Maybe you have already read the news that it is possible to subvert SSL which encrypts the connection to sites supporting it.
Financial sites like PayPal and Bank of America, shopping sites like eBay or Amazon and government sites use SSL which is indicated in the web browser by displaying https in the browser’s address bar instead of http.
There are other indicators including a closed padlock that, when clicked on, displays additional information about the website including the issued certificate.
This in theory confirms to the user that the connection between the user’s computer and the website is secure (by using encryption and certificates). Recent findings however have shown that it is possible to intercept those communications without breaking encryption by “using forged security certificates”.
To use [it], a law enforcement or intelligence agency would have to install it inside an ISP, and persuade one of the Certificate Authorities — using money, blackmail or legal process — to issue a fake certificate for the targeted website. Then they could capture your username and password, and be able to see whatever transactions you make online.
To make matters worse, security researchers have shown last year how easy it is to trick a Certificate Authority into issuing a certificate.
Perspectives
Perspectives is a Firefox add-on that validates secure connections the browser makes, and informs you of any issues encountered. Also, it does the following:
- If you connect to a website with an untrusted (e.g.,self-signed certificate)*, Firefox will give you a very nasty security error and force you to manually install an exception. Perspectives can detect whether a self-signed certificate is valid, and automatically overrides the annoying security error page if it is safe to do so.
- It is possible that an attacker may trick one of the many Certificate Authorities trusted by Firefox into incorrectly issuing a certificate for a trusted website. Perspectives can also detect this attack and will warn you if things look suspicious.
Even if Perspective’s primary and most advertised aim is enabling SSH-style certificate “validation” for self-signed certificates (those not issued by an established certification authority), it can be configured to add a second validation layer for CA-signed certificates too, by checking their consistency from multiple internet nodes (called “Notaries”) and/or over time:
Perspectives can be downloaded from the Mozilla Add-ons repository.
Update: You need to move the Perspectives icon to one of Firefox’s toolbars using the browser’s customize screen.
When you click on it you find several options including checking all notary results or forcing a notary check. In addition, it is possible to report an attack, add a site to the whitelist or open the certificate store from the context menu.
Verdict
Perspectives adds options to the Firefox web browser to verify the authenticity of certificates of sites supporting https. It checks the validity automatically and warns you if things don’t add up. Additionally, it provides you with tools to run manual checks as well, and bypass self-signed certificates error messages for trusted sites.