Browser Extension Defeats Internet Eavesdropping

Pickens writes to tell us that researchers at Carnegie Mellon University have created a simple system to help prevent man-in-the-middle attacks. Using a preset list of friendly sites called 'notaries,' the new 'Perspectives' system helps users to authenticate sites that require secure communications. Additionally this should help with the recently debated solution implemented by Firefox that has so many users frustrated and confused. "By independently querying the desired target site, the notaries can check whether each is receiving the same authentication information (a digital certificate), in response. If one or more notaries report authentication information that is different than that received by the browser or other notaries, a computer user would have reason to suspect that an attacker has compromised the connection."
  • by TorKlingberg ( 599697 ) on Monday August 25, 2008 @01:33PM (#24739273)
    Interesting idea, but it will not work if the man-in-the-middle is hijacking the website's connection rather than the user's.
  • by querist ( 97166 ) on Monday August 25, 2008 @01:38PM (#24739375) Homepage

    The idea of "notaries" is essentially the same idea as having the Certificate Authorities: a third party who is considered trustworthy and sufficiently diligent that the third party would take the appropriate measures to verify something before signing off on it.

    Who picks these people/companies?

    Why not use a system like PGP, building a web of trust?

    Disclaimer: I am a SC Notary Public.

  • by keithadler ( 562733 ) * on Monday August 25, 2008 @01:49PM (#24739511)
    1. Bringing down notaries would bring down all SSL/TLS traffic
    2. Compromising the extension itself could allow for proxying of SSL traffic; exposing private information
    3. Using the notaries increases the footprint of SSL traffic; increasing the attack surface
  • Phishers Rejoice! (Score:1, Interesting)

    by Anonymous Coward on Monday August 25, 2008 @01:51PM (#24739531)

    "When Firefox users click on a Web site that uses a self-signed certificate, they get a security error message that leaves many people bewildered," says Andersen. Once Perspectives has been installed in the browser, however, it can automatically override the security error page without disturbing the user if the site appears legitimate.

    Overriding the security error page just because the site has a self-signed cert that appears legitimate? How do you determine legitimacy? Just because a site has a self-signed cert doesn't mean it's legitimate, it just means it has a self-signed cert. In fact, I prefer to be warned if I'm connecting to a site with a self-signed cert so I can choose whether to connect to the site or not.

    Nothing good can come from hiding important security information from the user. Make it unobtrusive as possible, but never hide it.

  • band aids (Score:4, Interesting)

    by jacquesm ( 154384 ) <j@NoSpam.ww.com> on Monday August 25, 2008 @01:54PM (#24739563) Homepage

    This will have some effect, but it really is a band aid. If the certificate authorities would be doing their jobs and browsers would be more strict about using 'bad' certificates then this problem would not exist in the first place.

    The greed of the certificate issuers is what has devalued the security.

    Multiple layers of such security are not the same as a real solution.

  • by Tom ( 822 ) on Monday August 25, 2008 @01:54PM (#24739569) Homepage Journal

    I think the point is that a large-enough number of candidates plus a random selection equals statistical trust - the larger the base, the less likely it is that there isn't at least one uncompromised notary in your random sample.
    A CA will always have the single-point-of-failure problem. While infiltrating Thawte certainly isn't something your average Chinese hacker kid can do, it is certainly within the abilities of the NSA, or the KGB. The "web of trust" approach and the "we pick someone at random from a large crowd" approach both make it prohibitively expensive to compromise the sources of trust.

    If you pick 5 sources at random, even from a crowd where 50% have been compromised, you still have a 1-(0.5^5) ~= 97% chance of having at least one uncompromised trust source. That's a pretty good record against an enemy who could compromise half of what could be millions of candidates.

  • by Anonymous Coward on Monday August 25, 2008 @01:55PM (#24739573)

    The idea of "notaries" is essentially the same idea as having the Certificate Authorities

    Nope.

    By having several "Notaries" you can ask for verification, you do not need to put all your trust in a single party: ask multiple Notaries and only accept if all return the same info.

    If you want to include the possibility that one of those notaries goes bad (wonky connection, hijacked or simply not doing its job) then accept the info if the majority agrees on it.

    Personally I think a method like this (which spreads the risk) will be better than a single chain-linked organisation (where you dangle at the end of that chain).
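
Added example (not part of the thread and not Perspectives' own code): the two acceptance rules described in the comments above, "all notaries agree" versus "a majority agrees", together with the chance that each rule accepts a forged key when notaries are sampled at random. The notary names, fingerprints, function names and the independent-compromise model are assumptions made for illustration.

```python
from math import comb

def decide(observed, reports, policy="unanimous"):
    """observed: key fingerprint the browser received.
    reports: notary name -> fingerprint that notary saw, or None if unreachable."""
    if all(fp is None for fp in reports.values()):
        return "no-data"  # nothing to compare against; never treat as agreement
    agree = sum(1 for fp in reports.values() if fp == observed)
    if policy == "unanimous":
        needed = len(reports)           # every queried notary must answer and agree
    elif policy == "majority":
        needed = len(reports) // 2 + 1  # tolerates a minority of bad or silent notaries
    else:
        raise ValueError(f"unknown policy: {policy}")
    return "accept" if agree >= needed else "suspect"

def forged_key_accepted(p, k, policy):
    """Chance the client accepts a forged key when each of k randomly sampled notaries
    is, independently with probability p, colluding and vouching for that key."""
    needed = k if policy == "unanimous" else k // 2 + 1
    return sum(comb(k, i) * p**i * (1 - p)**(k - i) for i in range(needed, k + 1))

# Constructed sample: four notaries see the site's key, one reports something else.
REPORTS = {"n1": "aa:11", "n2": "aa:11", "n3": "aa:11", "n4": "aa:11", "n5": "ff:99"}

if __name__ == "__main__":
    for policy in ("unanimous", "majority"):
        print(policy, decide("aa:11", REPORTS, policy),
              f"forged key accepted: {forged_key_accepted(0.5, 5, policy):.3f}")
```

With p = 0.5 and k = 5 the unanimous rule accepts a forged key with probability 0.5^5 (about 3%), the complement of the roughly 97% figure quoted above, while the majority rule accepts it half the time: tolerating a faulty notary costs resistance to colluding ones.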

  • Easy DoS Attack (Score:5, Interesting)

    by plsuh ( 129598 ) <plsuh@noSpAM.goodeast.com> on Monday August 25, 2008 @02:07PM (#24739737) Homepage

    Folks,

    Nice try, but this scheme is a bad idea. It opens up a really easy DoS attack. All the attacker has to do is present a bogus certificate or SSH host key to a quorum of the notaries. BAM -- the server is now blocked. In fact, if the attacker can do this over a sustained period, he can masquerade as the actual server.

    There's a reason why PKI works the way it does. There's a reason why you should use certificates or key pairs for authentication. The proposed system doesn't really help. Given that you can get a real SSL certificate for $15/year these days, only laziness leads to the use of a self-signed certificate.

    I read the darn paper (yeah, yeah, I know, this is Slashdot, I'm not supposed to do that). They have a DoS column in their table in the Security Analysis section but don't discuss DoS in the text at all. Notaries need to be well known and are thus obvious candidates for a DNS-based attack. Next!

    --Paul

  • Re:band aids (Score:2, Interesting)

    by Atriqus ( 826899 ) on Monday August 25, 2008 @02:24PM (#24739971) Homepage
    I have to agree about CA greed. Whenever I see a site using a Mozilla approved CA, my initial thought is no longer whether my connection is secure, but rather an acknowledgment that the site paid protection to Verisign that year.
  • Just an extra hoop? (Score:3, Interesting)

    by k1e0x ( 1040314 ) on Monday August 25, 2008 @02:33PM (#24740125) Homepage

    But in a MitM attack.. If the DNS can be intercepted and rerouted to a spoofed site.. or the cert can be intercepted on the fly and regenerated.. why can't the information sent back from the notary also be forged?

    Seems like an extra hoop for hackers to jump through but not an impossible one.

  • by redbu11 ( 1343351 ) on Monday August 25, 2008 @02:44PM (#24740295)
    Trust isn't the key problem with CAs.
    The key issue is that CAs like Thawte or Verisign do not scale. They manually verify each certificate request, a very expensive and labor-intensive process. A customer ordering an SSL certificate for https://www.acme.com/ must provide the CA with legal documents showing that (a) ACME corp actually exists, (b) he really works for ACME, (c) he is authorized to request the certificate, and so on.
    All submitted documents are manually verified by the CA (at least in theory). Sometimes, they look up the company in a phone directory and call the public phone number to check that the requester really works for the company, etc.
    That's why CA-issued certificates are so expensive; for example, a 1-year Thawte SSL cert costs US $249. The certificate alone costs more than what shared hosting with php5 and mysql would cost, per year!
    The expensive, manual verification process is the key problem with modern CAs and "notaries" provide an excellent solution to it.
  • Re:Excellent!! (Score:3, Interesting)

    by mccabem ( 44513 ) on Monday August 25, 2008 @02:49PM (#24740369)

    I can see having multiple paths to your destination host (the server) will probably eliminate most MITM attacks under this system. However, our presumption of honesty is with the ISPs of course. If they decide to go "man in the middle" again (reaching a little for argument's sake) at the request of the government (or otherwise) are all bets still off? In other words, if all paths are considered to be compromised/under attack before the first use of the Notary system, can it still be considered effective in some way?

    Thanks!
    -Matt

  • Re:Excellent!! (Score:3, Interesting)

    by camperdave ( 969942 ) on Monday August 25, 2008 @03:41PM (#24741165) Journal
    Self-signed certificates are useful only to indicate that you are having a conversation with an anonymous person, and NO assertions about the identity using the private key can be made.

    Can you not, with reasonable certainty, be confident that the anonymous person you're dealing with now is the same anonymous person who was using the key last month? After all, the exchange of keys is supposed to take place over a secure channel.
