Podcast Episode: Open Source Beats Authoritarianism

Deeplinks Blog

EFF Award Winner: Alexandra Asanovna Elbakyan

In 1992 EFF presented our very first awards recognizing key leaders and organizations advancing innovation and championing digital rights. Now in 2023 we are continuing to celebrate the accomplishments of people working toward a better future for technology users with the EFF Awards!

Digital Rights Updates with EFFector 35.11

Summer break is over, so it's time to catch up on the latest news in digital freedoms! There's no better way to learn about what's happening with digital privacy and free expression than with EFF's EFFector newsletter. This latest issue goes over the terrible Protecting Kids on Social Media Act,...

Podcast Episode Rerelease: Securing the Vote

This episode was first published on May 24, 2022. U.S. democracy is at an inflection point, and how we administer and verify our elections is more important than ever. From hanging chads to glitchy touchscreens to partisan disinformation, too many Americans worry that their votes won’t count and that election results...

ISPs Should Not Police Online Speech—No Matter How Awful It Is.

Entrusting our speech to multiple different corporate actors is always risky. Yet given how most of the internet is currently structured, our online expression largely depends on a set of private companies ranging from our direct Internet service providers and platforms, to upstream ISPs (sometimes called Tier 2 and 3),...

China Spying

Vulnerability in Tencent's Sogou Chinese Keyboard Leaks Typed Text in Real Time

Security researchers at Citizen Lab have found multiple encryption vulnerabilities in the keyboard software of Sogou Input Method, owned by Tencent and currently the most widely used input method in China. An adversary with a privileged network position (such as an Internet service provider, or anyone with access to upstream routers) can use these vulnerabilities to read the text a user types on their device, in real time, as it is being typed. Sogou keyboard users are strongly advised to upgrade to the patched version for their operating system that fixes this vulnerability:

Windows >= version 13.7
Android >= version 11.26
Android >= version 11.25

The report shows that, compared with the iOS version, the Windows and Android versions are susceptible to eavesdropping. Notably, Sogou Input Method has roughly 450 million monthly active users worldwide. Its user base is not limited to China; it also has many users in the United States, Japan and Taiwan. Whether this vulnerability has already been discovered or exploited by others is currently unclear. However, given the level of network access inside China and the broad powers held by state agencies, the private communications of keyboard users (especially those inside China) may already have been exposed to the Chinese government.

Homebrew Encryption Strikes Again

The researchers found that the vulnerability stems from the use of custom encryption that is susceptible to a padding oracle attack. Implementing cryptographic algorithms is extremely fragile work that demands exceptional rigor. Even when it is done relatively well, side-channel attacks can undermine the basic guarantees these algorithms are supposed to provide. The best practice is not to write your own implementation, but to use the thoroughly vetted cryptographic libraries the system provides, which avoids these attacks and ensures up-to-date protection against known weaknesses. The weakness in this particular implementation had already been fixed in TLS implementations as of 2003.

We commend the security researchers Jeffrey Knockel, Zoë Reichert and Mona Wang (formerly of EFF) for their rigorous cryptanalysis and reverse-engineering work. By exposing these vulnerabilities, public-interest analysts act as a barrier against authorities secretly stockpiling flaws and using them as spy tools to violate everyone's privacy. Only through responsible disclosure and publication of such flaws can they be fixed, and only then can the public make informed decisions about which software to use going forward.
