypted, by reducing the cost and difficulty of getting a certificate that browsers require when making secure connections.
Earlier this year it was revealed that Lenovo was shipping computers preloaded with software called Superfish, which installed its own HTTPS root certificate on affected computers. That in and of itself wouldn't be so bad, except Superfish's certificates all used the same private key. That meant all the affected computers were vulnerable to a “man in the middle” attack in which an attacker could use that private key to eavesdrop on users' encrypted connections to websites, and even impersonate other websites.
For years, EFF has been working to protect the Web from surveillance and censorship by making encryption ubiquitous. Fixing problems with the Internet's certificate infrastructure has been at the top of that list.
Last night, that campaign took a major step forward when the Let's Encrypt Certificate Authority, which we've been building in collaboration with teams at Mozilla and ISRG (and a lot of help from Akamai, Cisco, and others), received a cross-signature from IdenTrust. As a result, Let's Encrypt certificates are now valid and trusted by all modern Web browsers. You can see our very first cert in action at helloworld.letsencrypt.org.
On Friday, Google reported on its online security blog the faulty issuance of a certificate for google.com and www.google.com by Symantec, a prominent Certificate Authority. This misissuance is significant not only because it represents a breach in the core Internet trust mechanism; it was also the first of its kind with regard to the type of certificate issued (Extended Validation) as well as the mechanism by which the certificate was discovered (Certificate Transparency).
Popular Dating Site Has No Love for Strong Security
Back in 2012, EFF first called out OKCupid for failing to safeguard user data by not implementing HTTPS site-wide.
Three years later, OKCupid still hasn’t fixed the problem. For users who haven’t upgraded to paid accounts, emails, chat sessions, searches, clicked links, pages viewed, and usernames are transmitted over the Internet in unencrypted plaintext, where they can be intercepted and read by anyone on the network.