This in theory ensures that the connection between the user’s computer and the website is secure (by using encryption and certificates). Recent findings however have shown that it is possible to intercept those communications without breaking encryption by “using forged security certificates”.

To use [it], a law enforcement or intelligence agency would have to install it inside an ISP, and persuade one of the Certificate Authorities — using money, blackmail or legal process — to issue a fake certificate for the targeted website. Then they could capture your username and password, and be able to see whatever transactions you make online.

To make matters worse security researchers have shown last year how easy it is to trick a Certificate Authority into issuing a certificate.

Perspectives now is a Firefox add-on that can do things:

• If you connect to a website with an untrusted (e.g.,self-signed certificate)*, Firefox will give you a very nasty security error and force you to manually install an exception. Perspectives can detect whether a self-signed certificate is valid, and automatically overrides the annoying security error page if it is safe to do so.
• It is possible that an attacker may trick one of the many Certificate Authorities trusted by Firefox into incorrectly issuing a certificate for a trusted website. Perspectives can also detect this attack and will warn you if things look suspicious.

Even if Perspective’s primary and most advertised aim is enabling SSH-style certificate “validation” for self-signed certificates (those not issued by an established certification authority), it can be configured to act a second validation layer for CA-signed certificates too, by checking their consistency from multiple internet nodes (called “Notaries”) and/or over time:

Perspectives can be downloaded from the School of Computer Science. It is compatible with Firefox 3.x.

This practically eliminates the danger of man-in-the-middle attacks because the attacker does not have a way to manipulate the traffic of the independent servers who get the important information as well.

Best of all, they have created a Firefox extension that protects the user’s system after installation. The Firefox extension provides two benefits over not using it. The first is something that users might have experienced already. If a user connects to a website with an untrusted certificate he has to manually allow the connection to the website by using exceptions.

Perspective can detect the validity of the certificate and automatically override the manual exception if it is a valid certificate. Perspective warns the user if an attacker has managed to trick a Certificate Authority into incorrectly issuing a certificate.

A valid site displays a green icon next to the Perspective name in the Firefox statusbar. I did not come up with any fake sites yet but I suppose they show up as a red cross.

The default setting of Perspectives is that it only reacts when a certificate comes up with a Firefox security error. This can be changed in the options to provide information for all https connections.