EFF in the News
An audit of the public keys used to protect HTTPS connections, based on digital certificate data from the Electronic Frontier Foundation's SSL Observatory project, found that tens of thousands of cryptography keys offer "effectively no security" due to weak random-number generation algorithms.
Katitza Rodriguez is the International Director of Human Rights at the Electronic Frontier Foundation, an organization dedicated to defending freedom of expression and privacy in the digital world. She is Peruvian and lives in San Francisco.
"This comes as an unwelcome warning that underscores the difficulty of key generation in the real world," researcher James P. Hughes told the New York Times, which along with the Electronic Frontier Foundation was the first to report the discovery.
The researchers did not speculate on the cause of the lack of randomness. At the moment, there is little the average person can do about the problem.
Using data from the Electronic Frontier Foundation's (EFF) SSL Observatory project, researchers led by Arjen Lenstra at the Ecole Polytechnique Federale de Lausanne (EPFL) found that while "the vast majority of public keys work as intended," about 2 out of every 1,000 RSA moduli (RSA being an algorithm for public-key cryptography) "offer no security."
The Electronic Frontier Foundation’s SSL Observatory has found that thousands of SSL certificates used to authenticate HTTPS sites are effectively useless, owing to weak algorithms used to generate the random numbers that are needed for encryption.
"This is an extremely serious cryptographic vulnerability caused by the use of insufficiently good random numbers when generating private keys" for HTTPS, SSL and TLS servers, said Peter Eckersley, senior technologist at the Electronic Frontier Foundation. The EFF contributed data for the research.
Join Rebecca MacKinnon and Jillian York, two internet theorists at the forefront of this debate, for a discussion of the complex power dynamics among governments, corporations and citizens in cyberspace.
The Electronic Frontier Foundation's SSL Observatory is a research project that gathers and analyzes the cryptographic certificates used to secure Internet connections, systematically cataloging them and exposing their database for other scientists, researchers and cryptographers to consult.
According to the Electronic Frontier Foundation, ACTA would not only allow foreign e-commerce sites to easily shut down their competitors in the U.S., it would also grant the government the ability to track and record your Internet activity through a mechanism called the Universal Internet ID.
To perform their study, the researchers used several databases of public keys, including one at the Massachusetts Institute of Technology and another created by the Electronic Frontier Foundation, an Internet privacy rights group. The foundation's database results from a project, known as the SSL Observatory, originally intended to investigate the security of the digital certificates that are used to protect encrypted data transmitted between Internet users and Web sites.