CMU announces free Firefox add-on to increase browser security against DNS flaw and digital signature problems

Carnegie-Mellon University is making available a free add-on for Firefox 3.0 that’s intended to increase browser security.

The Firefox add-on was developed at the university’s School of Computer Science and College of Engineering and is available for free download. The Perspectives software not only protects Firefox users against attacks that might occur because of the recently disclosed software flawin the DNS, but it also defends against some digital certificate problems.

The extension provides two primary benefits:

  1. If you connect to a website with an untrusted (e.g.,self-signed certificate)*, Firefox will give you a very nasty security error and force you to manually install an exception. Perspectives can detect whether a self-signed certificate is valid, and automatically overrides the annoying security error page if it is safe to do so.
  2. It is possible that an attacker may trick one of the many Certificate Authorities trusted by Firefox into incorrectly issuing a certificate for a trusted website. Perspectives can also detect this attack and will warn you if things look suspicious.

* The same is true for HTTPS sites with certificates that contain mismatched domain names (e.g., www.gmail.com uses a certificate for mail.google.com) or certificates that are expired.

Because of the API used, the code only works in Firefox 3.x, not Firefox 2.x.

How it works, from the CMU web page:

“Perspectives is a new approach to help clients securely identify Internet servers in order to avoid “man-in-the-middle” attacks. Perspectives is simple and cheap compared to existing approaches because it automatically builds a robust database of network identities using lightweight network probing by “network notaries” located in multiple vantage points across the Internet.”

Original Source: networkworld.com

Leave a Reply

Your email address will not be published. Required fields are marked *