Slashdot Mirror
Browser Extension Defeats Internet Eavesdropping
Pickens writes to tell us that researchers at Carnegie Mellon University have created a simple system to help prevent man-in-the-middle attacks. Using a preset list of friendly sites called 'notaries,' the new 'Perspectives' system helps users to authenticate sites that require secure communications. Additionally this should help with the recently debated solution implemented by Firefox that has so many users frustrated and confused. "By independently querying the desired target site, the notaries can check whether each is receiving the same authentication information (a digital certificate), in response. If one or more notaries report authentication information that is different than that received by the browser or other notaries, a computer user would have reason to suspect that an attacker has compromised the connection."
Now certs can finally be about the way they are actually used. Encryption. This should put an end to the argument that verifying encryption without verifying the identity of the third party allows man-in-middle attacks.
unless the site was compromised and everyone started receiving the false certificate. Maybe they could also have a store of previous certs to compare it against?
------
"And may your days be long upon the earth."
I don't know the particulars, but might not a hostile be able to bring down entire segments of the network by intentionally giving incorrect information?
So the MiTM attacks the notaries as well. I call Fail.
They have spytech! THEY KNOW!!!
In His Likeness - A sarcastic webcomic about God & the Devil.
Interesting idea, but it will not work if the man-in-the-middle is hijacking the websites connection rather than the users.
I thought the whole point was to have an "authority" (like verisign etc) sign your certificate. So MitM can't just swap in their own cert because to change it would break the signature?
Or are they just shooting for a free alternative? signed SSL certs are more expensive than some smaller places want to bother with.
I work for the Department of Redundancy Department.
... they need is a way to secure those "Notaries"...
TOP DSLR Cameras Reviews of the top DSLRs
The idea of "notaries" is essentially the same idea as having the Certificate Authorities: a third party who is considered trustworth and sufficiently dilligent that the third party would take the appropriate measures to verify something before signing off on it.
Who picks these people/companies?
Why not use a system like PGP, building a web of trust?
Disclaimer: I am a SC Notary Public.
Stupid solution for a stupid problem.
Crying wolf by making people jump through hoops for self-signed sites doesn't stop MiTM attacks, it just trains people to ignore warnings about self-signed certs. This is a scheme for adding a kind of web of trust to the "is this the same certificate as last time" check. It's a good idea, but it shouldn't be conflated with the Firefox overreaction to self-signed certs.
If you have a central trusted key server, there's no problem, and you don't need this. The whole point of public-key encryption is to eliminate the need for a central key server. How vulnerable is this new thing in a world with a large number of phony "notary" sites?
People used to talk about voting-based "web of trust" approaches, but that stopped working when the bad guys got zombie farms.
1. Bringing down notaries would bring down all SSL/TLS traffic 2. Compromising the extension itself could allow for proxying of SSL traffic; exposing private information 3. Using the the notaries increases the footprint of SSL traffic; increasing the attack surface
Overriding the security error page just because the site has self-signed cert that appears legitimate? How do you determine legitimacy? Just because a site has a self-signed cert doesn't mean its legitimate, it just means it has a self-signed cert. In fact, I prefer to be warned if I'm connecting to a site with a self=signed cert so I can choose whether to connect to the site or not.
Nothing good can come from hiding important security information from the user. Make it unobtrusive as possible, but never hide it.
This will have some effect, but it really is a band aid. If the certificate authorities would be doing their jobs and browsers would be more strict about using 'bad' certificates then this problem would not exist in the first place.
The greed of the certificate issuers is what has devalued the security.
Multiple layers of such security are not the same as a real solution.
MP3 Search Engine
Folks,
Nice try, but this scheme is a bad idea. It opens up a really easy DoS attack. All the attacker has to do is present a bogus certificate or SSH host key to a quorum of the notaries. BAM -- the server is now blocked. In fact, if the attacker can do this over a sustained period, he can masquerade as the actual server.
There's a reason why PKI works the way it does. There's a reason why you should use certificates or key pairs for authentication. The proposed system doesn't really help. Given that you can get a real SSL certificate for $15/year these days, only laziness leads to the use of a self-signed certificate.
