Perspectives ext updated to 3.0.2

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Perspectives ext updated to 3.0.2

Post by Alan Baxter » Mon May 18, 2009 12:10 am

Version 3 of the Perspectives extension for Firefox is finally out of beta and released as version 3.0.2. http://www.cs.cmu.edu/~perspectives/firefox.html
The extension provides two primary benefits:

1. If you connect to a website with an untrusted (e.g., self-signed) certificate*, Firefox will give you a very nasty security error and force you to manually install an exception. Perspectives can detect whether a self-signed certificate is valid, and automatically overrides the annoying security error page if it is safe to do so.
2. It is possible that an attacker may trick one of the many Certificate Authorities trusted by Firefox into incorrectly issuing a certificate for a trusted website. Perspectives can also detect this attack and will warn you if things look suspicious.

* The same is true for HTTPS sites with certificates that contain mismatched domain names (e.g., http://www.gmail.com uses a certificate for mail.google.com) or certificates that are expired.

There might be other improvements, but most noticeable is more compact use of the status bar. Version 2 put "Perspectives" in the status bar, which took up way more space than necessary. That's been replaced with just an icon. :D
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
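
A simplified model of the notary comparison behind the two benefits listed in the post above, added here as an illustration; it is not the extension's code or part of the original post. The reply format, field names, fingerprints and thresholds are all constructed assumptions.

```javascript
// Added illustration: a simplified notary-quorum check, not the Perspectives code.
// Times are day numbers; fingerprints and thresholds are constructed.

// How many days (ending at `now`) have at least `quorum` notaries continuously
// seen `fp` as the host's current key? Returns 0 when no such quorum exists.
function quorumDuration(replies, fp, quorum, now) {
  const spans = replies.map((observations) => {
    // Only a key the notary still sees today counts as current.
    const cur = observations.find((o) => o.fp === fp && o.end >= now - 1);
    return cur ? now - cur.start : 0;
  });
  spans.sort((a, b) => b - a); // longest agreement first
  return spans.length >= quorum ? spans[quorum - 1] : 0;
}

// Decide what to do with the certificate the browser was actually handed.
function evaluate(replies, browserFp, policy, now) {
  const days = quorumDuration(replies, browserFp, policy.quorum, now);
  if (days >= policy.minDays) return "consistent"; // safe to override the error
  if (days > 0) return "too-new";                  // key only recently appeared
  return "no-quorum";                              // notaries do not vouch for it
}

const NOW = 100;
const POLICY = { quorum: 3, minDays: 2 }; // hypothetical thresholds
const seen = (fp, start) => [{ fp, start, end: NOW }];

// Constructed replies from four notaries for one self-signed site.
const stable = [seen("fp-A", 70), seen("fp-A", 70), seen("fp-A", 70), seen("fp-A", 90)];
// Same site, but two notaries timed out and returned nothing.
const partial = [seen("fp-A", 70), seen("fp-A", 70), [], []];
// Site rotated its key yesterday: every notary sees fp-B, but only for one day.
const rotated = stable.map(() => [
  { fp: "fp-A", start: 70, end: 98 },
  { fp: "fp-B", start: 99, end: NOW },
]);

function demo() {
  return {
    selfSignedStable: evaluate(stable, "fp-A", POLICY, NOW),
    keyOnlyBrowserSees: evaluate(stable, "fp-X", POLICY, NOW),
    notariesDown: evaluate(partial, "fp-A", POLICY, NOW),
    freshKey: evaluate(rotated, "fp-B", POLICY, NOW),
  };
}
console.log(demo());
```

In this model a key that no notary has seen and a set of notaries that did not answer both end in "no-quorum", so the check fails closed when notaries are slow or unreachable.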

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Perspectives ext updated to 3.0.2

Post by Tom T. » Mon May 18, 2009 6:40 am

Alan Baxter wrote:* The same is true for HTTPS sites with certificates that contain mismatched domain names (e.g., http://www.gmail.com uses a certificate for mail.google.com) or certificates that are expired.

That will be interesting, when anyone who uses the MS Secure Update site, https://update.microsoft.com, as I do, gets all those warnings of mismatch, expiration, or unable to check for site revocation! ;)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard

Nan M
Ambassador
Posts: 102
Joined: Thu Mar 19, 2009 12:44 pm

Re: Perspectives ext updated to 3.0.2

Post by Nan M » Mon Jun 08, 2009 7:44 am

After a short troubleshoot yesterday, I've uninstalled Perspectives 3.0.3 - finding it was implicated in the laggy DNS results I mentioned in the vague hangs thread
viewtopic.php?f=10&t=1494#p5207

Possibly to do with stuff I use not being mainly served from USA, but what would I know, the medium security level also fails to give quorum results consistently. Tested with clean profile and clean install.
There was also a persistent error message about parsing the Perspectives url, for what it's worth.
Overall, it's probably too beta for my kind of browser use, and I'm anticipating a ruleset from ABE.

Meanwhile, I'm relying on the good second presentation of the domain's credentials with the browser.identity pref set to 2
http://kb.mozillazine.org/Browser.ident ... in_display
Mozilla/5.0 (X11; U; Linux i686; en-AU; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Perspectives ext updated to 3.0.2

Post by Alan Baxter » Mon Jun 08, 2009 1:48 pm

Glad you found a way to fix your "laggy DNS results" problem. I haven't had any vague hangs, so it's not a problem for me. Also, I've never seen an "error message about parsing the Perspectives url".

I don't recall ABE providing protection against a man-in-the-middle attack like Perspectives does. Will changing the browser.identity pref provide any additional protection against a man-in-the-middle attack? I suppose that kind of attack isn't possible unless your DNS can be compromised, and unlikely in any event. I guess you're safe enough without Perspectives. If it gave me any trouble, I'd drop it in a heartbeat too.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

Nan M
Ambassador
Posts: 102
Joined: Thu Mar 19, 2009 12:44 pm

Re: Perspectives ext updated to 3.0.2

Post by Nan M » Mon Jun 08, 2009 6:38 pm

Alan Baxter wrote:Glad you found a way to fix your "laggy DNS results" problem. I haven't had any vague hangs, so it's not a problem for me.


Linux, or more precisely Ubuntu, has some DNS quirks that I haven't encountered before in either OS X or XP - and I haven't time right now to delve into the mechanics of it all. This XP machine hasn't hung at all over the same period as the little Ubuntu one, so I'm betting it's the Linux DNS differences at least partly responsible.

Alan Baxter wrote:I don't recall ABE providing protection against a man-in-the-middle attack like Perspectives does.

Well, I'm guessing until a few power users get cracking with it to show the way, but I imagine that ABE will allow much more precise https forcing, and I'm hoping that it will allow a very shut down set of pages when I want to visit a particular domain - so no bastard of a mitm can get a look in. Just guessing so far from the rules I've skimmed. Being more like Sergeant Schultz - I know nothing. Yet.

Alan Baxter wrote:Will changing the browser.identity pref provide any additional protection against a man-in-the-middle attack?

That one with a 2 value puts a big coloured field up next to any https url, with the owner of the certificate's details in full. Thus giving a good visual reinforcement of the credentials of the url. And hopefully ringing a big buzzer if it doesn't agree with a hijacked url. I think it was discussed in the hackademix post on "sslStrip" - no time to even look for that right now. Spending all day cleaning all the gutters on my water catchment after a very long drought, and falling asleep when I sit at the desk doesn't help either :-)

Alan Baxter wrote:I suppose that kind of attack isn't possible unless your DNS can be compromised, and unlikely in any event. I guess you're safe enough without Perspectives.

That's the thinking. I'm relying on doing all the right things like using bookmarks for https logons, and watching for browser feedback and having a separate profile for banking (making that session stay only within the bank's domain) from a couple of extensions such as ShowIp.
When the Big DNS Scare of 2008 was on, I ran exclusively with OpenDNS. But I did my research on this ISP and they are top of the security pops in town, so I've relaxed again and use their servers.

What I do above all is to make sure the bank manager knows me and will go in to bat for me if there's any fraud - which touch wood there hasn't yet been.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
