Re: Fingerprint Firefox Plugin?
-Original Message- From: zooko [mailto:[EMAIL PROTECTED] Sent: 24 October 2007 06:52 To: Arcane Jill Cc: cryptography@metzdowd.com Subject: Re: Fingerprint Firefox Plugin? Please let us know how it works for you. My experience is very positive. It seems to be /exactly/ what I want, because I don't necessarily trust Verisign or Thwarte or any of the other hundreds of Root CAs which my browser trusts. I don't believe that every single one of them would say no if some government, or military, or corporation with enough money, asked/ordered them to issue a bogus certificate, but I do know that if that were to happen, the fingerprint would change, and Petname Tool would flag me a warning. It is an absolutely wonderful tool, as it moves trust from where it doesn't belong (a bunch of faceless organisations whom I have no more reason to trust than the websites I'm visiting) to where it does belong (in my own hands). I love it! I guess other people might want to know this, either because they need to adopt the same security principles (if they are sound), or to criticize it (if not). Arcane Jill - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Fingerprint Firefox Plugin?
Arcane Jill wrote: Can anyone tell me... is there a Firefox plugin which allows one to view the fingerprint of the SSL certificate of each page you visit (e.g. in the status bar or address bar or something)? Better still if it can learn which ones you trust, but just being able to view them without having to jump through hoops would be a good start. You could try TrustBar http://trustbar.mozdev.org/installation.html Regards, Igal Yoffe - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Fingerprint Firefox Plugin?
zooko wrote: Suppose you did have a convenient way to display the SSL certificate for every site whenever you loaded a page from the site. You probably wouldn't want to memorize all the certificates for the secure sites that you care about, so you might instead write some notes on a piece of paper next to your computer, for example writing down an SSL certificate and then next to it writing "bank", and then writing down another one and then next to it writing "mail", and so on. Then, whenever you load a page, you would look at the SSL certificate that is linked to that page and glance at your notepad to see which description it maps to. If you are looking at a random web site that you've never seen before, and the certificate doesn't appear on your notes, then no big deal. If you are looking at a page that appears to belong to your bank, and the certificate that came with that page doesn't appear on your notes, then this is a big red flag! Likewise, if you are looking at a page that appears to belong to your bank, and the certificate appears on your notes, but the note next to it doesn't say "bank", then this is a red flag, too! For example, it might be the certificate of your mail service, which appears on your paper along with the note "mail". Or it might just be a certificate that appears on your paper along with the note "joke site from Harry". Note that a system which classified certificates into "trusted" or "untrusted" categories might give you the green flag even when a certificate that you trust to serve up good jokes is serving up something that appears to be your bank account. So, the thing about writing down certificates and mapping them to short hand-written notes is what the Pet Name Toolbar automates for you: https://addons.mozilla.org/en-US/firefox/addon/957 the design point for certificates was first time communication between total strangers (aka the letters of credit/introduction from sailing ship days). certificates have also somewhat tried moving into no-value market segment for relying parties that had no (and/or couldn't cost justify) mechanism for recording information about other parties they were dealing with. by comparison pgp had assumed some mechanism for relying parties being able to record information about the parties that they had dealings with. huge number of infrastructures have had well entrenched infrastructures for recording information about parties that they dealt with ... it just has been that the authentication related information (for these infrastructures) have tended to be shared secrets. many of these infrastructures could have been upgraded from shared secrets to public key ... w/o having any impact on the business and/or trust models ... and furthermore by the very nature of the existing infrastructures, the paradigm behind digital certificates wasn't applicable (i.e. digital certificates being totally redundant and superfluous). recent thread/posting about it being much more natural for simple upgrade of kerberos infrastructure from shared secrets to public key ... w/o the exorbitant additional overhead and processing introduced by digital certificates. http://www.garlic.com/~lynn/2007q.html#2 Windows Live vs Kerberos http://www.garlic.com/~lynn/2007q.html#5 Windows Live vs Kerberos when we were called in to consult with this small client/server startup that wanted to do payment transactions on their server ... since then somewhat has come to be called electronic commerce http://www.garlic.com/~lynn/subnetwork.html#gateway one of the technologies they had invented was SSL ... and we had to do some work on applying SSL to real business processes and also do some end-to-end audits of the whole series of operations ... including these things that we calling themselves certification authorities one of the things that undermined original assumptions applying SSL to business processes was the whole "click" paradigm ... discussed in more detail in this recent post http://www.garlic.com/~lynn/2007q.html#30 and the assumptions about SSL as countermeasure and the related threat models. another aspect of SSL, certification authorities, digital certificates was the whole issue behind what is met by certification process ... and what certifications were represented by digital certificates. during the initial decade or so of electronic commerce something over 70 percent of the transactions were done by less than 100 websites (activity is highly skewed) These websites were both well known and also carried a lot of repeat business ... invalidating one of the original/primary justifications for having digital certificates. so a very few websites did majority of transactions and didn't need certification. by comparison, the vast majority of websites were only doing a very, very few electronic transactions (especially those involving large percentage of first interaction between complete strangers) ... and couldn'
Re: Fingerprint Firefox Plugin?
