Fingerprint Firefox Plugin?

2007-10-23 Thread Arcane Jill
Can anyone tell me... is there a Firefox plugin which allows one to view the 
fingerprint of the SSL certificate of each page you visit (e.g. in the status 
bar or address bar or something)?


Better still if it can learn which ones you trust, but just being able to view 
them without having to jump through hoops would be a good start.


Arcane Jill

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: Fingerprint Firefox Plugin?

2007-10-24 Thread Dave Howe

Arcane Jill wrote:
Can anyone tell me... is there a Firefox plugin which allows one to 
view the fingerprint of the SSL certificate of each page you visit 
(e.g. in the status bar or address bar or something)?


Never needed one. The hoops involved aren't THAT large, at least in
the version I use - click the padlock icon in the right hand side of the
navigation (address/url) box, then the "view" button on the page that
presents.

Better still if it can learn which ones you trust, but just being 
able to view them without having to jump through hoops would be a 
good start.


You can manually approve certificates of course, however there are a few 
tools I find useful.


https://addons.mozilla.org/en-US/firefox/addon/2131

This one remembers which certificates were (mistakenly) presented by 
which domains, so it won't ask you again. It also does something similar 
to allow already-expired certs to function.


The author has a blog here where he discusses aspects of the tool and 
related technologies:


http://www.andrewlucking.com/archives/category/remember-mismatched-domains/

Currently he is blogging about a recently checked-in patch that will add 
similar functionality natively to Firefox, and changes to a host's cert 
that makes it redundant for Thunderbird.




Re: Fingerprint Firefox Plugin?

2007-10-24 Thread zooko

On Oct 23, 2007, at 12:46 AM, Arcane Jill wrote:

Can anyone tell me... is there a Firefox plugin which allows one to  
view the fingerprint of the SSL certificate of each page you visit  
(e.g. in the status bar or address bar or something)?


Better still if it can learn which ones you trust, but just being  
able to view them without having to jump through hoops would be a  
good start.


Suppose you did have a convenient way to display the SSL certificate  
for every site whenever you loaded a page from the site.  You  
probably wouldn't want to memorize all the certificates for the  
secure sites that you care about, so you might instead write some  
notes on a piece of paper next to your computer, for example writing  
down an SSL certificate and then next to it writing "bank", and then  
writing down another one and then next to it writing "mail", and so on.


Then, whenever you load a page, you would look at the SSL certificate  
that is linked to that page and glance at your notepad to see which  
description it maps to.  If you are looking at a random web site that  
you've never seen before, and the certificate doesn't appear on your  
notes, then no big deal.  If you are looking at a page that appears  
to belong to your bank, and the certificate that came with that page  
doesn't appear on your notes, then this is a big red flag!  Likewise,  
if you are looking at a page that appears to belong to your bank, and  
the certificate appears on your notes, but the note next to it  
doesn't say "bank", then this is a red flag, too!  For example, it  
might be the certificate of your mail service, which appears on your  
paper along with the note "mail".  Or it might just be a certificate  
that appears on your paper along with the note "joke site from Harry".


Note that a system which classified certificates into "trusted" or  
"untrusted" categories might give you the green flag even when a  
certificate that you trust to serve up good jokes is serving up  
something that appears to be your bank account.


So, the thing about writing down certificates and mapping them to  
short hand-written notes is what the Pet Name Toolbar automates for you:


https://addons.mozilla.org/en-US/firefox/addon/957

Please let us know how it works for you.

Regards,

Zooko

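The notepad scheme zooko describes, as an added example that is not part of the original post or of the Pet Name Toolbar's own code: a fingerprint-to-pet-name store that returns the verdict for each of his cases (unknown site, bank page with no note, bank page whose certificate is noted under another name), beside the trusted/untrusted model he contrasts it with. The reissued-certificate case also covers Arcane Jill's later point that a certificate issued behind the user's back changes the fingerprint. SHA-256 over the DER bytes as the fingerprint and the byte strings standing in for certificates are both assumptions of the example.

```python
import hashlib
from enum import Enum

class Verdict(Enum):
    UNKNOWN = "no note for this certificate"          # fine for a site never seen before
    KNOWN = "certificate has a note"                  # informational: show its pet name
    MATCH = "certificate carries the expected note"   # green
    MISSING = "expected a noted site, no note found"  # red flag: new or bogus cert on "bank"
    WRONG_NAME = "noted under another pet name"       # red flag: joke-site cert on a "bank" page

def fingerprint(der_cert: bytes) -> str:
    # SHA-256 over the DER bytes; the hash choice is an assumption of this example.
    return hashlib.sha256(der_cert).hexdigest()

class PetnameNotepad:
    """The piece of paper next to the computer: fingerprint -> pet name."""
    def __init__(self) -> None:
        self._notes = {}

    def write_down(self, der_cert: bytes, petname: str) -> None:
        self._notes[fingerprint(der_cert)] = petname

    def check(self, der_cert: bytes, expected=None):
        # `expected` is who the user believes the page belongs to ("bank"); None for a random site.
        name = self._notes.get(fingerprint(der_cert))
        if name is None:
            return (Verdict.UNKNOWN if expected is None else Verdict.MISSING), None
        if expected is None:
            return Verdict.KNOWN, name
        return (Verdict.MATCH if name == expected else Verdict.WRONG_NAME), name

def binary_trust_check(trusted: set, der_cert: bytes) -> bool:
    # The trusted/untrusted model zooko contrasts with: any trusted cert is "green", whatever the page claims.
    return fingerprint(der_cert) in trusted

BANK_CERT = b"constructed-der:bank-v1"          # constructed stand-ins for DER certificates,
JOKE_CERT = b"constructed-der:harry-jokes-v1"   # not real certificates
BANK_CERT_REISSUED = b"constructed-der:bank-v2" # same site, a different certificate

def demo() -> dict:
    pad = PetnameNotepad()
    pad.write_down(BANK_CERT, "bank")
    pad.write_down(JOKE_CERT, "joke site from Harry")
    return {
        "bank_ok": pad.check(BANK_CERT, "bank")[0],                    # MATCH
        "joke_as_bank": pad.check(JOKE_CERT, "bank")[0],               # WRONG_NAME
        "reissued_as_bank": pad.check(BANK_CERT_REISSUED, "bank")[0],  # MISSING
        "random_site": pad.check(b"constructed-der:elsewhere")[0],     # UNKNOWN
        "joke_green_in_binary_model": binary_trust_check({fingerprint(BANK_CERT), fingerprint(JOKE_CERT)}, JOKE_CERT),  # True
    }
```
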



Re: Fingerprint Firefox Plugin?

2007-10-24 Thread Anne & Lynn Wheeler

zooko wrote:
Suppose you did have a convenient way to display the SSL certificate for 
every site whenever you loaded a page from the site. You probably 
wouldn't want to memorize all the certificates for the secure sites that 
you care about, so you might instead write some notes on a piece of 
paper next to your computer, for example writing down an SSL certificate 
and then next to it writing "bank", and then writing down another one 
and then next to it writing "mail", and so on.


Then, whenever you load a page, you would look at the SSL certificate 
that is linked to that page and glance at your notepad to see which 
description it maps to. If you are looking at a random web site that 
you've never seen before, and the certificate doesn't appear on your 
notes, then no big deal. If you are looking at a page that appears to 
belong to your bank, and the certificate that came with that page 
doesn't appear on your notes, then this is a big red flag! Likewise, if 
you are looking at a page that appears to belong to your bank, and the 
certificate appears on your notes, but the note next to it doesn't say 
"bank", then this is a red flag, too! For example, it might be the 
certificate of your mail service, which appears on your paper along with 
the note "mail". Or it might just be a certificate that appears on your 
paper along with the note "joke site from Harry".


Note that a system which classified certificates into "trusted" or 
"untrusted" categories might give you the green flag even when a 
certificate that you trust to serve up good jokes is serving up 
something that appears to be your bank account.


So, the thing about writing down certificates and mapping them to short 
hand-written notes is what the Pet Name Toolbar automates for you:


https://addons.mozilla.org/en-US/firefox/addon/957



the design point for certificates was first time communication between total
strangers (aka the letters of credit/introduction from sailing ship days).

certificates have also somewhat tried moving into no-value market segment for
relying parties that had no (and/or couldn't cost justify) mechanism for
recording information about other parties they were dealing with.

by comparison pgp had assumed some mechanism for relying parties being able to
record information about the parties that they had dealings with. huge number of
infrastructures have had well entrenched infrastructures for recording
information about parties that they dealt with ... it just has been that the
authentication related information (for these infrastructures) has tended to be
shared secrets. many of these infrastructures could have been upgraded from
shared secrets to public key ... w/o having any impact on the business and/or
trust models ... and furthermore by the very nature of the existing
infrastructures, the paradigm behind digital certificates wasn't applicable
(i.e. digital certificates being totally redundant and superfluous).

recent thread/posting about it being much more natural for simple upgrade
of kerberos infrastructure from shared secrets to public key ... w/o the
exorbitant additional overhead and processing introduced by digital
certificates.
http://www.garlic.com/~lynn/2007q.html#2 Windows Live vs Kerberos
http://www.garlic.com/~lynn/2007q.html#5 Windows Live vs Kerberos

when we were called in to consult with this small client/server startup
that wanted to do payment transactions on their server ... since then it
has somewhat come to be called electronic commerce
http://www.garlic.com/~lynn/subnetwork.html#gateway

one of the technologies they had invented was SSL ... and we had
to do some work on applying SSL to real business processes and also
do some end-to-end audits of the whole series of operations ... including
these things that were calling themselves certification authorities

one of the things that undermined original assumptions applying
SSL to business processes was the whole "click" paradigm ... discussed
in more detail in this recent post
http://www.garlic.com/~lynn/2007q.html#30
and the assumptions about SSL as countermeasure and the related
threat models.

another aspect of SSL, certification authorities, digital certificates
was the whole issue behind what is meant by certification process ... and
what certifications were represented by digital certificates.

during the initial decade or so of electronic commerce something over
70 percent of the transactions were done by less than 100 websites
(activity is highly skewed). these websites were both well known and
also carried a lot of repeat business ... invalidating one of the
original/primary justifications for having digital certificates.
so a very few websites did majority of transactions and didn't
need certification. by comparison, the vast majority of websites
were only doing a very, very few electronic transactions
(especially those involving large percentage of first interaction
between complete strangers) ... and couldn'

Re: Fingerprint Firefox Plugin?

2007-10-25 Thread Igal Yoffe

Arcane Jill wrote:
Can anyone tell me... is there a Firefox plugin which allows one to view 
the fingerprint of the SSL certificate of each page you visit (e.g. in 
the status bar or address bar or something)?


Better still if it can learn which ones you trust, but just being able 
to view them without having to jump through hoops would be a good start.


You could try TrustBar
http://trustbar.mozdev.org/installation.html

Regards,
Igal Yoffe




Re: Fingerprint Firefox Plugin?

2007-10-29 Thread Arcane Jill



-Original Message-
From: zooko [mailto:[EMAIL PROTECTED]
Sent: 24 October 2007 06:52
To: Arcane Jill
Cc: cryptography@metzdowd.com
Subject: Re: Fingerprint Firefox Plugin?


Please let us know how it works for you.


My experience is very positive. It seems to be /exactly/ what I want, because I
don't necessarily trust Verisign or Thawte or any of the other hundreds of
Root CAs which my browser trusts. I don't believe that every single one of them
would say no if some government, or military, or corporation with enough money,
asked/ordered them to issue a bogus certificate, but I do know that if that
were to happen, the fingerprint would change, and Petname Tool would flag me a
warning. It is an absolutely wonderful tool, as it moves trust from where it
doesn't belong (a bunch of faceless organisations whom I have no more reason to
trust than the websites I'm visiting) to where it does belong (in my own
hands). I love it!

I guess other people might want to know this, either because they need to adopt
the same security principles (if they are sound), or to criticize it (if not).

Arcane Jill
