Perspectives ext updated to 3.0.2

[Alan Baxter]

Version 3 of the Perspectives extension for Firefox is finally out of beta and released as version 3.0.2. http://www.cs.cmu.edu/~perspectives/firefox.html

The extension provides two primary benefits:

1. If you connect to a website with an untrusted (e.g.,self-signed certificate)*, Firefox will give you a very nasty security error and force you to manually install an exception. Perspectives can detect whether a self-signed certificate is valid, and automatically overrides the annoying security error page if it is safe to do so.
2. It is possible that an attacker may trick one of the many Certificate Authorities trusted by Firefox into incorrectly issuing a certificate for a trusted website. Perspectives can also detect this attack and will warn you if things look suspicious.

* The same is true for HTTPS sites with certificates that contain mismatched domain names (e.g., http://www.gmail.com uses a certificate for mail.google.com) or certificates that are expired.

There might be other improvements, but most noticeable is more compact use of the status bar. Version 2 put "Perspectives" in the status bar, which took up way more space than necessary. That's been replaced with just an icon.

[Tom T.]

* The same is true for HTTPS sites with certificates that contain mismatched domain names (e.g., http://www.gmail.com uses a certificate for mail.google.com) or certificates that are expired.

That will be interesting, when anyone who uses the MS Secure Update site, https://update.microsoft.com, as I do, gets all those warnings of mismatch, expiration, or unable to check for site revocation!

[Nan M]

After a short troubleshoot yesterday, I've uninstalled Perspectives 3.0.3 - finding it was implicated in the laggy DNS results I mentioned in the vague hangs thread
http://forums.informaction.com/viewtopi ... 1494#p5207

Possibly to do with stuff I use not being mainly served from USA, but what would I know, the medium security level also fails to give quorum results consistently. Tested with clean profile and clean install.
There was also a persistent error message about parsing the Perspectives url, for what it's worth.
Overall, it's probably too beta for my kind of browser use, and I'm anticipating a ruleset from ABE.

Meanwhile, I'm relying on the good second presentation of the domain's credentials with the browser.identity pref set to 2
http://kb.mozillazine.org/Browser.ident ... in_display

[Alan Baxter]

Glad you found a way to fix your "laggy DNS results" problem. I haven't had any vague hangs, so it's not a problem for me. Also, I've never seen an "error message about parsing the Perspectives url".

I don't recall ABE providing protection against a man-in-the-middle attack like Perspectives does. Will changing the browser.identity pref provide any additional protection against a man-in-the-middle attack? I suppose that kind of attack isn't possible unless your DNS can be compromised, and unlikely in any event. I guess you're safe enough without Perspectives. If it gave me any trouble, I'd drop it in a heartbeat too.

[Nan M]

Glad you found a way to fix your "laggy DNS results" problem. I haven't had any vague hangs, so it's not a problem for me.

Linux, or more precisely Ubuntu has some dns quirks that I haven't encountered before in either OS X or XP - and I haven't time right now to delve into the mechanics of it all. This XP machine hasn't hung at all over the same period as the little Ubuntu one, so I'm betting it's the linux dns differences at least partly responsible.

I don't recall ABE providing protection against a man-in-the-middle attack like Perspectives does.

Well, I'm guessing until a few power users get cracking with it to show the way, but I imagine that ABE will allow much more precise https forcing, and I'm hoping that it will allow a very shut down set of pages when I want to visit a particular domain - so no bastard of a mitm can get a look in. Just guessing so far from the rules I've skimmed. Being more like Sargeant Schulz - I know nothing. Yet.

Will changing the browser.identity pref provide any additional protection against a man-in-the-middle attack?

That one with a 2 value puts a big coloured field up next to any https url, with the owner of the certificate's details in full. Thus giving a good visual reinforcement of the credentials of the url. And hopefully ringing a big buzzer if it doesn't agree with a hijacked url. I think it was discussed in the hackademix post on "sslStrip" - no time to even look for that right now. Spending all day cleaning all the gutters on my water catchment after a very long drought, and falling asleep when I sit at the desk doesn't help either

I suppose that kind of attack isn't possible unless your DNS can be compromised, and unlikely in any event. I guess you're safe enough without Perspectives.

That's the thinking. I'm relying on doing all the right things like using bookmarks for https logons, and watching for browser feedback and having a separate profile for banking (making that session stay only within the bank's domain) from a couple of extensions such as ShowIp.
When the Big DNS Scare of 2008 was on, I ran exclusively with Open DNS. But I did my research on this isp and they are top of the security pops in town, so I've relaxed again and use their servers.

What I do above all is to make sure the bank manager knows me and will go in to bat for me if there's any fraud - which touch wood there hasn't yet been.