New toy: SSLbar
It's a toolbar for Mozilla (and related web browsers) that automatically displays the SHA1 or MD5 fingerprint of the SSL certificate when you visit an SSL secured web site. You could of course click the little padlock icon and dig through a couple of dialogs to see it, but it's much easier when it's right there in front of you on the toolbar.

So, what's the point? If you look at the fingerprint of an SSL certificate, and compare this against a fingerprint that you obtain from the site's owner via another channel (IIP, email, PGP-signed web page, etc.) you can be absolutely certain that the certificate is legitimate, and that you are exchanging encrypted data with the person(s) you intended to.

A more engaging description of the above - as well as SSLbar itself - can be found at http://sslbar.metropipe.net

Enjoy.

A Jobless Recovery is like a Breadless Sandwich.
-- Steve Schear

- The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Mozilla tool to self-verify HTTPS site
http://sslbar.metropipe.net/

Fantastic news: coders are starting to work on the failed security model of secure browsing and improve it where it matters, in the browser.

This plugin for Mozilla shows the SSL certificate's fingerprint on the web browser's toolbar.

It's a small step for the user, but a giant leap for userland security. It means that someone is thinking about solving the hacks against secure browsing. Caching and distributing techniques for certificates can't be that far off...

-- iang
Re: New toy: SSLbar
> It's a toolbar for Mozilla (and related web browsers) that automatically displays the SHA1 or MD5 fingerprint of the SSL certificate when you visit an SSL secured web site. You could of course click the little padlock icon and dig through a couple of dialogs to see it, but it's much easier when it's right there in front of you on the toolbar.
>
> So, what's the point? If you look at the fingerprint of an SSL certificate, and compare this against a fingerprint that you obtain from the site's owner via another channel (IIP, email, PGP-signed web page, etc.) you can be absolutely certain that the certificate is legitimate, and that you are exchanging encrypted data with the person(s) you intended to.

Please don't take this personally -- I'm speaking in general terms here, rather than casting aspersions on anyone in particular. I've deliberately deleted any personal names from this reply, to underscore that point.

From a security point of view, why should anyone download any plug-in from an unknown party? In this very specific case, why should someone download a plug-in that by its own description is playing around in the crypto arena. How do we know it's not going to steal keys? Is the Mozilla API strong enough that it can't possibly do that? Is it implemented well enough that we trust it? (I see that in this case, the guts of the plug-in are in Javascript. Given how often Javascript has played a starring role in assorted security flaws, that doesn't reassure me. But I do appreciate open source.)

--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of Firewalls book)
Re: Mozilla tool to self-verify HTTPS site
On Tue, 24 Jun 2003, Ian Grigg wrote:

> http://sslbar.metropipe.net/
>
> Fantastic news: coders are starting to work on the failed security model of secure browsing and improve it where it matters, in the browser.
>
> This plugin for Mozilla shows the SSL certificate's fingerprint on the web browser's toolbar.

How many users can remember MD5 checksums??? If they were rendered into something pronounceable via S/Key like dictionaries it might be more useful...

-- Viktor.
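Added example, not part of any message in this thread: the suggestion above is to render a fingerprint as something pronounceable so it can be compared over another channel. The sketch below does this with the proquint consonant-vowel encoding, a substitute for the S/Key dictionary mentioned (which is not reproduced here), and checks a displayed MD5 or SHA-1 fingerprint against words received out of band. The function names and sample bytes are constructed for illustration.

```python
import hashlib

CONSONANTS = "bdfghjklmnprstvz"  # 16 letters, 4 bits each
VOWELS = "aiou"                  # 4 letters, 2 bits each

def parse_fingerprint(text):
    """Accept 'AB:CD:...' or bare hex as shown by a browser; return digest bytes."""
    raw = bytes.fromhex(text.replace(":", "").replace(" ", ""))
    if len(raw) not in (16, 20):  # MD5 is 16 bytes, SHA-1 is 20 bytes
        raise ValueError("not an MD5 or SHA-1 fingerprint")
    return raw

def to_words(raw):
    """Render digest bytes as five-letter words, 16 bits per word."""
    words = []
    for i in range(0, len(raw), 2):
        n = int.from_bytes(raw[i:i + 2], "big")
        words.append(CONSONANTS[n >> 12] + VOWELS[(n >> 10) & 3]
                     + CONSONANTS[(n >> 6) & 15] + VOWELS[(n >> 4) & 3]
                     + CONSONANTS[n & 15])
    return "-".join(words)

def from_words(text):
    """Inverse of to_words; raises ValueError on a misheard or mistyped word."""
    out = bytearray()
    for word in text.lower().split("-"):
        if len(word) != 5:
            raise ValueError(f"bad word: {word!r}")
        n = 0
        for pos, ch in enumerate(word):
            table, bits = (VOWELS, 2) if pos % 2 else (CONSONANTS, 4)
            if ch not in table:
                raise ValueError(f"bad letter {ch!r} in {word!r}")
            n = (n << bits) | table.index(ch)
        out += n.to_bytes(2, "big")
    return bytes(out)

def matches(displayed, spoken_words):
    """Compare the browser's fingerprint with words received out of band."""
    return parse_fingerprint(displayed) == from_words(spoken_words)

# Constructed sample: stand-in bytes, not a real DER certificate.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_DISPLAYED = hashlib.sha1(SAMPLE_DER).hexdigest().upper()

if __name__ == "__main__":
    words = to_words(parse_fingerprint(SAMPLE_DISPLAYED))
    print(SAMPLE_DISPLAYED, "->", words, matches(SAMPLE_DISPLAYED, words))
```

A 20-byte SHA-1 fingerprint becomes ten words and a 16-byte MD5 fingerprint eight; the comparison is only as trustworthy as the channel the words arrived on.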
Re: Mozilla tool to self-verify HTTPS site
[EMAIL PROTECTED] wrote:

> How many users can remember MD5 checksums??? If they were rendered into something pronounceable via S/Key like dictionaries it might be more useful...

You forgot this bit:

It's a small step for the user, but a giant leap for userland security. It means that someone is thinking about solving the hacks against secure browsing. Caching and distributing techniques for certificates can't be that far off...

-- iang