Monday, April 29, 2013

httpsnow.org has a certificate problem

I'm still undecided on whether or not the Electronic Frontier Foundation are doing this to be funny.  You may know that the EFF have a project to advocate for universal use of TLS for web traffic, in support of user privacy.  They've also released a browser extension, HTTPS Everywhere, which rewrites requests to HTTPS for sites that support it but don't default to it (it can't encrypt traffic to a site that has no TLS at all).  One of their particularly interesting projects is the SSL Observatory, which collects the certificates in use on the web and evaluates them for vulnerabilities and for the issuance practices of the certification authorities that signed them.

If you go to their TLS advocacy website, https://www.httpsnow.org, you may see something like this:



Given what the EFF is doing with HTTPS advocacy and its investigations of shoddy CA practices, I found this very surprising.  Unfortunately, however, it's common for there to be problems with web server certs, and that's the case here: a misconfiguration, not a compromise.

What happened here is that the subject name/subject alt name is ... "*.eff.org".  A wildcard covers exactly one label under eff.org, so it matches www.eff.org but not www.httpsnow.org, and from the validator's point of view the certificate is simply for some other host; the browser has no option but to raise a name-mismatch warning.  So, aside from points lost for using a wildcard cert at all, the EFF are serving httpsnow.org with a certificate that, for the purposes of certificate validation, is an unrelated and incorrect one.
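To make the name-matching rule concrete, here is an added example (my own code, not anything from the EFF or the post above) that applies the RFC 6125 hostname rules a browser uses to a certificate's names.  The OBSERVED_CERT dict is constructed to mimic the wildcard name reported above; the real certificate's full SAN list isn't on this page, so only "*.eff.org" is assumed.  The dict uses the shape Python's ssl.SSLSocket.getpeercert() returns, and live_check() is an optional helper that needs network access.

```python
"""Hostname matching against a certificate's names, the way a browser does it.

Rules applied (RFC 6125 section 6.4.3 as modern browsers implement it):
  * compare against subjectAltName dNSName entries; fall back to the
    subject CN only when there is no dNSName entry at all (legacy behaviour);
  * comparison is case-insensitive; a trailing dot is ignored;
  * a wildcard is honoured only as the entire left-most label, and it
    matches exactly one non-empty label, never zero labels and never a dot.
Browsers additionally refuse wildcards on public suffixes ('*.com'); that
check needs the public-suffix list and is out of scope here.
"""

# Constructed sample in getpeercert() shape, mimicking the "*.eff.org"
# name the post reports (assumption: the real cert's SAN list is unknown).
OBSERVED_CERT = {
    "subject": ((("commonName", "*.eff.org"),),),
    "subjectAltName": (("DNS", "*.eff.org"),),
}


def _wildcard_label_matches(pattern, hostname):
    """Return True if `pattern` (e.g. '*.eff.org') covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    # The wildcard must be the whole left-most label ('*.eff.org' is fine,
    # 'w*.eff.org' is not) and there must be a domain behind it.
    if head != "*" or not tail or "*" in tail:
        return False
    host_head, host_sep, host_tail = hostname.partition(".")
    # '*' consumes exactly one non-empty label; the rest must match exactly.
    return bool(host_head) and host_sep == "." and host_tail == tail


def dns_names_from_cert(cert):
    """Names a validator compares against: SAN dNSNames, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def hostname_matches(hostname, cert):
    """True if any name in `cert` covers `hostname` under the rules above."""
    return any(_wildcard_label_matches(name, hostname) for name in dns_names_from_cert(cert))


def explain(hostname, cert):
    """One-line verdict, e.g. for a monitoring check."""
    names = dns_names_from_cert(cert)
    if hostname_matches(hostname, cert):
        return "%s: OK, covered by %s" % (hostname, ", ".join(names))
    return "%s: name mismatch, certificate is for %s" % (hostname, ", ".join(names))


def live_check(hostname, port=443, timeout=5):
    """Connect and ask the stdlib verifier the same question (needs network).

    Returns (True, names) on success or (False, error text) on a
    verification failure such as a hostname mismatch.
    """
    import socket
    import ssl

    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return True, dns_names_from_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for host in ("www.eff.org", "eff.org", "a.b.eff.org", "www.httpsnow.org"):
        print(explain(host, OBSERVED_CERT))
```

Run stand-alone it prints one verdict per host; only www.eff.org is covered, since the wildcard neither matches the bare apex nor crosses a label boundary, and www.httpsnow.org is simply a different domain.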