Skip to main content
EFF TURNS 30! LEARN MORE ABOUT US, AND HOW YOU CAN HELP.
EFF TURNS 30! LEARN MORE.

Computer security and the lack of computer security is a fundamental issue that underpins much of how the Internet does (and doesn't) function. Many of the policy issues that EFF works on are linked to security in deep ways including privacy and anonymity, DRM, censorship, and network neutrality.

EFF works directly on a wide range of security issues including increased deployment of cryptographic protocols through projects like HTTPS Everywhere and Certbot; improving the security of those protocols with the SSL Observatory; offering legal assistance to researchers through our Coders' Rights Project; offering practical security advice to activists through the surveillance self-defense project; directly auditing open source codebases; and working on the development of new security standards.

Security Highlights

Encrypting the Web

The web is in the middle of a massive change from non-secure HTTP to the more secure HTTPS protocol. All web servers use one of these two protocols to get web pages from the server to your browser. HTTP has serious problems that make it vulnerable to eavesdropping and content...

Coders' Rights Project

EFF's Coders' Rights Project protects programmers and developers engaged in cutting-edge exploration of technology. Security and encryption researchers help build a safer future for all of us using digital technologies, but too many legitimate researchers face serious legal challenges that prevent or inhibit their work. These challenges come from laws...

Security Updates

Raid on COVID Whistleblower in Florida Shows the Need to Reform Overbroad Computer Crime Laws and the Risks of Over-Reliance on IP Addresses

The armed Florida Department of Law Enforcement raid on Monday on the Tallahassee Florida home of data scientist and COVID whistleblower Rebekah Jones was shocking on many levels. This incident smacks of retaliation against someone claiming to provide the public with truthful information about the most pressing issue facing both...

Dark Caracal

Dark Caracal: You Missed a Spot

Security researchers at EFF have tracked APTs (Advanced Persistent Threats) targeting civil society for many years now. And while in many cases, the “advanced” appellation is debatable, “persistent” is not. Since 2015, EFF has tracked the cyber-mercenaries known as Dark Caracal, a threat actor who has carried out digital...

the standard apple logo in silver, with a cartoonish green worm poking through it on each side

macOS 操作系統泄漏软件使用信息,苹果公司面临重要抉择

翻译:开放文化基金会 Open Culture Foundation上周,苹果公司 macOS 操作系統的用户注意到,当连上互联网要开启非苹果的应用程序时,会有长时间的延迟,甚至导致无法开启。会造成这样的状况,是因为 macOS 的安保服务试图连上苹果 OCSP(Online Certificate Status Protocol ; 在线证书状态协议) 的服务器时,因内部错误造成无法连接。在安全研究人员深入了解向 OCSP 送出的请求内容后,他们发现这些请求包含了一段散列值(hash),来自正在运作之应用程序的开发者证书,这个散列值是苹果公司用来做安全检查用的[1] 。开发者证书包含对应用程序(例如 Adob​​e 或 Tor)进行编码的个人,公司或组织描述,以至于哪些开发者制作的应用程序正在被开启使用,也同时泄露给苹果公司。 进一步来说,向 OCSP 送出的请求并不是加密的,这表示任何监听器也可能知道macOS 用户正在打开哪个应用程序以及何时打开[2],至于得以通过这种方式取得攻击能力的对象包括:任何上游服务器供应商、Akamai、托管苹果公司 OCSP 服务的ISP ; 而攻击者也可能是跟你使用同一互联网的黑客,这样说好了,例如你常去的那间咖啡厅,有攻击者跟你同时间连接到该咖啡厅 Wifi。如果想知道更多细节的说明,请看这篇文章。伴随这个隐私外泄事件而来的另一个考量是,我们无法从用戶空间应用程序(如LittleSnitch)检测或阻止此流量,就算关闭 macOS 上这个重要的安保服务会带来风险,我们也鼓励苹果公司允许拥有系统管理员(power users)权限的人,得以自行选择信任的应用程序来控制他们的网络流量从哪边寄出。苹果公司很快发布了一个新的加密版协议来确认开发者证书,在这个加密版中,他们将允许用戶自行选择是否退出安全检查,不过这些修正在明年某个时间才会真正推出。然而,开发一个新的协议并在软件内安装执行完毕并不是一夜之间可以完成的事,因此要求苹果公司马上做改变修正也是不公平。那为什么苹果公司不能简单的先将 OCSP 这个功能关掉呢?要回答这个问题,我们要先来探讨 OCSP 的开发者证书检查的实质作用是什么,它主要是要防止有害或恶意软件在 macOS 机器上运行,如果苹果侦测到有一位开发者夹带恶意软件(使用窃取来的签名金钥或恶意使用自身金钥),他们可以撤销那位开发者的证书,当 macOS 下次要开启这个应用程序时,苹果的 OCSP 服务器将会回覆该请求(透过...

Pages

Back to top

JavaScript license information