
SoylentNews is people

posted by hubie on Thursday September 08 2022, @11:57PM

Honoring Peter Eckersley, Who Made the Internet a Safer Place for Everyone:

With deep sadness, EFF mourns the loss of our friend, the technologist, activist, and cybersecurity expert Peter Eckersley. Peter worked at EFF for a dozen years and was EFF's Chief Computer Scientist for many of those. Peter was a tremendous force in making the internet a safer place. He was recently diagnosed with colon cancer and passed away suddenly on Friday.

The impact of Peter's work on encrypting the web cannot be overstated. The fact that transport layer encryption on the web is so ubiquitous that it's nearly invisible is thanks to the work Peter began. [...]

While encrypting the web would have been enough, Peter played a central role in many groundbreaking projects to create free, open source tools that protect the privacy of users' internet experience by encrypting communications between web servers and users. Peter's work at EFF included privacy and security projects such as Panopticlick, HTTPS Everywhere, Switzerland, Certbot, Privacy Badger, and the SSL Observatory.

His most ambitious project was probably Let's Encrypt, the free and automated certificate authority, which entered public beta in 2015. [...]

By 2017 it had issued 100 million certificates; by 2021, about 90% of all web page visits use HTTPS. As of today it has issued over a billion certificates to over 280 million websites.

[...] Peter left EFF in 2018 to focus on studying and calling attention to the malicious use of artificial intelligence and machine learning. He founded AI Objectives Institute, a collaboration between major technology companies, civil society, and academia, to ensure that AI is designed and used to benefit humanity.



Related Stories

Toward Policy for Open Source Software as Infrastructure

The Atlantic Council has published a policy report entitled "Avoiding the success trap: Toward policy for open-source software as infrastructure". It addresses the idea of Open Source Software (OSS) as essential infrastructure. OSS differs from physical infrastructure yet supports critical functions, provides dependable services, offers subtle and often unseen service delivery, and functions through decentralized control.

This report aims to develop tangible example policies for the United States and European Union to support OSS as infrastructure and point policymakers toward existing policy vehicles that government can readily modify and adopt to better support and engage with the OSS ecosystem. The report does not seek to make definitive statements about what open source is or is not through these analogies. Rather the goal is to capture a snapshot of its most essential features and most consequential participants. Any of the analogies can be extended far past usefulness, and policymakers should approach each keeping in mind the essential truth that, while all models are wrong, some (including, we believe, these) are useful, nonetheless. Before diving into the analogies though, this report looks to discuss the open-source ecosystem as it is, highlighting key principles and addressing common misconceptions.

[...] None of this report reflects a belief that OSS is inherently insecure, but rather that it is uniquely central to modern digital systems and that relationships with the OSS community are necessarily, and substantively, different than those government has grown accustomed to with industry and industry within itself. Sustainable use emphasizes the user responsibility for much of the risk associated with software use, including OSS, and addresses OSS-specific features of development and contribution possibly only with open-source code. Addressing systemic risk is an important step for policy efforts to support the security and sustainability of OSS projects with an accurate picture of the considerable interdependency between code bases. Finally, governments must step up to support OSS as the infrastructure that it is. These resources should come alongside expanded private sector support and can manifest in targeted formats as well as a more general support model, the OSS Trust. OSS is infrastructure, and the provision of support for it as such will permit more rapid adoption and considerable innovation in even critical domains of economic and government activity.

So it seems that the establishment continues to turn its jaundiced eye towards software development.

Previously:
(2023) Opinion: FOSS Could be an Unintended Victim of EU Security Crusade
(2022) Honoring Peter Eckersley, Who Made the Internet a Safer Place for Everyone
(2022) Open Source Community Sets Out Path to Secure Software



This discussion was created by hubie (1068) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 3, Informative) by Anonymous Coward on Friday September 09 2022, @03:00AM (#1270876)

    While I never looked to see who wrote it, I've enjoyed Privacy Badger for many years. Not quite the same as an ad blocker, it blocks pages with trackers. In general everything "just works" for my browsing and only a limited number of ads and other annoyances get through.

  • (Score: -1, Troll) by Anonymous Coward on Friday September 09 2022, @07:03AM (#1270889)

    The impact of Peter's work on encrypting the web cannot be overstated.

    And quite easily too.

    "Without Peter's work, billions would have died from the grey goo apocalypse."

    "Peter's work has eliminated cyber-crime everywhere in the solar system."

    "The work that Peter has done saved just one company Click here to see which one! [dewey-cheatham-howe.com] USD$500 Trillion, let alone the other 800 million corporations that have each saved at least USD$40 Billion."

    I could go on, but one gets the point, no?

  • (Score: 2, Interesting) by Anonymous Coward on Friday September 09 2022, @05:39PM (#1270987)

    Looking at that diagram with the smiley face I don't see how what he did actually helped that much in making things safer. Because the plaintext bit is between Google's front end servers and their other servers. e.g. the threat was within Google's systems itself.

    So none of that TLS, HTTPS everywhere or Let's Encrypt stuff would have helped. And do you really want to bet that that applied only to Google?

    Thus I'd say Snowden did more to improve actual security if Google etc really secured things vs the NSA etc as a result of his leaks.

    Secondly most of the popular browsers by default still don't warn you about CA changes for a site's cert. Yes there's stuff like HSTS but I prefer a solution that is under my control - not involuntarily forced onto my browser. And also the browsers keep doing scary warnings over self-signed certs. The fact is self-signed certs can actually be safer. After all the same concept works for SSH - you can check the cert fingerprint of your ssh server or bank website and if it's OK you could tell your SSH client, web browser - this cert is OK, just warn me if it ever changes in the future. And that's actually safer than the current system where random CAs could be tricked into signing a fake bank cert and your browser might trust it and never warn you.

    That said I am grateful for Let's Encrypt since it makes whitewashing security much cheaper - e.g. people don't get scary warnings on their browsers when they visit my sites. Makes putting on the show much cheaper. Those "security" people say 1 year certs are more secure than 2 year certs and force everyone to no longer support 2 year and longer certs, so using their logic it means Let's Encrypt's 90 day certs are even safer than 1 year certs ;). Go think about that on whether the industry is really about security or it's about something else.

  • (Score: 0) by Anonymous Coward on Friday September 09 2022, @11:41PM (#1271049)

    Wonderful. I'm going to found an institute to ensure tools are only used to benefit humanity. Words too. Send donations asap.