I read the darn paper (yeah, yeah, I know, this is Slashdot, I'm not supposed to do that). They have a DoS column in their table in the Security Analysis section but don't discuss DoS in the text at all. Notaries need to be well known and are thus obvious candidates for a DNS-based attack. Next!
--Paul
Maybe its time to do a clean slate and revamp the way SSL works. There have been too many patchworks, band-aids, antidotes, etc. Just as the way the MIT is working on doing a clean slate for the Internet, maybe someone should consider reconstructing SSL cert process from scratch. Just my 2 cents.
slashdot rocks
Yeah yeah yeah, there's a new thing that'll protect you 100% from hacks and then the next article is there's a new thing that can bypass all security protections and you're 100% likely to get hacked. If they're gonna keep running these stories, they might as well make them real:
"New anti-hacking methods developed. You drive to the web host's datacenter and sit down at the server that contains the site you want and open the HTML files from there"
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
Bruce Schneier once chatted with the president of Verisign about how much it would cost to compromise Verisign's root signing key.
They figured that organized crime could swing a leveraged buyout for USD15 million.
(Any errors in the above are my fault).
I thought of something recently, which I'm not sure if it is a tremendously stupid idea, or has some merit, and I've been wondering - why couldn't DNS possibly be used as an additional way to verify SSL? Here's what I mean - right now, when you connect to a given server, you use DNS to lookup the server's IP, then connect to the server, which sends you back a certificate with the public key of the server. Unfortunately, you have no way to verify that the public key you are purportedly receiving from 'the server' really came from 'the server', or belongs to the owner of that DNS record. What if the owner of the server has uploaded the certificate into DNS, which the browser could also download a copy (or maybe a hash, instead of the full cert) of the certificate from the DNS record for that server, to try to check if they match?
Now, there's at least one main problem I can think of with this - right now, DNS itself may not be trustworthy enough for this to work, as it is currently implemented. But, it seems to me we already need a more secure DNS system, because DNS is way too important to not be as secure as we can make it. If we're upgrading our DNS infrastructure, it would be an opportune time to add new features like this. I don't claim to be a security expert, so I don't know exactly how you would go about securing DNS, but as a start I would suggest this - most PKI systems are intended to avoid having a user need to receive and manually load a key from an off-the-net source. That's fine, as you don't want users to have to constantly have to do that for every new server they visit.
But, would it be that onerous to have users enter or import a key, once, for their ISP's DNS server, which would act as a "Strong Link" in the web-of-trust - one very strongly verified key that can be used as the link with which you can 'complete' the chain of verified identities? Once the connection between a user and their ISP's DNS server is strongly verified, the ISP's can basically do the same thing with whoever their 'upstream' DNS provider is, be that a root tld server, or a higher-level 'backbone ISP'. All connections between DNS servers would be encrypted using these 'strongly verified' public keys.
Now, I realize that for a given server, e.g. www.example.com, the 'root' servers don't know the IP address for the server 'www' in that domain - just the address for the 'example.com' DNS Server - but the root servers could then send either a fingerprint, or the public cert, back to your ISP's DNS server, so that when your DNS server contacts the example.com DNS Server, to retrieve the domain and cert info for the 'www.example.com' server, it can verify the identity of the example.com domain server.
One 'convenience' related problem I can think of, at least, is users who move from one network to another - e.g. someone with a laptop or other wireless, mobile device who is using another network - at work, at a coffee shop, hotel, airport, etc. That could potentially be resolved by always using the same DNS server regardless of which network you are on, instead of the local network's DNS server. That is, regardless of which network you are on, you always get DNS from your ISP. This means taking DNS out of DHCP (that is, going back to statically assigned IP addresses for DNS), or, maybe, you use the local DNS server once, to lookup your ISP's DNS server (oh, but I hear you saying - if you use a different DNS server even once, just to try to lookup your home DNS server, there is an opportunity for an attack; my answer is, I think, not really - remember, your computer has locally stored the cert for your home DNS server, which you strongly verified, setting us that 'strong link' I mentioned earlier - any attempt at an attack would likely fail to authenticate against the locally stored certificate, wouldn't it, which could then cause your OS to trigger some sort of DNS verification error).