On Oct 23, 2007, at 12:46 AM, Arcane Jill wrote: Can anyone tell me... is there a Firefox plugin which allows one to view the fingerprint of the SSL certificate of each page you visit (e.g. in the status bar or address bar or something)? Better still if it can learn which ones you trust, but just being able to view them without having to jump through hoops would be a good start. Suppose you did have a convenient way to display the SSL certificate for every site whenever you loaded a page from the site. You probably wouldn't want to memorize all the certificates for the secure sites that you care about, so you might instead write some notes on a piece of paper next to your computer, for example writing down an SSL certificate and then next to it writing "bank", and then writing down another one and then next to it writing "mail", and so on. Then, whenever you load a page, you would look at the SSL certificate that is linked to that page and glance at your notepad to see which description it maps to. If you are looking at a random web site that you've never seen before, and the certificate doesn't appear on your notes, then no big deal. If you are looking at a page that appears to belong to your bank, and the certificate that came with that page doesn't appear on your notes, then this is a big red flag! Likewise, if you are looking at a page that appears to belong to your bank, and the certificate appears on your notes, but the note next to it doesn't say "bank", then this is a red flag, too! For example, it might be the certificate of your mail service, which appears on your paper along with the note "mail". Or it might just be a certificate that appears on your paper along with the note "joke site from Harry". Note that a system which classified certificates into "trusted" or "untrusted" categories might give you the green flag even when a certificate that you trust to serve up good jokes is serving up something that appears to be your bank account. So, the thing about writing down certificates and mapping them to short hand-written notes is what the Pet Name Toolbar automates for you: https://addons.mozilla.org/en-US/firefox/addon/957 Please let us know how it works for you. Regards, Zooko - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Fingerprint Firefox Plugin?
Arcane Jill wrote: Can anyone tell me... is there a Firefox plugin which allows one to view the fingerprint of the SSL certificate of each page you visit (e.g. in the status bar or address bar or something)? Never needed one. The hoops involved aren't THAT large, at least in the version I use - click the padlock icon in the right hand side of the navigation (address/url) box, then the "view" button on the page that presents. Better still if it can learn which ones you trust, but just being able to view them without having to jump through hoops would be a good start. you can manually approve certificates of course, however there are a few tools I find useful. https://addons.mozilla.org/en-US/firefox/addon/2131 this one remembers which certificates were (mistakenly) presented by which domains, so it won't ask you again. it also does something similar to allow already-expired certs to function. the author has a blog here where he discusses aspects of the tool and related technologies: http://www.andrewlucking.com/archives/category/remember-mismatched-domains/ currently he is blogging about a recently checked-in patch that will add similar functionality natively to Firefox, and changes to a host's cert that makes it redundant for Thunderbird. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Fingerprint Firefox Plugin?
Can anyone tell me... is there a Firefox plugin which allows one to view the fingerprint of the SSL certificate of each page you visit (e.g. in the status bar or address bar or something)? Better still if it can learn which ones you trust, but just being able to view them without having to jump through hoops would be a good start. Arcane Jill - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]