Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×

Submission + - EFF needs your help to stop Congress dismantling Internet privacy protections! (eff.org)

Peter Eckersley writes: Last year the FCC passed rules forbidding ISPs (both mobile and landline) from using your personal data without your consent for purposes other than providing you Internet access. In other words, the rules prevent ISPs from turning your browsing history into a revenue stream to sell to marketers and advertisers. Unfortunately, members of Congress are scheming to dismantle those protections as early as this week. If they succeed, ISPs would be free to resume selling users' browsing histories, pre-loading phones with spyware, and generally doing all sorts of creepy things to your traffic.

The good news is, we can stop them. We especially need folks in the key states of Alaska, Colorado, Maine, Montana, Nevada, Ohio, and Pennsylvania to call their senators this week and tell them not to kill the FCC's Broadband Privacy Rules.

Together, we can stop Congress from undermining these crucial privacy protections.

Submission + - Anouncing Certbot: EFF's client for Let's Encrypt (eff.org)

Peter Eckersley writes: EFF has just launched Certbot, which is the next iteration of the Let's Encrypt client. It's a powerful tool for obtaining TLS/SSL certificates from Let's Encrypt, and (if you wish) automatically installing them to enable and tune HTTPS on your website. It's extensible, and supports a rapidly-growing range of server software. Install Certbot, and help us encrypt the Web today!

Comment Re:doesn't work without javascript (Score 3, Informative) 63

Yes our simulation of third party tracking involves visiting three synthetic first party domains that share a third party tracker. That works if you have various types of blockers installed, or if JavaScript is disabled. But if you have a browser that both blocks JS and blocks redirects or blocks absolutely all loads of tracking domains (eg via an /etc/hosts blacklister like AdAway), the test won't work. Congratulations, you have pretty good protections in place :)

We're going to provide a fingerprinting-only URL for Panopticlick 2 that works even for people with a NoScript + AdAway or NoScript + redirect blocking, will post a link on the site when it's ready.

Submission + - Is your browser safe from Web tracking? (eff.org)

Peter Eckersley writes: Today EFF has launched Panopticlick 2.0. In addition to measuring whether your browser exposes unique — and therefore trackable — settings and configuration to websites, the site can now test if you have correctly configured ad- and tracker-blocking software. Think you have correctly configured tracker-blocking software? Visit Panopticlick to test if you got it right.

Submission + - Let's Encrypt is now in Public Beta (eff.org)

Peter Eckersley writes: As of today, Let's Encrypt is in Public Beta. If you're comfortable running beta software that may have a few bugs and rough edges, you can use it to instantly obtain and install certificates for any HTTPS website or TLS service. You can find installation instructions here.

Comment Re:Shared hosting... (Score 1) 212

We'll try to give site operators a configurable choice of multiple solutions -- certificates with multiple Subject Alternative Names (SANs); per-site certificates deployed using Server Name Indication (SNI); IPv4 addresses per site if you have enough; or IPv6 addresses per site.

All of these solutions have different problems and limitations:

  • If mutliple-SAN certs get too large, they cause performance problems, and some clients may not be able to handle them
  • SNI isn't supported by Safari and older IE on Windows XP, or more alarmingly by Android below 4.x
  • IPv4 addresses are scarce and costly
  • Many clients still can't route IPv6

  Sophisticated hosting platforms may want to use all of these methods in combination.

Comment Re:quick question (Score 5, Informative) 212

Actually the US Department of Defense and dozens of other governments have their own CAs with which they could issue a certificate for your domain, if they wished to. Here's a map we made of them using our SSL Observatory datasets.

Nonetheless we should be able to use publication mechanisms such as Certificate Transparency to ensure that any compromise or compulsion of the Let's Encrypt CA could be quickly detected.

Submission + - Launching 2015: a new Certificate Authority to Encrypt the Entire Web (eff.org)

Peter Eckersley writes: Today EFF, Mozilla, Cisco and Akamai announced a forthcoming project called Let's Encrypt. Let's Encrypt will be a certificate authority that issues free certificates to any website, using automated protocols (demo video here). Launching in summer 2015, we believe this will be the missing piece that deprecates the woefully insecure HTTP protocol in favor of HTTPS.

Submission + - EFF begins a Campaign for Secure and Usable Cryptography (eff.org)

Peter Eckersley writes: Over at EFF we just launched our Secure Messaging Scorecard, which is the first phase in a campaign to promote the development of communications protocols that are genuinely secure and usable by ordinary people. The Scorecard evaluates communications software against critical minimum standards for what a secure messaging app should look like; subsequent phases are planned to examine real world usability, metadata protection, protocol openness, and involve a deeper look at the security of the leading candidates. Right now, we don't think the Internet has any geninely usable, genuinely secure messaging protocols — but we're hoping to encourage tech companies and the open source community to starting closing that gap.

Comment Re:HTTPS Doesn't Make a Browser Secure (Score 1) 2

Agreed, provocative headline aside, the post specifies that the kind of security we can deliver is protection against dragnet surveillance.

Mobile phones in general are not yet in a position to offer much host security against targetted attacks; they have unauditable basedband chips and carrier-controlled update mechanisms and very slow security update cycles.

Submission + - With HTTPS Everywhere, is Firefox now the most secure mobile browser? (eff.org) 2

Peter Eckersley writes: Over at EFF, we just released a version of our HTTPS Everywhere extension for Firefox for Android. HTTPS Everywhere upgrades your insecure web requests to HTTPS on many thousands of sites, and this means that Firefox on Android with HTTPS Everywhere is now by far the most secure browser against dragnet surveillance attacks like those performed by the NSA, GCHQ, and other intelligence agencies.

Android users should install the Firefox app and then add HTTPS Everywhere to it. iPhone and iPad users will unfortunately have to switch to Android to get this level of security because Apple has locked Mozilla Firefox out of their platforms.

Submission + - Australian Networks Censoring Community University Website (eff.org)

Peter Eckersley writes: At the EFF we were recently contacted by the organisers of the Melbourne Free University (MFU), an Australian community education group, whose website had been unreachable from a number of Australian ISPs since the 4th of April.

It turns out that the IP address of MFU's virtual host has been black-holed by several Australian networks; there is suggestive but not conclusive evidence that this is a result of some sort of government request or order. It is possible that MFU and 1200 other sites that use that IP address are the victims of a block that was put in place for some other reason.

Further technical analysis and commentary is in our blog post.


Submission + - Presidential campaigns leaking supporters' identities to online tracking firms? (webpolicy.org)

Peter Eckersley writes: "Stanford privacy researcher Jonathan Mayer has published new research showing that websites of both the Obama and Romney presidential campaigns, which are used to communicate with and coordinate their volunteers, leak large amounts of private information to third-party online tracking firms. The Obama campaign site leaked names, usernames, zip codes and street addresses to up to ten companies. The Romney campaign site leaked names, zip codes and partial email addresses to up to thirteen firms."

Slashdot Top Deals

Your computer account is overdrawn. Please see Big Brother.