As the debate rages over Mozilla Corp.'s decision to not display sites with expired or self-signed SSL digital certificates in Firefox 3, researchers at Carnegie Mellon University will release a free plug-in on Monday that may ease some of that angst.
The plug-in is part of a system called Perspectives, developed by professors Dave Anderson and Adrian Perrig and Ph.D. student Dan Wendlandt. Perspectives works off a series of servers that monitor website connections, recording public encryption keys for a period of time. The servers amortize these requests, Anderson said, and if they can authenticate that the same key has been returned for a requested site for a pre-determined length of time, Perspectives will override Firefox 3's default block on the site and spate of warning pop-ups, and allow the user to proceed.
"Our ability to monitor these keys over a long period of time allows us to tell the client, for example, if a key changed 30 minutes ago and that maybe you should call the sysadmin, that something is up," Anderson said.
Currently, Firefox 3 will not display a self-signed site, but does present the user with the option of adding an exception rule to the browser. That process requires four steps. Anderson told Information Security that he believes users aren't likely to jump through these hoops, and added that a study of Firefox 3 users conducted by his students revealed that a significant number stopped using it because of this impediment.
Mike Beltzner, director of user experience at Mozilla, says he was apprehensive about the decision to block self-signed certificates by default. But the growing plague of man-in-the-middle attacks--where browser sessions are hijacked and data sniffed without the user's knowledge--presenting themselves via a self-signed certificate went a long way in making the decision to block by default. Belzner, however, admits that some of the criticisms of Firefox 3's stringent security have been valid, in particular in the user interface.
"In Firefox 2, we put up a message that was incomprehensible to users about trust chains and so forth. We also gave users a 'whatever' button which essentially allows the user to ignore the security warning," Belzner said. "But the warning is valid and users should adhere it. We decided to default block self-signed and untrusted certificates. Users can add exceptions, and make them permanent if they want to."
Carnegie Mellon's Anderson said the five servers that make up the Perspectives system monitor and record keys of 10,000 Web servers daily. The plug-in, if everything checks out, displays a note that the user was taken to the site and that key has been seen for x-number of days by the system. If something is amiss, a strong warning appears.
"Instead of the normal Firefox page, we tell you something weird is going on here and you're likely to get hacked. We know it," Anderson said. "It allows us to push the warnings to be much stronger, instead of presenting the user with an innocuous 'Should-I-trust-this" type of thing."
Anderson said the monitoring servers have been running for close to a year, but only this summer have they tuned and made the system stable. A paper on Perspectives was also presented at the USENIX Security Symposium in San Jose in July.
Anderson added that Perspectives is effective in fending off man-in-the-middle attacks.
"It's easy for someone to convince you to go through their computer when making connections through public Wi-Fi," Andersen said. "A user who thinks he is linked to an airport or coffee shop hotspot, for instance, might actually be linked to a laptop of someone just a few seats away. A lot of people wouldn't even know they've been attacked."
Larger online presences, meanwhile, such as financial services organizations or online banking services, are likely to have the funds to purchase and maintain an SSL certificate. Many smaller organizations, such as universities, academic sites, archived mailing lists and other resources are dependent on self-signed certificates. Having those sites monitored by a system such as Perspectives makes Web usage much more convenient, Anderson said.
"I run it and have been running it for the last couple of months; you want to run this plug-in. It makes the Web so much more usable," Anderson said.
The free plug-in is available for download online.