Agreed, provocative headline aside, the post specifies that the kind of security we can deliver is protection against dragnet surveillance.
Mobile phones in general are not yet in a position to offer much host security against targetted attacks; they have unauditable basedband chips and carrier-controlled update mechanisms and very slow security update cycles.
you know who's connected where?
Great question. If you have Torbutton installed, the Decentralized SSL Observatory will use Tor to submit the certs via an anonymized HTTPS POST, and warnings (if there are any) are sent back through the Tor network in response.
If you don't have Torbutton, you can still turn on the SSL Observatory, in which case the submission is direct. The server does not keep logs of which IPs certs are submitted from, though this is of course less secure than using Tor.
Before you can turn the Observatory on, we have a UI that tries to explain all of this elegantly and succinctly, in language that even not-super-technical users can understand.
The original design document is here: https://trac.torproject.org/projects/tor/wiki/doc/HTTPSEverywhere/SSLObservatorySubmission
Is it possible for me to reject the Etisalat subCA cert without ever seeing it?
With Chrome/IE/Safari on OS X and Windows only, there is a way to block the Etisalat subordinate CA certs. First you have to fetch a copy (see for instance this site). Note that the Etisalat cert is also labelled "Comtrust". Then export the cert. Then on Windows, reimport them into "untrustuted certificates" store. On OS X, import the cert using the Keychain Application into "My Certificates", and disable it.
Intel CPUs are not defective, they just act that way. -- Henry Spencer
