Additional protection from Man In The Middle attacks

A nice article over at Arstechnica talking about a project some Carnegie Mellon students have been working on called Perspective.

It is a SSL and SSH security enhancement which helps prevent Man In The Middle attacks by giving you a 3rd party “perspective” of the site you are visiting.  I know you are asking, what does that mean and how is that my problem?

As this article over at TechDirt describes, the little pad lock has been one of the best things for Internet security.  Users, for the most, recognize and trust it to indicate that the site and the data about the transaction is secure.  A MITM attack is where a cracker intercepts your requests to initiate a secure connection and places them selves in the chain.  If done correctly, you, your browser, and the 3rd party have no idea that someone is listening in.  If this attack succeeds, the cracker now has access to all of the information that is encrypted which could be credit card numbers and passwords.  For you Linux/Unix users out there, SSH is susceptible to this attack as well.

The perspectives project, as they describe it, “designed Perspectives to supplement [Trust-on-first-use] applications with spatial and temporal redundancy”.  It works like this…

You visit a site which has a self-signed certificate. (Nobody wants to spend the rediculous ammount of money required to get a 3rd party signed cert.)

With out Perspectives, Firefox will give you a big warning that most users promptly ignore and select to add the exception.

Perspectives places itself in that step instead.  When you receive the public certificate of the site, perspectives goes out and queries their servers.  Their servers will then connect to the site and send back what they received.  The plugin then compares the two.  If they match, then the certificate is accepted as being valid and Fx doesn’t prompt you with the warning.

There are some additional configuration choices that can be turned on to further enhance this by requiring the signature to have been valid for X number of days.  This acts as a further validation in case the attacker is able to intercept all requests to the site.

All in all, this is yet another tool in the arsenal to keep our computing safe.  I hope that Mozilla, OpenSSL, and OpenSSH take this project to heart and integrate it into their suites as well as some large companies step up and offer their services as a notary.

You can obtain the Firefox extenstion here and an OpenSSH client here.

Leave a Reply

Your email address will not be published.