Bruce Schneier

2 results arranged by date

Blog   |   CPJ, Ethiopia, Internet, Russia, Security, Thailand, Turkey, USA

No press freedom without Internet freedom

Four years ago, when CPJ launched its Internet Advocacy program, we were met with lots of encouragement, but also some skepticism.

"Why do you need a program to defend the Internet?" one supporter asked. "You don't have a special program to defend television, or radio, or newspapers."

But the Internet is different. Increasingly, when it comes to global news and information, the Internet is not a platform. It is the platform.

Blog   |   Internet

More on certificate authority proliferation

Cryptographer Bruce Schneier linked to my Slate piece on rogue certificate authorities (CAs), which could allow governments like the UAE to monitor even the supposedly secure communications of journalists and others.

The smart comments include a link to this fascinating discussion at Mozilla that shows the procedures that browser-makers use when deciding which certificates to include in their root store (the list of certificates that the browser will assume are trustable). It looks like the root certificates are supposed to comply with a policy that subordinate CAs must only be used for internal purposes, but there's no way to enforce that.

One solution is to restrict subordinate CAs to a selected set of domain names. That would mean that Etisalat or the Department of Homeland Security or Ford Motors could only use the power of their CA for their own use (and not maliciously to pretend to be Gmail or your bank), but it might be difficult to impose that retrospectively on the unknown number of universal CAs that are now out there.
