Login

Please login to Techworld.com

Forgot password?
Need your new account confirmation email resent?
Forgot email?

Not a member yet?

Register for a Techworld Account and enjoy unlimited access to our extensive white paper library and exclusive Enterprise multi-user software trials. Account members can also comment on articles and access best practices guides.

Security

Top How-Tos / Advice articles

University offers fix for Firefox SSL-certificate warnings

No more 'man-in-middle' attacks.

By Ellen Messmer, Network World (US) | Published: 09:52, 26 August 2008

Carnegie-Mellon University has announced a free add-on to Mozilla Firefox 3.0 that's intended to resolve the browser's security warning when a website's SSL certificate has expired, or has not been issued by a trusted third party.

The Firefox add-on was developed at the university's School of Computer Science and College of Engineering, and is available for download here. According to the university, the Perspectives software not only protects Firefox users against attacks that might occur because of the recently disclosed software flaw in the DNS, but it also defends against some digital-certificate problems that crop up in everyday use.

"When Firefox users click on a website that uses a self-signed certificate, they get a security error message that leaves many people bewildered," said David Andersen, assistant professor of computer science at Carnegie-Mellon University, in a statement. But once Perspectives is installed in the Firefox, the browser can automatically override the security error page without disturbing the user if the site appears legitimate.

According to information provided by the university, the Perspectives system augments the certificates provided by VeriSign, Comodo and Godaddy, which reduce the risk of man-in-the-middle attacks by authenticating websites.

The Perspectives system, which uses "notaries" to query the desired site and check authentication information, is said to provide an extra measure of security for sites that don't use certificate authorities but instead use less expensive "self-signed" certificates.

The university says the system can detect if one of the certificate authorities may have been tricked into authenticating a bogus website and warn the Firefox user that the site is suspicious.

Researchers Andersen and Perrig also issued remarks that the Perspectives system will provide a defence against man-in-the-middle attacks that might occur in wireless LAN hot spots where users with mobile computers may seek to access public Wi-Fi service but get tricked into communicating with an attacker's computer instead.

Send to a friend

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.