posted by janrinok on Saturday December 05 2015, @02:39AM
from the got-the-T-shirt dept.

The Electronic Frontier Foundation has announced a Security Vulnerability Disclosure Program to deal with bugs in its recent major projects as well as with the software the organization uses:

At EFF we put security and privacy first. This means working hard at keeping our members and site visitors safe, as well as the people who use the software we develop. We also dedicate staff time to advising security researchers, maintaining resources like our Coders' Rights Project, and helping groups like Facebook improve their bug reporting policies.

Today we're following our own advice by announcing EFF's own Security Vulnerability Disclosure Program. The Disclosure Program is a set of guidelines on how to report bugs in software EFF develops, like HTTPS Everywhere or Let's Encrypt, as well as the software we use to run our sites and services. The scope of the bugs we're looking for is detailed on the Security Vulnerability Disclosure Program page, but we're not just looking for bugs in our code. Security vulnerabilities created by the specific configuration of software on EFF servers are also within the scope of this program.

Forget about cash bounties. You're looking at acknowledgment, t-shirts, complimentary EFF memberships, opportunities to meet EFF staff (based in San Francisco), and "complimentary tickets to EFF events like the Pioneer Awards for especially severe vulnerabilities."

  • (Score: 3, Interesting) by TheRaven (270) on Saturday December 05 2015, @10:51AM (#272138)

    The problem with Let's Encrypt is that it allows anyone who has control over an IP address that corresponds to a DNS entry to get an SSL certificate for that domain that is valid for three months. That's going to make it incredibly easy to use botnets to harvest certificates - compromise any service that allows you to listen for an incoming connection and you can now issue certificates. It's also therefore trivial for any backbone operator to fake - as long as the request is going to go over your network then you can redirect it and get the signed cert yourself. If you clean up quickly, then no one who isn't running a decent IDS will know that their machine has been compromised and you have three months to use the cert for phishing. I would not be surprised to see Let's Encrypt certs used for the majority of phishing scams within a year.
    --
    sudo mod me up
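As an added example (not from the article, EFF, or either commenter) of the kind of check TheRaven's "decent IDS" remark points at: an audit of web server access logs for ACME HTTP-01 challenge responses that the host's own ACME client never issued. It assumes the Apache/nginx combined log format and that the defender can list the challenge tokens their own client placed; the log lines and tokens below are constructed.

```python
import re

# Combined access-log format (constructed sample lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Path the ACME HTTP-01 challenge is served from (RFC 8555).
ACME_PREFIX = "/.well-known/acme-challenge/"


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def audit_acme_challenges(log_lines, known_tokens):
    """Classify every request for an HTTP-01 challenge token on this host.

    known_tokens: tokens the host's own ACME client placed (from its state directory
    or its own logs). Returns a list of (severity, ip, ts, token) where severity is
      'rogue' - a 200 for a token we never issued: someone else completed domain
                validation using this host (the scenario TheRaven describes);
      'probe' - a non-200 for an unknown token: an attempt that did not succeed.
    Requests for tokens we issued ourselves are expected and skipped.
    """
    findings = []
    for line in log_lines:
        f = parse_line(line)
        if not f or not f["path"].startswith(ACME_PREFIX):
            continue
        token = f["path"][len(ACME_PREFIX):].split("?", 1)[0]
        if token in known_tokens:
            continue
        severity = "rogue" if f["status"] == "200" else "probe"
        findings.append((severity, f["ip"], f["ts"], token))
    return findings


# Constructed sample data: one legitimate renewal, one successful rogue
# validation, one failed attempt, and one unrelated request.
KNOWN_TOKENS = {"ourRenewalToken01"}
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Dec/2015:13:27:10 +0000] "GET /.well-known/acme-challenge/ourRenewalToken01 HTTP/1.1" 200 87 "-" "acme-validator"',
    '198.51.100.9 - - [05/Dec/2015:14:02:41 +0000] "GET /.well-known/acme-challenge/Zz9unknownToken HTTP/1.1" 200 87 "-" "acme-validator"',
    '198.51.100.9 - - [05/Dec/2015:14:05:03 +0000] "GET /.well-known/acme-challenge/Qq1otherToken HTTP/1.1" 404 153 "-" "acme-validator"',
    '192.0.2.44 - - [05/Dec/2015:14:06:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in audit_acme_challenges(SAMPLE_LOG, KNOWN_TOKENS):
        print(finding)
```

Run against real logs, a 'rogue' hit means a certificate for the name may now exist that the operator did not request, which is the signal the quick clean-up in TheRaven's scenario is meant to erase.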
  • (Score: 2, Informative) by sigterm (849) on Saturday December 05 2015, @01:27PM (#272154)


    >The problem with Let's Encrypt is that it allows anyone who has control over
    >an IP address that corresponds to a DNS entry to get an SSL certificate for
    >that domain that is valid for three months.

    That's pretty much how existing RA procedures work, except when you acquire a certificate from any other vendor it will be valid for at least a year.