Why You Should Install Perspectives For Firefox Right Now - gHacks Tech News

Why You Should Install Perspectives For Firefox Right Now

Maybe you have already read the news that it is possible to subvert SSL which encrypts the connection to sites supporting it.

Financial sites like PayPal and Bank of America, shopping sites like eBay or Amazon and government sites use SSL which is indicated in the web browser by displaying https in the browser's address bar instead of http.

There are other indicators including a closed padlock that, when clicked on, displays additional information about the website including the issued certificate.

This in theory confirms to the user that the connection between the user's computer and the website is secure (by using encryption and certificates). Recent findings however have shown that it is possible to intercept those communications without breaking encryption by "using forged security certificates".

To use [it], a law enforcement or intelligence agency would have to install it inside an ISP, and persuade one of the Certificate Authorities — using money, blackmail or legal process — to issue a fake certificate for the targeted website. Then they could capture your username and password, and be able to see whatever transactions you make online.

To make matters worse, security researchers have shown last year how easy it is to trick a Certificate Authority into issuing a certificate.

Perspectives

perspectives firefox

Perspectives is a Firefox add-on that validates secure connections the browser makes, and informs you of any issues encountered. Also, it does the following:

  • If you connect to a website with an untrusted (e.g.,self-signed certificate)*, Firefox will give you a very nasty security error and force you to manually install an exception. Perspectives can detect whether a self-signed certificate is valid, and automatically overrides the annoying security error page if it is safe to do so.
  • It is possible that an attacker may trick one of the many Certificate Authorities trusted by Firefox into incorrectly issuing a certificate for a trusted website. Perspectives can also detect this attack and will warn you if things look suspicious.

Even if Perspective’s primary and most advertised aim is enabling SSH-style certificate “validation” for self-signed certificates (those not issued by an established certification authority), it can be configured to add a second validation layer for CA-signed certificates too, by checking their consistency from multiple internet nodes (called “Notaries”) and/or over time:

Perspectives can be downloaded from the Mozilla Add-ons repository.

Update: You need to move the Perspectives icon to one of Firefox's toolbars using the browser's customize screen.

When you click on it you find several options including checking all notary results or forcing a notary check. In addition, it is possible to report an attack, add a site to the whitelist or open the certificate store from the context menu.

Verdict

Perspectives adds options to the Firefox web browser to verify the authenticity of certificates of sites supporting https. It checks the validity automatically and warns you if things don't add up. Additionally, it provides you with tools to run manual checks as well, and bypass self-signed certificates error messages for trusted sites.

Summary
software image
Author Rating
1star1star1star1star1star
no rating based on 0 votes
Software Name
Perspectives
Software Category
Browser
Landing Page

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. Jojo said on March 30, 2010 at 10:56 am
    Reply

    Very interesting. Thanks…

  2. Turkey said on March 30, 2010 at 6:46 pm
    Reply

    This brings back memories of the whole Comodo CA and Firefox issue last year. The solution is simple, any company selling bogus certs should be out of business and any company (Mozilla) to greedy to remove said supplier from it’s authorized list should be too. You’re better off doing your bank stuff through Internet Explorer or a browser who’s profits aren’t made from CA’s.

  3. Common Sense said on March 30, 2010 at 9:48 pm
    Reply

    Hi! Thanks for the info. My question: Is this addon also quite similar to Certificate Patrol, another firefox addon:

    https://addons.mozilla.org/en-US/firefox/addon/6415

    @ Turkey: What are you talking about? Please be much more clearer and let us not forget that if you depend completely on one browser (does not matter which one it is!), you’re inviting trouble:)

  4. Crodol said on March 31, 2010 at 4:48 am
    Reply

    Thanks Martin and thanks Common Sense!

    In the description to the Certificate Patrol add-on you mentioned it actually says the following:
    “6. In case of doubt install the Perspectives add-on to make further
    checks on the credibility of a certificate.”

    So, looks like Certificate Patrol is the first step and Perspective for the extra careful ones or if you are suspicious that something is fishy.

  5. Common Sense said on March 31, 2010 at 7:47 am
    Reply

    @ Turkey: Don’t we also have an option to go to the certificate and delete it?:)…Yeah, I know that most of the average joes don’t even know about it. The same can be done in any browser, not just Firefox.

    if you don’t “trust” the certificate, just delete it!

    And anyone can create a certificate and “trick” you! You’ve blamed Mozilla and Comodo. What about the others?

    Read this article from Ars Technica:

    http://arstechnica.com/security/news/2010/03/govts-certificate-authorities-conspire-to-spy-on-ssl-users.ars

    The weak link here is that if a CA could be persuaded to issue a certificate to, say, Amazon to someone who wasn’t actually from Amazon, then all the protections fall apart. Anyone connecting to the person with that certificate would think that they were connecting to the real Amazon. Moreover, if the person could intercept traffic between would-be customers and the real Amazon, they could do the decryption/re-encryption trick to listen in on any traffic sent to and from the company.

    Ah we live in such a nice world!

  6. Turkey said on March 31, 2010 at 9:35 pm
    Reply

    @Common Sense
    I wouldn’t delete the Certs but edit the trust settings. Deleting them will cause more problems than changing them from always allow to notify.

    “Persuasion” is not the weak link, there are standards in place to prevent this, a vetting process if you will, however CA’s are saving money by issuing to third party resellers and cutting corners. Comodo’s actions were blatant and illegal yet they’ve not been punished, this encourages others to do the same. Mozilla had a chance to nip this in the butt by revoking their “trust” status, sending a message to all others, but for fear of losing a cash cow and ending up in court they didn’t. So, here we are awaiting the flood. As far as Comodo and Mozilla goes they are just examples but early examples not from some obscure vendors but the big boys. Also, look at the amount of Certs automatically trusted by Mozilla and Chromium vs IE. This all proves the practice of profit for issuing trust status to a CA is a failure (for security on the internet that is). This problem is serious yet fixable but a band-aid isn’t the solution.

    As for your link, this is not “tricking” but “forcing” and is a much spookier topic.

    I applaud Martin for the post, and feel this issue is front page headline news worthy.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.