Sat 22 Nov 2008


Edited by Paul Hales

Published by Incisive Media Investments Ltd.


Firefox gets better site ID

New ideas

BOFFINS FROM Carnegie Mellon University have built an add-on for Firefox which is designed to test if a site is authentic.

While most browsers already alert users when a site appears bogus, most users do not know what to do when they get a warning about a bad certificate.

Despite the warning, some click on the site going on to malicious areas that steal their personal information. Others panic and skip over harmless sites that used cheap, "self-signed" certificates.

Boffins David Andersen, Adrian Perrig and Dan Wendlandt have penned a program that taps into a network of publicly accessible servers which have been programmed to probe Web sites and record changes in the encryption keys they use to secure data.

Any discrepancy can be a sign that hackers are rerouting traffic through machines under their control.

The new program either overrides the security warning if a site is deemed legitimate, or throws up another warning if the subsequent probes reveal more red flags. µ
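The decision rule described above, in which a browser compares the key it was just offered with what independent notary servers have recorded over time, is worth seeing worked through. The following is an added toy model written for this page; it is not the Carnegie Mellon add-on's own code. The notary histories, the "day index" timestamps, the quorum fraction (75%) and the minimum agreement duration (30 days) are all constructed assumptions, and the keys are placeholder byte strings rather than real certificates.

```python
"""Toy model of a network-notary key check (added example, not the CMU code)."""
from dataclasses import dataclass
from hashlib import sha256
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Observation:
    """One notary's record of a key it saw for a service, as a span of days."""
    fingerprint: str
    first_seen: int  # day index of the first probe that returned this key
    last_seen: int   # day index of the most recent probe that returned it


def fingerprint(public_key_bytes: bytes) -> str:
    """Notaries compare a hash of the key, not the key itself."""
    return sha256(public_key_bytes).hexdigest()[:16]


# Constructed placeholder keys; any byte string would do for the model.
KEY_A = b"example public key A (constructed, not a real key)"
KEY_B = b"example public key B (constructed, not a real key)"
FP_A, FP_B = fingerprint(KEY_A), fingerprint(KEY_B)

TODAY = 400  # assumed "current day" index

# Four hypothetical notaries that have all seen key A for over a year.
STABLE_HISTORY: Dict[str, List[Observation]] = {
    "notary-1": [Observation(FP_A, 10, TODAY)],
    "notary-2": [Observation(FP_A, 12, TODAY)],
    "notary-3": [Observation(FP_A, 11, TODAY)],
    "notary-4": [Observation(FP_A, 15, TODAY)],
}

# Same notaries after the site legitimately rotated to key B four days ago.
ROTATED_HISTORY: Dict[str, List[Observation]] = {
    name: [Observation(FP_A, obs[0].first_seen, TODAY - 5),
           Observation(FP_B, TODAY - 4, TODAY)]
    for name, obs in STABLE_HISTORY.items()
}

# Half the notaries see key B, half still see key A: the view is split.
SPLIT_HISTORY: Dict[str, List[Observation]] = {
    "notary-1": [Observation(FP_B, 10, TODAY)],
    "notary-2": [Observation(FP_B, 12, TODAY)],
    "notary-3": [Observation(FP_A, 11, TODAY)],
    "notary-4": [Observation(FP_A, 15, TODAY)],
}


def check_key(seen_fp: str, histories: Dict[str, List[Observation]], now: int,
              quorum: float = 0.75, min_duration_days: int = 30) -> Tuple[str, str]:
    """Decide whether the key the client was offered matches the notaries' view.

    Returns ("accept", reason) when enough notaries currently see the same key
    and have seen it for long enough, otherwise ("warn", reason).  Note that a
    self-signed key passes this check as long as it has been consistent: the
    check asks "is this the key everyone has always seen?", not "who signed it?".
    """
    if not histories:
        return ("warn", "no notary data available")
    agreeing = []
    for name, observations in histories.items():
        # The notary's current view is the record still being seen today.
        current = [o for o in observations if o.last_seen == now]
        if current and current[0].fingerprint == seen_fp:
            agreeing.append(current[0])
    fraction = len(agreeing) / len(histories)
    if fraction < quorum:
        return ("warn", f"only {len(agreeing)}/{len(histories)} notaries see this key")
    # How long the agreeing notaries have all seen this key (the weakest link).
    duration = min(now - o.first_seen for o in agreeing)
    if duration < min_duration_days:
        return ("warn", f"quorum has seen this key for only {duration} days")
    return ("accept", f"{fraction:.0%} of notaries agree, for {duration} days")


if __name__ == "__main__":
    print("stable, client sees A:", check_key(FP_A, STABLE_HISTORY, TODAY))
    print("stable, client sees B:", check_key(FP_B, STABLE_HISTORY, TODAY))
    print("rotated, client sees B:", check_key(FP_B, ROTATED_HISTORY, TODAY))
    print("split, client sees B:  ", check_key(FP_B, SPLIT_HISTORY, TODAY))
```

The second scenario is the one the article is about: every notary still sees key A, but the client was handed key B, which is the signature of traffic being rerouted somewhere between the client and the site. The rotated and split scenarios show why a real deployment needs both a quorum and a duration threshold: a brand-new key agreed by everyone may be an honest rotation, but the model has no history to vouch for it yet.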

L'Inq
Carnegie Mellon

Comments

Self-signed: exactly what it says on the tin

A self-signed certificate is one which is signed by that same certificate. It can be generated by anyone at any time (with access to appropriate software). Cheap? Try free.

Root certificates are self-signed because they have no-one else to be signed by. Self-signing does at least assure that none of the other details have been modified by someone else. However, I could easily generate a self-signed certificate claiming that I was Google and using other attacks, intercept traffic for GMail and persuade people to log in to my server with their account details. That is, if the browser didn't warn users that my claim wasn't corroborated by anyone else.

SSL certificates cost money simply because someone is checking that you are who you say you are. This ranges from checking that the person applying is one of the contacts in Whois for the domain, up to full Companies House checks. It's not flawless - VeriSign issued some code-signing certificates in Microsoft's name to an attacker at one stage - but gives some reassurance.

There's nothing stopping alternate CAs setting up in business to issue SSL certificates, but not being on the default list of root CAs means that you have to persuade visitors to install and trust your root certificate so they can then trust all the certificates you've signed.
posted by : Mike Dimmick, 28 August 2008

Well...

I should hope people skip over self-signed certificates; they're as reliable as asking me what my name is! (on a Friday night, just after the pub has closed!).
posted by : Steve, 28 August 2008

Genius

So an add-on can override certificate security warnings. How wonderful. Did MS at any point advise the Mozilla people on design?
posted by : W.-, 29 August 2008