Have I missed something stupid, or is there a reason a more secure DNS couldn't be built, and used as a trusted means of verifying DNS certs for other servers?
Certificates from trusted parties should be used to certify that the certificate signed to belong to www.yourbank.com actually does belong to yourbank.
When certificate authorities break down, and issue www.yourbank.com certificates to somecrook, things break down.
The master certificate of the certificate authority that issues such bad nonsense should be revoked ASAP, and things can go on as designed.
This helps against some MitM attacks, but not against outright false-flag scams. Also, it provides limited help against MitM attacks where the "middle" is close enough to the other end that it is between all the notaries and the site to be verified. (Though monitoring certificates received over time may help with that in many cases.)
If this was offered as an add-on to the use of signed certs rather than a security alternative, it would be a good system.
But in a MitM attack.. If the DNS can be intercepted and rerouted to a spoofed site.. or the cert can be intercepted on the fly and regenerated.. why can't the information sent back from the notary also be forged?
Seems like an extra hoop for hackers to jump through but not an impossible one.
Bringing liberty to the masses. - http://freetalklive.com/
So... to defeat a Man-in-the-Middle attack, you use another Man-in-the-Middle that you can trust?
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
I've been screwed since 1949.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
In Soviet Russia, Internet Eavesdropping Defeats YOU!
You know the "I" in "PKI" stands for "Infrastructure", right? How do you expect to have public-key encryption without a way of securely distributing the public keys? To prevent MITM you need to know that the public key really belongs to the party you want to communicate with. You either need some centralized authority (in other words, a CA) or you need the "web of trust".
I got your MITM attack right here! [youtube.com]
Absurdity: A statement or belief manifestly inconsistent with one's own opinion. -- Ambrose Bierce
Can we tag this one tnew please? :-)
So the MiTM attacks the notaries as well. I call Fail.
You would have to successfully attack the notary. That will be harder than successfully attacking the client.
It's easy to see how a browser plugin, which potentially has canned cerdentials for some notaries, could work even if the MITM is between the user and all the notaries.
But TFA is too sketchy to tell us what, if anything, prevents a MITM who is intercepting all traffic with the far end - both from the user and the notaries - from faking things identically for all the observers.
(Another risk is the MITM corrupting the download of the plugin - after which point all bets are off.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
It seems that the MITM can accomplish his deception if he is sufficiently close to either the server or the client. If he's next to either of them, he can replace all the data going in or all the data going out, so that all I/O seems to be the same.
In other words, your officemate decides to bridge your network connection through his computer without you realizing he's switched your cables. It doesn't really matter what the notaries say, because he can manipulate all of them to say the same thing, since all their responses are routed through his computer first. Identically, if he's on the server side, he can modify all the outgoing notary requests so all notaries see the same thing.
With respect to that, there's not much that can save you. But, someone evil in the intarwebs who is randomly a few hops from either the server or client will no longer have the power to pull off a MITM. They have to compromise either network-bottleneck to break it. Actually it surprises me that no one thought of this earlier. It's a simple concept which appears to serve its purpose (at least until empirical evidence finds otherwise).
Assuming that the add-on becomes a very popular item, and that many people begin using it... how long before we see the following: 1) Poisoned Notaries - hackers setting up their own notaries and somehow inserting them into the system? 2) ISPs getting annoyed with the extra traffic and throttling back? Or ISP-level security appliances becoming suspicious that one GET begets many more connections? (Granted, I think this would have to be a very very well liked add-on, with huge user numbers and very large amounts of certificate checking.) 3) "Transparent" MitM attacks... The man in the middle being transparent to the flow of the certificate, but intercepting other portions of the document? (IANAC, so I have no idea how difficult or complex that may be to implement; I imagine a bit more than normal, as it's not the current topic.)
This is similar to what we've done with WiKID (sourceforge.net). A hash of the server's cert is stored on the auth server and is sent down to the software token with the OTP. The token fetches the cert via the user's internet connection, hashes it and compare the two hashes. If it matches, the otp is presented and copied to the clipboard. and the default browser is launched to the website.
The key difference is that your server becomes the validation source and not a 3rd party.
So, the way to defeat internet eavesdropping is to have a centralized service that double-checks all the websites you go to?
