Check out the Perspectives extension for Firefox to improve validation of HTTPS encrypted session certificates.

Last Tuesday, Sterling Camden (of TechRepublic’s IT Consultant Weblog and his own Chip’s Tips development Weblog) contributed an article to Geeks Are Sexy about Perspectives, the new independent SSL/TLS certificate verification system created by researchers at Carnegie Mellon University’s CyLab. The article, titled Perspectives extension for Firefox gives second opinion on security, is an introduction to how the Firefox extension works and what it does for the user, and provides a good review of Perspectives in actual use.

I won’t provide a review of how it works. Not only has Sterling already done an admirable job at GAS, but there isn’t a Perspectives extension for Firefox compatible with my OS platform of choice (FreeBSD) yet. My experience with it is necessarily limited by the fact I can only use it on a secondary system — essentially in a testing environment — and as such I couldn’t easily offer a more in-depth review than Sterling’s at this time.

Perspectives is designed to provide some warning in case of attempted man-in-the-middle attacks and other threats to your security that may manifest as certificates that don’t match the certificates issued to other site visitors. Rather than attempting to validate certificates by acting as a third party registration authority, Perspectives checks the certificate you receive against those others receive to determine whether what you’re getting is out of the ordinary — and, therefore, suspicious.

When I first read about Perspectives, my first thought was about the social engineering aspects of its effect on security. My second was about what its social engineering effects on security say about the entire Certification Authority model of encryption certificate validation.

The problem with the CA model is that it inspires a false sense of security. End users in general are often predisposed to trust any sufficiently large organization that sets itself up as an “authority” to honestly and effectively serve as a replacement for the end user’s own power of reason.

It’s reasonable to expect to be able to, in effect, hire an expert to help you make informed decisions, of course. We can’t all be experts in everything — there just isn’t enough time in the day to maintain comprehensive expertise in everything we do. Getting guidance from an expert working on your behalf is not the same as trusting a CA to make your decisions for you, however.

The entire CA business model is predicated upon the sale of CA-signed certificates. This “signature” is meant to serve as a means of validating the certificate for the period before its expiration date, indicating your encrypted connection has been established with the site you expect — rather than some other site that has inserted itself between your browser and the target Webserver. Many people assume this validation means the Website from which their browsers downloaded the certificate is safe, because they simply don’t understand that all it is meant to guarantee is that you’re talking to the “right” people.

While it has the potential to offer a decent means of validating that your encrypted connection is directly established with the right domain, this depends on your browser interface’s handling of certificate validation. Many browsers only tell you anything at all about certificate validation if the target domain and the certificate you receive do not match. If they do match, you see nothing to indicate whether you’re actually connected to the right Website or just a victim of DNS spoofing.

These CA-signed certificates don’t tell you anything about the domain’s registrants other than the fact they can afford the CA’s fees and are willing to provide (possibly fraudulent) identifying information. There are of course mechanisms used by CAs to disallow fraudulently identified people or organizations from getting certificates, but only enough to make the CAs feel they’ve sufficiently protected themselves from legal action or significant damage to their reputations.

By contrast, the Perspectives extension for Firefox doesn’t care whether anyone has paid a third party to sign an encryption certificate. It works just as well for self-signed certificates as for those signed by a Certification Authority. What it does care about is whether the certificate a site offers to other visitors is the same certificate your browser just received. It is a more directly effective, and less limited, approach to certificate validation.

At least at present, Perspectives should provide users with an alternative validation model that is more universally effective at protecting the security of the end user than the CA model. It alone does not make your online activities via encrypted connections entirely secure any more than simply trusting a CA signing model of certificate validation, however. If the Website to which you’ve connected does not properly implement a secure encrypted connection, if the Webserver is not properly secured against direct compromise, or if the people who run that Webserver are themselves simply not trustworthy, you have no more guarantee of security in either case than if your connection is not encrypted at all.

The Perspectives extension can be configured to either check every certificate against Notary servers — the validation servers against which Perspectives checks certificates — or only those that produce an error. If you choose the latter, you are essentially telling the Perspectives extension that you trust all CA-signed certificates that haven’t expired and match the domain to which your browser has connected. I think of that approach as the “greater convenience” approach, which saves the user from having to think about some certificate errors produced by the browser by making some of those warnings go away. If you choose the former, checking every single certificate against Notary servers regardless of who signed it, you have a means of improving certificate validation across the board because it double-checks even the certificates signed by a CA.

That’s how I recommend using it. The OpenSSH client may also provide a means to improve security when establishing encrypted sessions on remote SSH servers.
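To make the cross-check concrete, here is an added Python illustration of the idea described above: the fingerprint of the certificate your client received is compared against what several independent notary vantage points report having seen for the same host, and the “check everything” versus “only on error” modes decide when that comparison is consulted at all. This is not the Perspectives extension’s or CyLab’s code; the notary names, the observation history, the 75% quorum and the two-day minimum duration are constructed assumptions for the example.

```python
"""Notary-style certificate cross-check, in the spirit of Perspectives.

Added illustration only (not the extension's code). Assumed model: each
notary reports, for one host, which certificate fingerprints it has seen
and the first/last time it saw each. A certificate is considered
consistent when a quorum of notaries currently see the same fingerprint
and have seen it long enough to rule out a very recent switch.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass
class Observation:
    fingerprint: str        # SHA-256 fingerprint of the certificate seen
    first_seen: datetime    # start of the continuous period it was seen
    last_seen: datetime     # most recent time it was seen


def fingerprint(der_cert: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def notary_check(observed_fp, notary_reports, now, quorum=0.75, min_days=2):
    """Compare the fingerprint the client received against notary reports.

    notary_reports maps notary name -> list[Observation] for this host.
    Returns (verdict, detail) where verdict is 'consistent', 'suspicious'
    or 'unknown' (no notary answered).
    """
    answered = [name for name, obs in notary_reports.items() if obs]
    if not answered:
        return "unknown", "no notary data for this host"
    agreeing = []
    for name in answered:
        # The key this notary currently sees is its most recent observation.
        current = max(notary_reports[name], key=lambda o: o.last_seen)
        seen_long_enough = now - current.first_seen >= timedelta(days=min_days)
        if current.fingerprint == observed_fp and seen_long_enough:
            agreeing.append(name)
    detail = f"{len(agreeing)}/{len(answered)} notaries agree: {sorted(agreeing)}"
    if len(agreeing) / len(answered) >= quorum:
        return "consistent", detail
    return "suspicious", detail


def decide(observed_fp, browser_validation_ok, mode, notary_reports, now):
    """Apply the two configuration modes discussed in the article.

    mode 'on_error': trust the browser's own CA/domain validation when it
    passes, and only ask the notaries when it fails.
    mode 'all': ask the notaries for every certificate, CA-signed or not.
    """
    if mode == "on_error" and browser_validation_ok:
        return "accepted-by-browser"
    verdict, _ = notary_check(observed_fp, notary_reports, now)
    return verdict


# --- constructed sample data (not real certificates or notaries) ---------
NOW = datetime(2008, 9, 1, 12, 0, 0)
FP_A = fingerprint(b"constructed DER bytes for the site's long-standing cert")
FP_B = fingerprint(b"constructed DER bytes for a cert only one vantage point sees")
REPORTS = {
    "notary-1": [Observation(FP_A, NOW - timedelta(days=40), NOW)],
    "notary-2": [Observation(FP_A, NOW - timedelta(days=35), NOW)],
    "notary-3": [Observation(FP_A, NOW - timedelta(days=30), NOW)],
    # This vantage point has been shown a different certificate since yesterday.
    "notary-4": [Observation(FP_A, NOW - timedelta(days=30), NOW - timedelta(days=1)),
                 Observation(FP_B, NOW - timedelta(days=1), NOW)],
}

if __name__ == "__main__":
    for fp, label in ((FP_A, "long-standing cert"), (FP_B, "odd cert")):
        print(label, notary_check(fp, REPORTS, NOW))
    print("on_error, browser happy:", decide(FP_B, True, "on_error", REPORTS, NOW))
    print("all, browser happy:     ", decide(FP_B, True, "all", REPORTS, NOW))
```

The last two lines of the demo are the point of the article’s recommendation: in “on_error” mode a certificate the browser already accepts is never cross-checked, so a CA-signed certificate that only you are being shown slips through, while in “all” mode the notary disagreement surfaces as “suspicious”.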

Overall, the Perspectives approach to certificate and encryption key validation is a good one in principle. The Firefox extension interface works smoothly and stays out of the user’s way, and adding Perspectives validation to your encrypted session clients certainly won’t hurt security. Perspectives is definitely worth a try.

Note: Michael Kassner also has an article about Perspectives in the Network Administrator Weblog, posted last Thursday — SSL/TLS certificates: Perspectives helps authentication