
Firefox gets better site ID

New ideas
Thursday, 28 August 2008, 10:05

BOFFINS FROM Carnegie Mellon University have built an add-on for Firefox which is designed to test if a site is authentic.

While most browsers already alert users when a site appears bogus, most users do not know what to do when they get a warning about a bad certificate.

Despite the warning, some click on the site going on to malicious areas that steal their personal information. Others panic and skip over harmless sites that used cheap, "self-signed" certificates.

Boffins David Andersen, Adrian Perrig and Dan Wendlandt have penned a program that taps into a network of publicly accessible servers that have been programmed to ping Web sites and record changes in the encryption keys they use to secure data.

Any discrepancy can be a sign that hackers are rerouting traffic through machines under their control.

The new program either overrides the security warning if a site is deemed legitimate, or throws up another warning if the subsequent probes reveal more red flags. µ
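As an added illustration of the decision the article describes (not the CMU add-on's own code), the check below compares the key a client sees against what a set of probing servers ("notaries") has recorded, and maps the result onto the two outcomes above. The notary names, the sample observations, and the policy knobs (quorum fraction, minimum observation period) are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Observation:
    notary: str        # hypothetical notary server name
    fingerprint: str   # key fingerprint the notary recorded for the site
    first_seen: date   # when this notary first saw this key
    last_seen: date    # most recent probe that returned this key

def latest_per_notary(observations):
    """Pick each notary's most recently seen key; that is its current view."""
    latest = {}
    for o in observations:
        cur = latest.get(o.notary)
        if cur is None or o.last_seen > cur.last_seen:
            latest[o.notary] = o
    return latest

def key_is_consistent(observed_fp, observations, today, quorum=0.75, min_days=7):
    """True when at least `quorum` of the notaries currently see the same key
    the client sees and have been seeing it for at least `min_days` (assumed policy)."""
    latest = latest_per_notary(observations)
    if not latest:
        return False    # no notary data: nothing can vouch for the key
    agreeing = sum(
        1 for o in latest.values()
        if o.fingerprint == observed_fp
        and today - o.first_seen >= timedelta(days=min_days)
    )
    return agreeing / len(latest) >= quorum

def advise(observed_fp, observations, today):
    """Map the check onto the two outcomes the article describes."""
    return "override-warning" if key_is_consistent(observed_fp, observations, today) else "raise-warning"

# Constructed sample data: three notaries have seen key A for months; a fourth
# has just started seeing a different key B, the kind of discrepancy that can
# indicate traffic being rerouted through another machine.
TODAY = date(2008, 8, 28)
SAMPLE = [
    Observation("notary1.example", "A" * 40, date(2008, 3, 1), TODAY),
    Observation("notary2.example", "A" * 40, date(2008, 3, 2), TODAY),
    Observation("notary3.example", "A" * 40, date(2008, 3, 1), TODAY),
    Observation("notary4.example", "A" * 40, date(2008, 3, 1), TODAY - timedelta(days=1)),
    Observation("notary4.example", "B" * 40, TODAY, TODAY),
]

if __name__ == "__main__":
    print(advise("A" * 40, SAMPLE, TODAY))  # override-warning
    print(advise("B" * 40, SAMPLE, TODAY))  # raise-warning
```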

L'Inq
Carnegie Mellon


Comments
Self-signed: exactly what it says on the tin

A self-signed certificate is one which is signed by that same certificate. It can be generated by anyone at any time (with access to appropriate software). Cheap? Try free.

Root certificates are self-signed because they have no-one else to be signed by. Self-signing does at least assure that none of the other details have been modified by someone else. However, I could easily generate a self-signed certificate claiming that I was Google and using other attacks, intercept traffic for GMail and persuade people to log in to my server with their account details. That is, if the browser didn't warn users that my claim wasn't corroborated by anyone else.

SSL certificates cost money simply because someone is checking that you are who you say you are. This ranges from checking that the person applying is one of the contacts in Whois for the domain, up to full Companies House checks. It's not flawless - VeriSign issued some code-signing certificates in Microsoft's name to an attacker at one stage - but gives some reassurance.

There's nothing stopping alternate CAs setting up in business to issue SSL certificates, but not being on the default list of root CAs means that you have to persuade visitors to install and trust your root certificate so they can then trust all the certificates you've signed.

posted by: Mike Dimmick, 28 August 2008
Well...

I should hope people skip over self-signed certificates, they're as reliable as asking me what my name is! (on a Friday night, just after the pub has closed!).

posted by: Steve, 28 August 2008
Genius

So an addon can override certificate security warnings, how wonderful, did MS at any point advise the mozilla people on design?

posted by: W.-, 29 August 2008