Re: Mozilla tool to self-verify HTTPS site

[Ian Grigg]

[EMAIL PROTECTED] wrote:

> How many users can remember MD5 checksums??? If they were rendered into
> something pronounceable via S/Key like dictionaries it might be more
> useful...

You forgot this bit:

> It's a small step for the user, but a giant leap
> for userland security.  It means that someone is
> thinking about solving the hacks against secure
> browsing.  Caching and distributing techniques
> for certificates can't be that far off...

-- 
iang

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Mozilla tool to self-verify HTTPS site

[Victor . Duchovni]

On Tue, 24 Jun 2003, Ian Grigg wrote:

> http://sslbar.metropipe.net/
>
> Fantastic news:  coders are starting to work
> on the failed security model of secure browsing
> and improve it where it matters, in the browser.
>
> This plugin for Mozilla shows the SSL certificate's
> fingerprint on the web browser's toolbar.
>

How many users can remember MD5 checksums??? If they were rendered into
something pronounceable via S/Key like dictionaries it might be more
useful...

-- 
Viktor.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: New toy: SSLbar

[Steven M. Bellovin]

>It's a toolbar for Mozilla (and related web browsers) that automatically 
>displays the SHA1 or MD5 fingerprint of the SSL certificate when you visit 
>an SSL secured web site. You could of course click the little padlock icon 
>and dig through a couple of dialogs to see it, but it's much easier when 
>it's right there in front of you on the toolbar.
>
>So, what's the point?
>
>If you look at the fingerprint of an SSL certificate, and compare this 
>against a fingerprint that you obtain from the site's owner via another 
>channel (IIP, email, PGP-signed web page, etc.) you can be absolutely 
>certain that the certificate is legitimate, and that you are exchanging 
>encrypted data with the persons(s) you intended to.
>
>

Please don't take this personally -- I'm speaking in general terms 
here, rather than casting aspersions on anyone in particular.  I've
deliberately deleted any personal names from this reply, to underscore 
that point.

>From a security point of view, why should anyone download any plug-in 
from an unknown party?  In this very specific case, why should someone 
download a a plug-in that by its own description is playing around in 
the crypto arena.  How do we know it's not going to steal keys?  Is the 
Mozilla API strong enough that it can't possibly do that?  Is it 
implemented well enough that we trust it?  (I see that in this case, 
the guts of the plug-in are in Javascript.  Given how often Javascript 
has played a starring role in assorted security flaws, that doesn't 
reassure me.  But I do appreciate open source.)


--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of "Firewalls" book)



-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Mozilla tool to self-verify HTTPS site

[Ian Grigg]

http://sslbar.metropipe.net/

Fantastic news:  coders are starting to work
on the failed security model of secure browsing
and improve it where it matters, in the browser.

This plugin for Mozilla shows the SSL certificate's
fingerprint on the web browser's toolbar.

It's a small step for the user, but a giant leap
for userland security.  It means that someone is
thinking about solving the hacks against secure
browsing.  Caching and distributing techniques
for certificates can't be that far off...

-- 
iang

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

New toy: SSLbar

[Steve Schear]

It's a toolbar for Mozilla (and related web browsers) that automatically 
displays the SHA1 or MD5 fingerprint of the SSL certificate when you visit 
an SSL secured web site. You could of course click the little padlock icon 
and dig through a couple of dialogs to see it, but it's much easier when 
it's right there in front of you on the toolbar.

So, what's the point?

If you look at the fingerprint of an SSL certificate, and compare this 
against a fingerprint that you obtain from the site's owner via another 
channel (IIP, email, PGP-signed web page, etc.) you can be absolutely 
certain that the certificate is legitimate, and that you are exchanging 
encrypted data with the persons(s) you intended to.

A more engaging description of the above - as well as SSLbar itself - can 
be found at 
http://sslbar.metropipe.net

Enjoy.

"A Jobless Recovery is like a Breadless Sandwich."
-- Steve Schear 
-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

DIMACS Tutorial on Applied Cryptography and Network Security: NJ, Aug 4-7

[Amir Herzberg]

During August 4-7, I'll give, together with Markus Jakobsson, Angelos 
Keromytis, Hugo Krawczyk, and Rebecca Wright, a `crash course on 
cryptography and its applications to secure networking and electronic 
commerce`, in DIMACS (located in Piscataway, central New Jersey). For 
details, program etc. see 
http://dimacs.rutgers.edu/Workshops/ComputerSecurity/.

This is a non-profit operation and indeed fees are very reasonable (regular 
250$, and 125$ discount for students, post-docs, etc.; and this includes 
lunch etc.), and they even say they may give financial aid when necessary. 
I hope we  made a good program (much of it based on my lectures/foils, see 
at http://amir.herzberg.name/book.html), and that this would be a nice 
opportunity for people to refresh themselves on some of the fundamentals 
and see some new perspectives, or simply to get a quick introduction to the 
areas of applied cryptography and secure communication and commerce. So 
please consider joining us, and forward to forums or individuals that may 
be interested.


Amir Herzberg
http://amir.herzberg.name
-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]