“HTTPS Now” Campaign Unfortunately Does Not Fix the Problem

EFF activist Eva Galperin is quoted in a ReadWriteWeb article introducing their new campaign:

“HTTPS provides the minimum level of security for websites. Without it, no site can make any meaningful security or privacy guarantees to its users.”

Well, wouldn’t that be nice! Particularly if HTTPS actually were providing that security.

For a counter-point, read the (highly detailed) technical analysis on the blog of the Tor project of the recently found fake HTTPS certificates. I cannot independently assert the validity of the points being made in that post, but highly doubt that they are false. The essence:

… this is where even a single attack really causes the entire CA trust model to fall apart.

“HTTPS Now” can clearly keep the low-level crooks out. However, it does nothing other than create a false sense of security that makes life easier for more professional crooks because “HTTPS Now” has supposedly made us “secure”.

Dear EFF, we need a step two: fix HTTPS!