Re: Fingerprint Firefox Plugin?
On Oct 23, 2007, at 12:46 AM, Arcane Jill wrote:

> Can anyone tell me... is there a Firefox plugin which allows one to view the fingerprint of the SSL certificate of each page you visit (e.g. in the status bar or address bar or something)? Better still if it can learn which ones you trust, but just being able to view them without having to jump through hoops would be a good start.

Suppose you did have a convenient way to display the SSL certificate for every site whenever you loaded a page from the site. You probably wouldn't want to memorize all the certificates for the secure sites that you care about, so you might instead write some notes on a piece of paper next to your computer, for example writing down an SSL certificate and then next to it writing "bank", and then writing down another one and then next to it writing "mail", and so on. Then, whenever you load a page, you would look at the SSL certificate that is linked to that page and glance at your notepad to see which description it maps to.

If you are looking at a random web site that you've never seen before, and the certificate doesn't appear on your notes, then no big deal. If you are looking at a page that appears to belong to your bank, and the certificate that came with that page doesn't appear on your notes, then this is a big red flag! Likewise, if you are looking at a page that appears to belong to your bank, and the certificate appears on your notes, but the note next to it doesn't say "bank", then this is a red flag, too! For example, it might be the certificate of your mail service, which appears on your paper along with the note "mail". Or it might just be a certificate that appears on your paper along with the note "joke site from Harry".

Note that a system which classified certificates into "trusted" or "untrusted" categories might give you the green flag even when a certificate that you trust to serve up good jokes is serving up something that appears to be your bank account.
So, the thing about writing down certificates and mapping them to short hand-written notes is what the Pet Name Toolbar automates for you:

https://addons.mozilla.org/en-US/firefox/addon/957

Please let us know how it works for you.

Regards,

Zooko

- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
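The notepad scheme Zooko describes, written out in Python as an added example (this is not the Pet Name Toolbar's code and is not from the post). The certificate byte strings are constructed stand-ins rather than real DER; `fingerprint_pem` shows how a real PEM export from a browser's certificate viewer would be fed in. `naive_trust_verdict` is the trusted/untrusted classifier the post warns against, included only for contrast.

```python
"""Zooko's notepad as code: a pet-name book keyed by certificate fingerprint.
Added example; not the Pet Name Toolbar's implementation."""
import hashlib
import ssl


def fingerprint(cert_der: bytes) -> str:
    # Fingerprint = hash over the DER-encoded certificate. SHA-256 here; browsers of
    # the day displayed SHA-1/MD5, and the scheme works with any collision-resistant hash.
    return hashlib.sha256(cert_der).hexdigest()


def fingerprint_pem(cert_pem: str) -> str:
    # For a certificate pasted out of a browser's certificate viewer in PEM form.
    return fingerprint(ssl.PEM_cert_to_DER_cert(cert_pem))


class PetNameBook:
    """The piece of paper: fingerprint -> the short note the user wrote next to it."""

    def __init__(self) -> None:
        self._notes = {}

    def write_note(self, cert_der: bytes, petname: str) -> None:
        self._notes[fingerprint(cert_der)] = petname

    def petname_for(self, cert_der: bytes):
        return self._notes.get(fingerprint(cert_der))

    def check(self, appears_to_be, cert_der: bytes):
        """appears_to_be: what the page looks like to the user ('bank'), or None for a
        site you have no expectations about. Returns (verdict, explanation)."""
        noted = self.petname_for(cert_der)
        if appears_to_be is None:
            if noted is None:
                return ("unknown", "never seen this certificate, no expectation: no big deal")
            return ("ok", f"certificate is the one noted as {noted!r}")
        if noted is None:
            return ("unnoted_cert", f"looks like {appears_to_be!r} but its certificate is not on your notes")
        if noted != appears_to_be:
            return ("wrong_petname", f"looks like {appears_to_be!r} but the certificate is the one noted as {noted!r}")
        return ("ok", f"certificate matches note {appears_to_be!r}")


def naive_trust_verdict(book: PetNameBook, cert_der: bytes) -> str:
    # The trusted/untrusted classifier the post warns about: anything on the notes is
    # 'trusted', regardless of what the page claims to be.
    return "trusted" if book.petname_for(cert_der) is not None else "untrusted"


# Constructed stand-ins for DER certificates (not real certificates).
BANK_CERT = b"constructed DER stand-in: bank"
MAIL_CERT = b"constructed DER stand-in: mail"
JOKE_CERT = b"constructed DER stand-in: joke site from Harry"
PHISH_CERT = b"constructed DER stand-in: some site never seen before"


def example_book() -> PetNameBook:
    book = PetNameBook()
    book.write_note(BANK_CERT, "bank")
    book.write_note(MAIL_CERT, "mail")
    book.write_note(JOKE_CERT, "joke site from Harry")
    return book


def sample_pem() -> str:
    # PEM form of the bank stand-in, as a browser's 'export certificate' would give it.
    return ssl.DER_cert_to_PEM_cert(BANK_CERT)


if __name__ == "__main__":
    book = example_book()
    for claim, cert in [("bank", BANK_CERT), ("bank", PHISH_CERT), ("bank", JOKE_CERT),
                        ("bank", MAIL_CERT), (None, PHISH_CERT)]:
        verdict, why = book.check(claim, cert)
        print(f"{verdict:13} {why}  (naive model says: {naive_trust_verdict(book, cert)})")
```

The point of the two-argument `check` is that the verdict depends on the pairing of what the page claims to be with which note the certificate maps to, not on the certificate alone; the joke-site certificate is "trusted" under the naive model yet a red flag when it turns up on a page that looks like the bank.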
Elcomsoft trying to patent faster GPU-based password cracker
From: http://www.elcomsoft.com/EDPR/gpu_en.pdf

Moscow, Russia - October 22, 2007 - ElcomSoft Co. Ltd. has discovered and filed for a US patent...Using the brute force technique of recovering passwords, it was possible, though time-consuming, to recover passwords from popular applications. For example...Windows Vista uses NTLM hashing by default, so using a modern dual-core PC you could test up to 10,000,000 passwords per second, and perform a complete analysis in about two months. With ElcomSoft's new technology, the process would take only three to five days..Today's [GPU] chips can process fixed-point calculations. And with as much as 1.5 Gb of onboard video memory and up to 128 processing units, these powerful GPU chips are much more effective than CPUs in performing many of these calculations...Preliminary tests using Elcomsoft Distributed Password Recovery product to recover Windows NTLM logon passwords show that the recovery speed has increased by a factor of twenty, simply by hooking up with a $150 video card's onboard GPU.

-Michael Heyman
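To see what the figures in the press release are made of, here is an added example (my own code, not Elcomsoft's): the NT hash (unsalted MD4 over the UTF-16LE password), a toy exhaustive search, and the keyspace arithmetic. MD4 is implemented inline because `hashlib` often lacks it on OpenSSL 3 builds. The mixed-case, 8-character keyspace in the main block is my assumption, chosen because at 10,000,000 hashes per second it takes about two months and at twenty times that rate about three days, which reproduces the press release's numbers; the press release does not say what keyspace it assumed. Test vectors are the RFC 1320 MD4 vectors and the widely published NT hash of "password".

```python
"""NT hash and the brute-force arithmetic behind the press release's figures.
Added example, not Elcomsoft's code."""
import itertools
import struct

_MASK = 0xFFFFFFFF


def md4(message: bytes) -> bytes:
    """RFC 1320 MD4 (pure Python; slow, but fine for a demonstration)."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & _MASK

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", len(message) * 8)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(padded), 64):
        x = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: F, message words in order, shifts 3 7 11 19
            a = rotl((a + f(b, c, d) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G, words 0 4 8 12 1 5 9 13 ..., shifts 3 5 9 13
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H, words 0 8 4 12 2 10 ..., shifts 3 9 11 15
            a = rotl((a + h(b, c, d) + x[order3[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & _MASK, (b0 + b) & _MASK, (c0 + c) & _MASK, (d0 + d) & _MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    # NT hash = MD4 over the UTF-16LE password, with no salt: every candidate is hashed
    # once and compared against all captured hashes at the same time.
    return md4(password.encode("utf-16-le")).hex()


def brute_force(target_hex: str, charset: str, max_len: int):
    """Exhaustive search (the press release's 'complete analysis') over a toy keyspace."""
    for length in range(1, max_len + 1):
        for cand in itertools.product(charset, repeat=length):
            pw = "".join(cand)
            if nt_hash(pw) == target_hex:
                return pw
    return None


def keyspace(charset_size: int, max_len: int) -> int:
    # Number of candidates of length 1..max_len over the charset.
    return sum(charset_size ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(charset_size: int, max_len: int, rate: float) -> float:
    return keyspace(charset_size, max_len) / rate


if __name__ == "__main__":
    print(nt_hash("password"))  # 8846f7eaee8fb117ad06bdd830b7586c
    print(brute_force(nt_hash("ba"), "abc", 3))  # constructed target; prints 'ba'
    # Press-release rates: 1e7/s on a dual-core CPU, twenty times that on a $150 GPU.
    # Assumed keyspace: upper+lower case letters (52), up to 8 characters.
    for label, rate in (("CPU", 1e7), ("GPU", 2e8)):
        days = seconds_to_exhaust(52, 8, rate) / 86400
        print(f"{label}: {days:.1f} days to exhaust [A-Za-z]{{1,8}}")
```

The twenty-fold speed-up only moves a fixed-cost search from months to days; every extra character multiplies the cost by the charset size, which is why length rather than hardware is the defender's lever against an unsalted, fast hash like this one.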
Re: Fingerprint Firefox Plugin?
zooko wrote:

> Suppose you did have a convenient way to display the SSL certificate for every site whenever you loaded a page from the site. You probably wouldn't want to memorize all the certificates for the secure sites that you care about, so you might instead write some notes on a piece of paper next to your computer, for example writing down an SSL certificate and then next to it writing "bank", and then writing down another one and then next to it writing "mail", and so on. Then, whenever you load a page, you would look at the SSL certificate that is linked to that page and glance at your notepad to see which description it maps to. If you are looking at a random web site that you've never seen before, and the certificate doesn't appear on your notes, then no big deal. If you are looking at a page that appears to belong to your bank, and the certificate that came with that page doesn't appear on your notes, then this is a big red flag! Likewise, if you are looking at a page that appears to belong to your bank, and the certificate appears on your notes, but the note next to it doesn't say "bank", then this is a red flag, too! For example, it might be the certificate of your mail service, which appears on your paper along with the note "mail". Or it might just be a certificate that appears on your paper along with the note "joke site from Harry". Note that a system which classified certificates into "trusted" or "untrusted" categories might give you the green flag even when a certificate that you trust to serve up good jokes is serving up something that appears to be your bank account. So, the thing about writing down certificates and mapping them to short hand-written notes is what the Pet Name Toolbar automates for you: https://addons.mozilla.org/en-US/firefox/addon/957

the design point for certificates was first time communication between total strangers (aka the letters of credit/introduction from sailing ship days).
certificates have also somewhat tried moving into no-value market segment for relying parties that had no (and/or couldn't cost justify) mechanism for recording information about other parties they were dealing with. by comparison pgp had assumed some mechanism for relying parties being able to record information about the parties that they had dealings with.

huge number of infrastructures have had well entrenched infrastructures for recording information about parties that they dealt with ... it just has been that the authentication related information (for these infrastructures) has tended to be shared secrets. many of these infrastructures could have been upgraded from shared secrets to public key ... w/o having any impact on the business and/or trust models ... and furthermore by the very nature of the existing infrastructures, the paradigm behind digital certificates wasn't applicable (i.e. digital certificates being totally redundant and superfluous).

recent thread/posting about it being much more natural for simple upgrade of kerberos infrastructure from shared secrets to public key ... w/o the exorbitant additional overhead and processing introduced by digital certificates.
http://www.garlic.com/~lynn/2007q.html#2 Windows Live vs Kerberos
http://www.garlic.com/~lynn/2007q.html#5 Windows Live vs Kerberos

when we were called in to consult with this small client/server startup that wanted to do payment transactions on their server ... since then somewhat has come to be called electronic commerce
http://www.garlic.com/~lynn/subnetwork.html#gateway

one of the technologies they had invented was SSL ... and we had to do some work on applying SSL to real business processes and also do some end-to-end audits of the whole series of operations ... including these things that were calling themselves certification authorities.

one of the things that undermined original assumptions applying SSL to business processes was the whole click paradigm ... discussed in more detail in this recent post
http://www.garlic.com/~lynn/2007q.html#30
and the assumptions about SSL as countermeasure and the related threat models.

another aspect of SSL, certification authorities, digital certificates was the whole issue behind what is meant by certification process ... and what certifications were represented by digital certificates.

during the initial decade or so of electronic commerce something over 70 percent of the transactions were done by less than 100 websites (activity is highly skewed). these websites were both well known and also carried a lot of repeat business ... invalidating one of the original/primary justifications for having digital certificates. so a very few websites did majority of transactions and didn't need certification. by comparison, the vast majority of websites were only doing a very, very few electronic transactions (especially those involving large percentage of first interaction between complete strangers) ... and couldn't cost justify