We're going to provide a fingerprinting-only URL for Panopticlick 2 that works even for people with a NoScript + AdAway or NoScript + redirect blocking, will post a link on the site when it's ready.
We'll try to give site operators a configurable choice of multiple solutions -- certificates with multiple Subject Alternative Names (SANs); per-site certificates deployed using Server Name Indication (SNI); IPv4 addresses per site if you have enough; or IPv6 addresses per site.
All of these solutions have different problems and limitations:
Sophisticated hosting platforms may want to use all of these methods in combination.
Actually the US Department of Defense and dozens of other governments have their own CAs with which they could issue a certificate for your domain, if they wished to. Here's a map we made of them using our SSL Observatory datasets.
Nonetheless we should be able to use publication mechanisms such as Certificate Transparency to ensure that any compromise or compulsion of the Let's Encrypt CA could be quickly detected.
Agreed, provocative headline aside, the post specifies that the kind of security we can deliver is protection against dragnet surveillance.
Mobile phones in general are not yet in a position to offer much host security against targetted attacks; they have unauditable basedband chips and carrier-controlled update mechanisms and very slow security update cycles.
you know who's connected where?
Great question. If you have Torbutton installed, the Decentralized SSL Observatory will use Tor to submit the certs via an anonymized HTTPS POST, and warnings (if there are any) are sent back through the Tor network in response.
If you don't have Torbutton, you can still turn on the SSL Observatory, in which case the submission is direct. The server does not keep logs of which IPs certs are submitted from, though this is of course less secure than using Tor.
Before you can turn the Observatory on, we have a UI that tries to explain all of this elegantly and succinctly, in language that even not-super-technical users can understand.
The original design document is here: https://trac.torproject.org/projects/tor/wiki/doc/HTTPSEverywhere/SSLObservatorySubmission
"Consequences, Schmonsequences, as long as I'm rich." -- "Ali Baba Bunny" [1957, Chuck Jones]