New Firefox Extension Thwarts MITM Attacks

New Perspectives system from Carnegie Mellon

by Karl Bode Tuesday 26-Aug-2008 tags: security · software

Researchers at Carnegie Mellon University's School of Computer Science and College of Engineering say they have devised a low-cost system that aims to protect user privacy and improve the security of private online communications. The system, dubbed Perspectives, targets man in the middle attacks by employing the help of friendly sites or "notaries" that aid in authenticating websites used in secure transactions. From the researchers:

By independently querying the desired target site, the notaries can check whether each is receiving the same authentication information, called a digital certificate, in response. If one or more notaries report authentication information that is different than that received by the browser or other notaries, a computer user would have reason to suspect that an attacker has compromised the connection.

Perspectives is available as a free Firefox extension, and can be downloaded here. More detailed security analysis of the system can be found in this academic paper (pdf).

Forums >

New Firefox Extension Thwarts MITM Attacks

view: topics flat text

Romney2012
Defeat Obama 2012-Chg we can believe in
Premium
join:2002-03-03
USA
kudos:4

1 edit

Must have Firefox 3 to try it out

Anyone wanting to test this add-on, it is for Firefox 3 only. If you have Firefox 2, it won't install.

It will install on 32 bit & 64 bit Linux. And on 32 bit version of Windows. And on the Intel versions of OS X.

See here to pick your download:
»www.cs.cmu.edu/~perspectives/

P.S.> it only checks web sites that use HTTPS and not HTTP like BBR. If you want to play around and check out PERSPECTIVES options, you can go to »mail.google.com to test.
--
My BLOG .. .. Internet News .. .. My Web Page
Ask yourself one question: 'Do I feel lucky?' Well, do ya punk?

permalink · 2008-08-26 10:03:47 · Print ·

RARPSL

join:1999-12-08
Suffern, NY

Re: Must have Firefox 3 to try it out

said by Romney2012:

Anyone wanting to test this add-on, it is for Firefox 3 only. If you have Firefox 2, it won't install.

I'd love to upgrade to FF3 but every week or so when I bring it up to test, I get a long list of FF Extensions that still have not been made compatible with FF3 (or have a separate FF3 version). Once the list shrinks to only list those that I have installed but do not use, I will make the switch. Until then, I must stay with FF2 if I need the extension.

permalink · 2008-08-26 15:49:03 · Print ·

ISurfTooMuch join:2007-04-23 Tuscaloosa, AL	Although there is a 64-bit Linux version, it is still experimental and must be downloaded and installed manually. So I guess my Ubuntu 64-bit install will have to wait a bit to get this extension.
	permalink · 2008-08-26 16:22:24 · ·

uid1307457
Premium
join:2005-12-30
Tempe, AZ

3 edits

said by Romney2012:

Anyone wanting to test this add-on, it is for Firefox 3 only. If you have Firefox 2, it won't install.

It will install on 32 bit & 64 bit Linux. And on 32 bit version of Windows. And on the Intel versions of OS X.

See here to pick your download:
»www.cs.cmu.edu/~perspectives/

P.S.> it only checks web sites that use HTTPS and not HTTP like BBR. If you want to play around and check out PERSPECTIVES options, you can go to »mail.google.com to test.

»www.cs.cmu.edu/~perspectives/Per···ives.xpi

select open file, set program (xpi extension) to open file type as firefox

permalink · 2008-08-26 17:54:08 · Print ·

DrModem Premium join:2006-10-19 USA kudos:1	Another reason FF > All
	permalink · 2008-08-26 10:05:33 · ·

BinaryXtreme join:2004-04-20 Sparks, NV	Re: Another reason ^ What that guy said. \| \|
	permalink · 2008-08-26 10:44:03 · ·

ebubman join:2002-01-17 Mechanicsburg, PA	?? longtime ff user on multiple machines. is this something that the average guy can install/use/understand? thanks, bub
	permalink · 2008-08-26 10:47:10 · ·

Romney2012
Defeat Obama 2012-Chg we can believe in
Premium
join:2002-03-03
USA
kudos:4

Re: ??

said by ebubman:

longtime ff user on multiple machines. is this something that the average guy can install/use/understand? thanks, bub

I installed it in about 1 minute. The default options are fine. And if you want to experiment and modify options, that is very easy to do.

But this is a set & forget add-on. Once installed, it will only alert you to a problem if something is wrong when you connect to a HTTPS web site where you have been subject to a MITM attack or where the web site has been hijacked by a DNS attack. So most likely, most people will never see this addon do anything.
--
My BLOG .. .. Internet News .. .. My Web Page
Ask yourself one question: 'Do I feel lucky?' Well, do ya punk?

permalink · 2008-08-26 10:57:39 · Print ·

Morac

join:2001-08-30
Riverside, NJ
kudos:1

Reviews:

·Comcast

Not sure how useful this really is

This is only really useful if you go to publicly accessible » (SSL) pages with self signed certificates. I can count the number of these I've seen over the last 10 years on one hand.

The vast majority of encrypted pages are from large corporations (banks, credit cards, Google, Yahoo, etc) and they can afford to have valid certificates.
--

The Comcast Disney Avatar has been retired.

permalink · 2008-08-26 11:04:13 · Print ·

cdru Go Colts Premium,MVM join:2003-05-14 Fort Wayne, IN kudos:5	Am I missing something? So how does having this "notary" prevent a man in the middle attack? If there is a man in the middle between me and my bank, for instance, why can't that same man be between this notary and my bank?
	permalink · 2008-08-26 11:23:07 · ·

Romney2012
Defeat Obama 2012-Chg we can believe in
Premium
join:2002-03-03
USA
kudos:4

Re: Am I missing something?

said by cdru:

So how does having this "notary" prevent a man in the middle attack? If there is a man in the middle between me and my bank, for instance, why can't that same man be between this notary and my bank?

See pages 7 thru 9 of their paper where they discuss the statistical odds against pulling off a MITM attack against the client and also against the MULTIPLE notaries at the same time.
»www.cs.cmu.edu/~perspectives/per···ix08.pdf
--
My BLOG .. .. Internet News .. .. My Web Page
Ask yourself one question: 'Do I feel lucky?' Well, do ya punk?

permalink · 2008-08-26 11:38:52 · Print ·

knightmb
Everybody Lies

join:2003-12-01
Franklin, TN

It's based on the system of "how have things been" and "how have thing changed".

If your bank has always used the same certificate that doesn't expire for 8 years and one day at a coffee shop, the certificate has completely changed, but still "valid" as a MITM attack would do, it throws up an alert. I won't protect you from a MITM attack on the first ever visit to your banking website, only those afterward.

It's part of the problem computers have that humans tend to be better at. That's complete trust of strangers. If things look fishy, we get suspicious. Computers, they don't care, if 2 > 1, then they are happy. For us, when we see 2 > 1.5 we ask why 1.5 instead 1 like before?
--
Fight NebuAD and the like:
Click Here to pollute their data

permalink · 2008-08-26 11:40:50 · Print ·

Viper007Bond Premium join:2002-09-26 Portland, OR	Re: Am I missing something? Actually, it would protect you on the first connect assuming someone else has connected to the site before. The trusted servers keep a history of known certs over time.
	permalink · 2008-08-26 22:18:44 · ·

your comment..

Forums > New Firefox Extension Thwarts MITM Attacks

New Firefox Extension Thwarts MITM Attacks

Must have Firefox 3 to try it out

Re: Must have Firefox 3 to try it out

Another reason

Re: Another reason

??

Re: ??

Not sure how useful this really is

Am I missing something?

Re: Am I missing something?

Re: Am I missing something?