2008 has not been a happy year for web security, especially regarding trust you can have in the identity of web site you're visiting:

  1. Dan Kaminski shook world's faith in DNS. BTW, you already checked your DNS hardness or switched to OpenDNS, didn't you? Anyway, DNS security or not, you cannot trust non-SSL traffic when you're traveling, or you're behind a proxy you can't control (TOR, for instance), or otherwise not using a trusted ISP... wait, do you really trust your ISP? OK, you should not trust non-SSL traffic, period.
  2. But then, Mike Perry demonstrated how cookies can be stolen from SSL-secured sites (and NoScript deployed some countermeasures).
  3. Unfortunately, a shameful incident revealed that you can easily buy a valid SSL certificate for a web site you're not related with, if you find an unscrupulous enough vendor: in this case, a mozilla.com certificate has been obtained by Eddy Nigg of StartCom Ltd. from the Certstar Comodo reseller, no question asked. Of course, as a work-around, you could remove the offending CA root, but you must expect side effects (I discovered this breaks cleverbridge e-commerce back-ends, for instance). And, most important, are you sure this is the only sloppy CA out there?
  4. As if this didn't suck enough, a speech has been given today at 253c by Alex Sotirov, Arjen Lenstra and other high-profile researchers, who managed to leverage known MD5 weaknesses and not-safe-enough practices of some certificate issuers to build their own rogue CA.

The implications of the 3rd and 4th scenarios are scary: as long as these issues stand, trusting internet transactions is an act of faith.
CAs definitely need to move their asses, performing and proving their due diligence on "basic validation" when issuing a proof of identity (which a certificate is), rather than focusing on overpriced "premium services". Obsolete technologies like MD5 in SSL certificates must be deprecated and banned, both by CAs and browser vendors, as soon as possible.

In the meanwhile, there's not much we as end-users can do, other than checking for a sudden and unjustified change in the SSL certificate of a site we usually do business with, and that's not simple either, because there's no built-in browser alert of the kind we've got in SSH clients, for instance. Anyway, some help can come from the Perspectives add-on for Firefox.

Even if Perspective's primary and most advertised aim is enabling SSH-style certificate "validation" for self-signed certificates (those not issued by an established certification authority), it can be configured to act a second validation layer for CA-signed certificates too, by checking their consistency from multiple internet nodes (called "Notaries") and/or over time:

  • Install the Perspectives add-on (if you are not a Firefox user, get Firefox first).
  • Open the Tools|Add-Ons Firefox's menu item, then select the Perspectives row and click the Options button.
  • In the Preferences panel of the Perspective options window, check Contact Notaries for all HTTPS sites.
  • Optionally clear the Allow Perspectives to automatically override security errors checkbox if you're not interested in managing self-signed certificates.
  • Optionally modify, in the Security Settings box, the required quorum (the fraction of Notaries which must agree) and the number of days this quorum must have been reach for.

This way you should obtain some protection against rogue but "valid" certificates.
Happy new year!

16 Responses to “Putting SSL in Perspectives”

  1. #1 Gary Johnson says:

    Thank you.

  2. #2 Cal-O-Ne says:

    "Perspectives" could not be installed because it is not compatible with your Shiretoko build type


  3. #3 Cal-O-Ne says:

    I think you should also have mentioned the extension "Certificate Patrol"

  4. #4 Ajaxian » MD5 hash collision gets people worried about PKI says:

    [...] we get SSL in perspectives which talks us through [...]

  5. #5 Alan Baxter says:

    Thank you, Giorgio and luntrus. Works fine so far.

  6. #6 MD5 hash collision gets people worried about PKI | How2Pc says:

    [...] we get SSL in perspectives which talks us through [...]

  7. #7 Ajax Girl » Blog Archive » MD5 hash collision gets people worried about PKI says:

    [...] we get SSL in perspectives which talks us through [...]

  8. #8 Tommy says:

    SSL Blacklist addon has been updated today to, and warns about certificate chains that use the MD5 algorithm for RSA signatures.The website is at


  9. #9 Nan M says:

    Grazie Prof.
    Best wishes for all your 2009 projects!

    And when will you facilitate donations via other than the devil PayPal?

  10. #10 Javascript News » Blog Archive » MD5 hash collision gets people worried about PKI says:

    [...] we get SSL in perspectives which talks us through [...]

  11. #11 MD5 hash collision gets people worried about PKI | Castup says:

    [...] we get SSL in perspectives which talks us through [...]

  12. #12 SSL-lekken opgelost door VeriSign | says:

    [...] Hier worden nog verdere instellingen voor Perspectives [...]

  13. #13 MD5 hash collision gets people worried about PKI | ieDevelopment.com says:

    [...] we get SSL in perspectives which talks us through [...]

  14. #14 MattJ says:

    I am grateful for the protection against "unsafe cookies" in Noscript, but what I really want is to know which of my home banking/e-commerce sites are setting unsafe cookies so that I can call customer support and scream at them.

    In fact, this sort of "social engineering" is the way to get the sluggards of industry to get on the ball and get serious about security.

  15. #15 Giorgio says:

    I'm all for putting the liability on site owners for the stupid security holes they leave open.
    Mike Perry's article has a paragraph about the thing you're asking for.

  16. #16 hackademix.net » More HTTPS Troubles says:

    [...] we already noticed, 2008 had not been a great year for Internet Security, and especially for SSL and HTTPS. Today, web sites relying upon encryption and certified identity [...]

Bad Behavior has blocked 729 access attempts in the last 7 days.