Why You Should Install Perspectives For Firefox Right Now
Maybe you have already read the news that it is possible to subvert SSL which encrypts the connection to sites supporting it.
Financial sites like PayPal and Bank of America, shopping sites like eBay or Amazon and government sites use SSL which is indicated in the web browser by displaying https in the browser's address bar instead of http.
There are other indicators including a closed padlock that, when clicked on, displays additional information about the website including the issued certificate.
This in theory confirms to the user that the connection between the user's computer and the website is secure (by using encryption and certificates). Recent findings however have shown that it is possible to intercept those communications without breaking encryption by "using forged security certificates".
To use [it], a law enforcement or intelligence agency would have to install it inside an ISP, and persuade one of the Certificate Authorities — using money, blackmail or legal process — to issue a fake certificate for the targeted website. Then they could capture your username and password, and be able to see whatever transactions you make online.
To make matters worse, security researchers have shown last year how easy it is to trick a Certificate Authority into issuing a certificate.
Perspectives
Perspectives is a Firefox add-on that validates secure connections the browser makes, and informs you of any issues encountered. Also, it does the following:
- If you connect to a website with an untrusted (e.g.,self-signed certificate)*, Firefox will give you a very nasty security error and force you to manually install an exception. Perspectives can detect whether a self-signed certificate is valid, and automatically overrides the annoying security error page if it is safe to do so.
- It is possible that an attacker may trick one of the many Certificate Authorities trusted by Firefox into incorrectly issuing a certificate for a trusted website. Perspectives can also detect this attack and will warn you if things look suspicious.
Even if Perspective’s primary and most advertised aim is enabling SSH-style certificate “validation†for self-signed certificates (those not issued by an established certification authority), it can be configured to add a second validation layer for CA-signed certificates too, by checking their consistency from multiple internet nodes (called “Notariesâ€) and/or over time:
Perspectives can be downloaded from the Mozilla Add-ons repository.
Update: You need to move the Perspectives icon to one of Firefox's toolbars using the browser's customize screen.
When you click on it you find several options including checking all notary results or forcing a notary check. In addition, it is possible to report an attack, add a site to the whitelist or open the certificate store from the context menu.
Verdict
Perspectives adds options to the Firefox web browser to verify the authenticity of certificates of sites supporting https. It checks the validity automatically and warns you if things don't add up. Additionally, it provides you with tools to run manual checks as well, and bypass self-signed certificates error messages for trusted sites.
@Common Sense
I wouldn’t delete the Certs but edit the trust settings. Deleting them will cause more problems than changing them from always allow to notify.
“Persuasion” is not the weak link, there are standards in place to prevent this, a vetting process if you will, however CA’s are saving money by issuing to third party resellers and cutting corners. Comodo’s actions were blatant and illegal yet they’ve not been punished, this encourages others to do the same. Mozilla had a chance to nip this in the butt by revoking their “trust” status, sending a message to all others, but for fear of losing a cash cow and ending up in court they didn’t. So, here we are awaiting the flood. As far as Comodo and Mozilla goes they are just examples but early examples not from some obscure vendors but the big boys. Also, look at the amount of Certs automatically trusted by Mozilla and Chromium vs IE. This all proves the practice of profit for issuing trust status to a CA is a failure (for security on the internet that is). This problem is serious yet fixable but a band-aid isn’t the solution.
As for your link, this is not “tricking” but “forcing” and is a much spookier topic.
I applaud Martin for the post, and feel this issue is front page headline news worthy.
@ Turkey: Don’t we also have an option to go to the certificate and delete it?:)…Yeah, I know that most of the average joes don’t even know about it. The same can be done in any browser, not just Firefox.
if you don’t “trust” the certificate, just delete it!
And anyone can create a certificate and “trick” you! You’ve blamed Mozilla and Comodo. What about the others?
Read this article from Ars Technica:
http://arstechnica.com/security/news/2010/03/govts-certificate-authorities-conspire-to-spy-on-ssl-users.ars
The weak link here is that if a CA could be persuaded to issue a certificate to, say, Amazon to someone who wasn’t actually from Amazon, then all the protections fall apart. Anyone connecting to the person with that certificate would think that they were connecting to the real Amazon. Moreover, if the person could intercept traffic between would-be customers and the real Amazon, they could do the decryption/re-encryption trick to listen in on any traffic sent to and from the company.
Ah we live in such a nice world!
Thanks Martin and thanks Common Sense!
In the description to the Certificate Patrol add-on you mentioned it actually says the following:
“6. In case of doubt install the Perspectives add-on to make further
checks on the credibility of a certificate.”
So, looks like Certificate Patrol is the first step and Perspective for the extra careful ones or if you are suspicious that something is fishy.
@Common Sense next time I suggest a search engine.
Comodo Certs
http://www.dslreports.com/forum/r21634814-REMOVE-Comodo-Certificates-from-FireFox-Opera
CNNIC Certs
http://yro.slashdot.org/story/10/02/02/202238/Mozilla-Accepts-Chinese-CNNIC-Root-CA-Certificate
Hi! Thanks for the info. My question: Is this addon also quite similar to Certificate Patrol, another firefox addon:
https://addons.mozilla.org/en-US/firefox/addon/6415
@ Turkey: What are you talking about? Please be much more clearer and let us not forget that if you depend completely on one browser (does not matter which one it is!), you’re inviting trouble:)
This brings back memories of the whole Comodo CA and Firefox issue last year. The solution is simple, any company selling bogus certs should be out of business and any company (Mozilla) to greedy to remove said supplier from it’s authorized list should be too. You’re better off doing your bank stuff through Internet Explorer or a browser who’s profits aren’t made from CA’s.
Very interesting. Thanks…