Does anyone else think this is mutually incompatible with any concept of anonymity online? In other words, this reduces the risk of one form of eavesdropping by having you accept an entirely different form of eavesdropping.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
Opera has similar functionality for a few months now.
Ok, the error message for self-signed certs is a bit overly-alarmist, but I like one thing FF3 does that previous versions didn't - local certificate caching. So, if I've accepted the cert once, it never has to retrieve the cert again, so there is only one opportunity for a MITM, not an opportunity every time I visit the site. If I got the right cert the first time, then I'm secured from that point forward, and never see the nag message again.
Sounds like we are going from the "Two generals problem" to the "Byzantine generals problem" (or more specifically the "Commander and Lieutenants" solution to that problem) the latter of which can let a certain amount of generals be compromised and still have the desired outcome. Hey, math wins again! Was Charlie involved?
I like one thing FF3 does that previous versions didn't - local certificate caching.
That's how it should be done (and how I've been suggesting it for years), except it should be handled similarly to the way SSH does it. I think there's 6 cases to consider:
1. First time, if and only if you have not seen a certificate for that site before: "This is a self-signed certificate. Click here to accept it once, click here to accept it every time."
2. If a different self-signed certificate shows up, whether or not you selected 'accept it every time', "This certificate has changed. Someone may be attempting to trick you ... etc etc etc...".
3. If a CA-certified certificate shows up, and it had previously been self-signed, a similar warning, but less severe.
4. If a CA-signed certificate changes, tell the user that too, but informationally... not as a warning.
5. Don't notify for a new CA-signed certificate at all.
6. If a self-signed certificate shows up where a CA-signed certificate had previously shown up, THEN you pull out all the stops and require the folderol Firefox does right now. That's the case you REALLY have to watch for.
Maybe if the notaries were banks, or some other org that can pay damages when they enable some exploit to damage someone who trusts them, this system might be reliable. Because then the notaries' recommendation to trust the other site would actually have some consequences when they're inevitably wrong sometimes.
And if the transactions, with the questionable sites and the notaries themselves, were all recorded at yet another independent storage. Auditing those logs is the crux of any protection this system can offer.
--
make install -not war
So what's to stop evesdroppers from setting up fake responders ?
Does this really fix anything, or does it just bring about a new round of hide the sausage ?
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
Sure, with this system you can't just DNS spoof the website you are trying to eavesdrop on like you've been able to in the past. However, why not DNS spoof both the website and the notary? When the client asks the Notary for verification, the Mitm responds to the client dns request, tells it that the Notary can be found by connecting to the MitM's hacked Notary server which verifies the hacked certificate as being legit. All this does is make a days worth of work for some hackers to program a fake Notary server...or better yet, they'll just hack the REAL notary server and swap some certificate records.
Of course the best part is that it doesn't even prompt to install. And Mozilla doesn't recognize the extension.
I hate sigs, and refuse to have one.
Default whitelist:
www.pncbank.com
cards.chase.com
www.aa.com
smtp.andrew.cmu.edu
www.citicards.com
mcp.microsoft.com
www.mealpayplus.com
www.pnc.com
www.onlinebanking.pnc.com
chaseonline.chase.com
Why have a default whitelist at all? Do they think these sites will never be compromised?
But the whining about the new setup in Firefox is really nothing more than the same level of whining you get when Homer Simpson says "10 Seconds.... oooooh but I want it now." Decision time folks. Do you want a reasonable expectation of security or to be lazy? It must be understood that whatever automation does for you it also does to you. The end result is a layer on top of a layer that slows down the web (from the user viewpoint) even more. Despite what you have been told.
1. You are smarter than your computer. (all you need to be able to do is add 2 + 2, a computer can only do 1 + 1 + 1 + 1)
2. You are eventually, no matter how hard you try to avoid it, going to have to take responsibility for your own decisions. What you click on and the actions it results in are 1 of them. This includes deciding if you want to accept an SSL cert or not.
I'm sorry, I'm to tired to be witty at the moment so this message will have to do.
+1
I was wondering about this myself. This seems like a glaring issue that essentially renders the idea worthless, even if the notaries are trustworthy.