Perspectives: Extension to change how Firefox handles SSL Certificates
There has been plenty of debate lately about how Firefox handles self-signed SSL Certificates. Instead of just whining about it, some researchers at Carnegie Mellon have released a white-paper titled "Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing".
As part of this research they have released a Firefox extension that changes how Firefox handles SSL Certificates. This is what they have to say about it on their website:
We have developed an extension to the popular Firefox browser that contacts network notaries whenever your browser connects an HTTPS website.
For an overview of how Perspectives works, see our main page .
The extension provides two primary benefits:
- If you connect to a website with an untrusted (e.g.,self-signed certificate)*, Firefox will give you a very nasty security error and force you to manually install an exception. Perspectives can detect whether a self-signed certificate is valid, and automatically overrides the annoying security error page if it is safe to do so.
- It is possible that an attacker may trick one of the many Certificate Authorities trusted by Firefox into incorrectly issuing a certificate for a trusted website. Perspectives can also detect this attack and will warn you if things look suspicious.
* The same is true for HTTPS sites with certificates that contain mismatched domain names (e.g., www.gmail.com uses a certificate for mail.google.com) or certificates that are expired.
They also explain their method of authenticating called "Trust on First Use":
“The popularity of “Trust-on-first-use” (TOFU) authentication, used by SSH and HTTPS with self-signed certificates, demonstrates significant demand for host authentication that is low-cost and simple to deploy. While TOFU-based applications are a clear improvement over completely insecure protocols, they can leave users vulnerable to even simple network attacks.
Our system, Perspectives, thwarts many of these attacks by using a collection of “notary” hosts that observes a server’s public key via multiple network vantage points (detecting localized attacks) and keeps a record of the server’s key over time (recognizing short-lived attacks). Clients can download these records on-demand and compare them against an unauthenticated key, detecting many common attacks.
Perspectives explores a promising part of the host authentication design space: Trust-on-first-use applications gain significant attack robustness without sacrificing their ease-of-use. We also analyze the security provided by Perspectives and describe our experience building and deploying a publicly available implementation.”
How Perspectives works
Perspectives consists of three distinct components: the notary authority, notary servers, and notary clients. In order to understand the process, let’s take a look at each individual component:
The notary authority is the overall controller that determines which notary servers are authorized to service notary clients. The notary authority creates a daily listing of authorized notary servers and their public keys. This listing is signed using the notary authority’s private key and pushed out to all of the notary servers that it’s responsible for.
The notary server consists of two components – a probing module and a database storage module:
- The probing module constantly monitors the Internet; looking for services that use certificates. If one is found the probing module pretends to be a client wanting to set up a secure link. The probing module takes the connection setup only to the point of where it receives the service’s public key. At that point, the probing module drops the connection, since it has the information it needs.
- The database storage module is a repository containing signed (notary server’s private key) entries for each service that the probing module is monitoring. Each entry consists of certificate information, the type of protocol used, and ways to contact the service. After time, the entry builds a history of observed parameters.
The notary client is a Web browser add-on that contacts the notary server for one of two reasons. The certificate for the contacted Web site isn’t in the Web browser’s database or it doesn’t match an existing certificate.
The following diagram (courtesy of the Carnegie Mellon researchers) depicts the interaction between the notary client and the notary server as well as the interaction between the probing module and network services such as Web sites that use SSL.
Though this method has some advantages over the current method, it suffers from some of the same problems and also has several drawbacks. The authors admitted weakness about one issue:
So in sum, the issue of legitimate key change is a tough one for perspectives. I think we can handle it pretty well, but in the end if you're the kind of site that needs extremely high uptimes, you're likely better off using a root-signed cert.
I see the main value of perspectives as allowing any site to use HTTPS with out the server owner paying the cost (in dollars and management complexity) of participating in a PKI. I still think that major websites will (and should) continue using root-signed certs, with perspectives then acting as a second layer of security to prevent
Originally posted on Mon Sep 1, 2008