Browser

Perspectives: better than CAs?

Check out the Perspectives extension for Firefox to improve validation of HTTPS encrypted session certificates.

Check out the Perspectives extension for Firefox to improve validation of HTTPS encrypted session certificates.


Last Tuesday, Sterling Camden (of TechRepublic's IT Consultant Weblog and his own Chip's Tips development Weblog) contributed an article to Geeks Are Sexy about Perspectives, the new independent SSL/TLS certificate verification system created by researchers at Carnegie Mellon University's CyLab. The article, titled Perspectives extension for Firefox gives second opinion on security, is an introduction to how the Firefox extension works and what it does for the user, and provides a good review of Perspectives in actual use.

I won't provide a review of how it works. Not only has Sterling already done an admirable job at GAS, but there isn't a Perspectives extension for Firefox compatible with my OS platform of choice (FreeBSD) yet. My experience with it is necessarily limited by the fact I can only use it on a secondary system -- essentially in a testing environment -- and as such I couldn't easily offer a more in-depth review than Sterling's at this time.

Perspectives is designed to provide some warning in case of attempted man-in-the-middle attacks and other threats to your security that may manifest as certificates that don't match the certificates issued to other site visitors. Rather than attempting to validate certificates by acting as a third party registration authority, Perspectives checks the certificate you receive against those others receive to determine whether what you're getting is out of the ordinary -- and, therefore, suspicious.

When I first read about Perspectives, my first thought was about the social engineering aspects of its effect on security. My second was about what its social engineering effects on security say about the entire Certification Authority model of encryption certificate validation.

The problem with the CA model is that it inspires a false sense of security. End users in general are often predisposed to trust any sufficiently large organization that sets itself up as an "authority" to honestly and effectively serve as a replacement for the end user's own power of reason.

It's reasonable to expect to be able to, in effect, hire an expert to help you make informed decisions, of course. We can't all be experts in everything -- there just isn't enough time in the day to maintain comprehensive expertise in everything we do. Getting guidance from an expert working on your behalf is not the same as trusting a CA to make your decisions for you, however.

The entire CA business model is predicated upon the sale of CA-signed certificates. This "signature" is meant to serve as a means of validating the certificate for the period before its expiration date, indicating your encrypted connection has been established with the site you expect -- rather than some other site that has inserted itself between your browser and the target Webserver. Many people assume this validation means the Website from which their browsers downloaded the certificate is safe, because they simply don't understand that all it is meant to guarantee is that you're talking to the "right" people.

While it has the potential to offer a decent means of validating that your encrypted connection is directly established with the right domain, this depends on your browser interface's handling of certificate validation. Many browsers only tell you anything at all about browser validation if the target domain and the certificate you receive do not match. If they do match, you see nothing to indicate whether you're actually connected to the right Website or just a victim of DNS spoofing.

These CA-signed certificates don't tell you anything about the domain's registrants other than the fact they can afford the CA's fees and are willing to provide (possibly fraudulent) identifying information. There are of course mechanisms used by CAs to disallow fraudulently identified people or organizations from getting certificates, but only enough to make the CAs feel they've sufficiently protected themselves from legal action or significant damage to their reputations.

By contrast, the Perspectives extension for Firefox doesn't care whether anyone has paid a third party to sign an encryption certificate. It works just as well for self-signed certificates as for those signed by a Certification Authority. What it does care about is whether the certificate a site offers to other visitors is the same certificate your browser just receives. It is a more directly effective, and less limited, approach to certificate validation.

At least at present, Perspectives should provide users with an alternative validation model that is more universally effective at protecting the security of the end user than the CA model. It alone does not make your online activities via encrypted connections entirely secure any more than simply trusting a CA signing model of certificate validation, however. If the Website to which you've connected does not properly implement a secure encrypted connection, if the Webserver is not properly secured against direct compromise, or if the people who run that Webserver are themselves simply not trustworthy, you have no more guarantee of security in either case than if your connect is not encrypted at all.

The Perspectives extension can be configured to either check every certificate against Notary servers -- the validation servers against which Perspectives checks certificates -- or only those that produce an error. If you choose the latter, you are essentially telling the Perspectives extension that you trust all CA signed certificates that haven't expired and match the domain to which your browser has connected. I think of that approach as the "greater convenience" approach, which saves the user from having to think about some certificate errors produced by the browser by making some of those warnings go away. If you choose the former, checking every single certificate against Notary servers regardless of who signed it, you have a means of improving certificate validation across the board because it double-checks even the certificates signed by a CA.

That's how I recommend using it. The OpenSSH client may also provide a means to improve security when establishing encrypted sessions on remote SSH servers.

Overall, the Perspectives approach to certificate and encryption key validation is a good one in principle. The Firefox extension interface works smoothly and stays out of the user's way, and adding Perspectives validation to your encrypted session clients certainly won't hurt security. Perspectives is definitely worth a try.


Note: Michael Kassner also has an article about Perspectives in the Network Administrator Weblog, posted last Thursday -- SSL/TLS certificates: Perspectives helps authentication

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

8 comments
bandman
bandman

on web SSL certs on Michael Kassner's blog entries too. Perspectives sounds great, but I haven't had a chance to use it. The idea is useful as long as you can trust the notary servers handing out recommendations.

apotheon
apotheon

I just can't keep up with every single TR blog and article category all the time. Oh, well -- I guess redundancy is bound to happen. (edit: . . . and, luckily, my article had a somewhat different subject focus than yours, so they're not entirely redundant.) Thanks for the link.

apotheon
apotheon

That's the point -- you don't have to trust any given source. You just have to realize how unlikely it is for several notary servers to all be wrong in the same way.

Michael Kassner
Michael Kassner

Chad, I apologize. I just mentioned that I was doing a series on this subject and have been in contact with the people that developed Perspectives. You or Chip didn't mention being able to offer that, so I thought I would offer that capability if anyone had a particular question. I have the utmost respect for your insight and was just trying to point the members to a post that purveyed a slightly aspect than what you or Chip discussed. .

tony
tony

I feel warm and fuzzy...

Michael Kassner
Michael Kassner

My utmost concern is TR members and that's why I immediately linked your article in mine. Kudos to you, Chad.

apotheon
apotheon

There's nothing to apologize for. I appreciated the link you provided, and took what you said in the most positive light. The fact each of our three articles (yours at Network Administrator, mine at IT Security, and Sterling's at GAS) all deal with slightly different aspects of what makes Perspectives interesting and how it fits into the world of SSL/TLS certificate validation, and overall I think that means our readers have a wealth of information on the subject. Everybody wins. I just wish I'd noticed before I published my article that yours already existed, so I could have incorporated references to it into the body of my own article from the beginning. C'est la vie. Keep up the good work, Michael.

Editor's Picks