EFF TURNS 30 THIS YEAR! LEARN MORE ABOUT US, AND HOW YOU CAN HELP.

Deeplinks Blog

shackled hands on keyboard, with Egypt flag

EFF Condemns Egypt's Latest Crackdown

We are quickly approaching the tenth anniversary of the Egyptian revolution, a powerfully hopeful time in history when—despite all odds—Egyptians rose up against an entrenched dictatorship and shook it from power, with the assistance of new technologies. Though the role of social media has been hotly debated and often overplayed,...

Victory! Court Protects Anonymity of Security Researchers Who Reported Apparent Communications Between Russian Bank and Trump Organization

Security researchers who reported observing Internet communications between the Russian financial firm Alfa Bank and the Trump Organization in 2016 can remain anonymous, an Indiana trial court ruled last week. The ruling protects the First Amendment anonymous speech rights of the researchers, whose analysis prompted significant media attention and...

Free Speech banner, a colorful graphic representation of a megaphone

ICANN Can Stand Against Censorship (And Avoid Another .ORG Debacle) by Keeping Content Regulation and Other Dangerous Policies Out of Its Registry Contracts

The Internet’s domain name system is not the place to police speech. ICANN, the organization that regulates that system, is legally bound not to act as the Internet’s speech police, but its legal commitments are riddled with exceptions, and aspiring censors have already used those exceptions in harmful ways. This...

Cover Your Tracks

Introducing Cover Your Tracks!

Today, we’re pleased to announce Cover Your Tracks, the newest edition and rebranding of our historic browser fingerprinting and tracker awareness tool Panopticlick. Cover Your Tracks picks up where Panopticlick left off. Panopticlick was about letting users know that browser fingerprinting was possible; Cover Your Tracks is about giving...

the standard apple logo in silver, with a cartoonish green worm poking through it on each side

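macOS Leaks Software Usage Information, and Apple Faces an Important Choice

Translation: Open Culture Foundation. Last week, users of Apple's macOS operating system noticed that when they were connected to the internet and tried to open non-Apple applications, there were long delays, and in some cases the applications could not be opened at all. This happened because a macOS security service was trying to reach Apple's OCSP (Online Certificate Status Protocol) server, which could not be reached because of an internal error. When security researchers looked more closely at the contents of the requests sent to OCSP, they found that these requests contained a hash of the developer certificate of the application being run, which Apple uses for security checks [1]. The developer certificate contains a description of the individual, company, or organization that coded the application (for example, Adobe or Tor), so which developers' applications are being opened is also leaked to Apple. Furthermore, the requests sent to OCSP are not encrypted, which means that any eavesdropper could also learn which application a macOS user is opening and when [2]. Those who gain attack capability this way include any upstream service provider, Akamai, the ISP hosting Apple's OCSP service; the attacker could also be a hacker on the same network as you, for example someone connected to the Wi-Fi of the coffee shop you frequent at the same time as you. For a more detailed explanation, see this article. Another concern that comes with this privacy leak is that this traffic cannot be detected or blocked from user-space applications (such as LittleSnitch). Even though turning off this important security service on macOS carries risk, we encourage Apple to allow power users to choose trusted applications of their own to control where their network traffic is sent. Apple quickly announced a new encrypted protocol for checking developer certificates, in which it will allow users to choose whether to opt out of the security checks, but these fixes will not actually arrive until sometime next year. Developing a new protocol and implementing it in software cannot be done overnight, however, so it would be unfair to demand that Apple make the change immediately. So why can't Apple simply turn off the OCSP function for now? To answer this question, we first need to look at what the OCSP developer certificate check actually does. Its main purpose is to prevent harmful or malicious software from running on macOS machines. If Apple detects that a developer has shipped malware (using a stolen signing key or maliciously using their own key), it can revoke that developer's certificate. The next time macOS is about to open that application, Apple's OCSP server will respond to the request (through...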

A voter seen through a veil of computer code

Elections Are Partisan Affairs. Election Security Isn't.

An Open Letter on Election Security. Voting is the cornerstone of our democracy. And since computers are deeply involved in all segments of voting at this point, computer security is vital to the protection of this fundamental right. Everyone needs to be able to trust that the critical infrastructure systems we...
