Deeplinks Blog

Action for Egyptian Human Rights Defenders

The undersigned organizations strongly condemn the Egyptian government's persecution of the staff of the Egyptian Initiative for Personal Rights (EIPR) and of civil society organizations. We urge the international community and its governments to do the same and to join us in calling for the release of the detained human rights defenders and an end to the smearing of civil society organizations and human rights...

Podcast Episode: From Your Face to Their Database

Episode 005 of EFF’s How to Fix the Internet. Abi Hassen joins EFF hosts Cindy Cohn and Danny O’Brien as they discuss the rise of facial recognition technology, how this increasingly powerful identification tool is ending up in the hands of law enforcement, and what that means for the future of...

Double the Impact of Every Donation

Power Up Your Donation Week has begun! EFF is calling on tech users everywhere to give today and instantly double their impact on Internet freedom while the world needs it most. Power Up: donate today and get an automatic 2x match! For one week starting on #GivingTuesday, anyone who donates to EFF...

EFF Condemns Egypt's Latest Crackdown

We are quickly approaching the tenth anniversary of the Egyptian revolution, a powerfully hopeful time in history when—despite all odds—Egyptians rose up against an entrenched dictatorship and shook it from power, with the assistance of new technologies. Though the role of social media has been hotly debated and often overplayed,...

Victory! Court Protects Anonymity of Security Researchers Who Reported Apparent Communications Between Russian Bank and Trump Organization

Security researchers who reported observing Internet communications between the Russian financial firm Alfa Bank and the Trump Organization in 2016 can remain anonymous, an Indiana trial court ruled last week. The ruling protects the First Amendment anonymous speech rights of the researchers, whose analysis prompted significant media attention and...

ICANN Can Stand Against Censorship (And Avoid Another .ORG Debacle) by Keeping Content Regulation and Other Dangerous Policies Out of Its Registry Contracts

The Internet’s domain name system is not the place to police speech. ICANN, the organization that regulates that system, is legally bound not to act as the Internet’s speech police, but its legal commitments are riddled with exceptions, and aspiring censors have already used those exceptions in harmful ways. This...

Introducing Cover Your Tracks!

Today, we’re pleased to announce Cover Your Tracks, the newest edition and rebranding of our historic browser fingerprinting and tracker awareness tool Panopticlick. Cover Your Tracks picks up where Panopticlick left off. Panopticlick was about letting users know that browser fingerprinting was possible; Cover Your Tracks is about giving...

macOS Leaks Which Software You Use, and Apple Faces an Important Choice

Translation: Open Culture Foundation. Last week, users of Apple's macOS operating system noticed that, when connected to the Internet and launching a non-Apple application, there was a long delay, or the application failed to open at all. This happened because the macOS security service was trying to reach Apple's OCSP (Online Certificate Status Protocol) server and could not connect because of an internal error. When security researchers looked into the contents of the requests sent to OCSP, they found that each request contains a hash of the developer certificate of the application being launched, which Apple uses for a security check [1]. A developer certificate contains a description of the individual, company, or organization that signed the application (for example Adobe or Tor), so which developers' applications are being opened is also disclosed to Apple. Furthermore, the requests sent to OCSP are not encrypted, which means any eavesdropper can also learn which application a macOS user is opening and when [2]. The parties in a position to gain this capability include any upstream server provider, Akamai, and the ISP hosting Apple's OCSP service; the attacker could also be someone on the same network as you, say an attacker connected to the Wi-Fi of the coffee shop you frequent at the same time you are. For a more detailed explanation, see this article. Another concern accompanying this privacy leak is that this traffic cannot be detected or blocked from userspace applications (such as Little Snitch). Even though disabling this important security service on macOS carries risk, we encourage Apple to let power users (those with system administrator privileges) choose for themselves which applications they trust to control where their network traffic goes. Apple quickly announced a new encrypted version of the protocol for verifying developer certificates, in which users will be allowed to opt out of the security check, but these fixes will not actually roll out until sometime next year. However, designing a new protocol and deploying it in shipped software is not something that can be done overnight, so it would be unfair to demand that Apple change it immediately. Then why can't Apple simply turn OCSP off for now? To answer that, we first need to look at what the OCSP developer certificate check actually does. Its main purpose is to prevent harmful or malicious software from running on macOS machines: if Apple detects that a developer has shipped malware (using a stolen signing key or abusing their own key), they can revoke that developer's certificate, and the next time macOS tries to open that application, Apple's OCSP server will answer the request (via...