The EFF has released a new version of its HTTPS Everywhere browser extension, and users can now turn on a feature that will send the EFF copies of digital certificates that the browser encounters, allowing the organization to look for flawed, fake or expired certificates.
The new capability is major change for the plug-in, and could help discover and publicize a lot of problematic certificates. HTTPS Everywhere enables users to connect to a predetermined set of Web sites over SSL by default. The Firefox version has been available for some time, and the EFF this week also released a new beta version for Google Chrome. The original version of the extension only supported a small handful of sites, but version 2.01 now supports more than 400.
“Firefox users will find a number of improvements in version 2.0. In addition to support for four hundred more sites, a crisper user interface, and translation into a dozen languages, there is a new optional feature called the Decentralized SSL Observatory. It detects and warns about security vulnerabilities as you browse the Web. Firefox users can turn on this setting from theTools->HTTPS Everywhere->SSL Observatory Preferences menu, or from the HTTPS Everywhere toolbar button,” Peter Eckersley of the EFF wrote in a blog post.
“If you turn on this feature, it will send anonymous copies of certificates for HTTPS websites to EFF’s SSL Observatory database, which will allow us to study them and detect problems with the web’s cryptographic and security infrastructure. The Decentralized SSL Observatory is also capable of giving real-time warnings about these problems.”
The new version of HTTPS Everywhere also has the ability to detect weak or duplicate public keys in devices such as routers or VPNs, an issue that researchers discovered last month.
Fraudulent certificates, bad keys and other problems have become major issues in the last couple of years, including serious attacks on several certificate authorities.