August 26, 2008 4:53 PM PDT

Firefox extension protects against man-in-the-middle attacks

by Elinor Mills

Researchers at Carnegie Mellon University have released an extension for Firefox 3 that can protect wireless network users from so-called "man-in-the-middle" attacks.

The software, dubbed "Perspectives," is available for download for free.

Perspectives also protects against attacks that exploit a recently exposed flaw in the DNS system, which translates Web addresses into numerical IP addresses, said Dave Andersen, a computer science professor at Carnegie Mellon who was an adviser on the Perspectives project.

In an attack on the DNS system, someone typing in a legitimate Web address could be redirected to a malicious site without knowing it. Perspectives would pop up a warning to the Web surfer that the site they are going to is suspicious.

In general, Perspectives is designed to guide Web surfers away from malicious sites. It also is designed to assure surfers when they visit sites that are safe but which Firefox warns about because the sites are not paying a third-party Certificate Authority, such as VeriSign, to authenticate the sites and instead are using "self-signed" digital certificates, also known as keys.

Signing up with a Certificate Authority can be expensive and time-consuming, so some sites prefer to do it themselves, Andersen said. If they do, Firefox penalizes them by displaying an error message that says the browser is unable to verify that the site can be trusted.

The messages leave Web surfers confused, and they may either avoid a legitimately safe site or get used to automatically accepting certificates despite the warning and inadvertently trust a malicious site at some point.

"The fear is that the Firefox policy will force some sites to use Certificate Authorities but will make others not use any security at all," Andersen said.

The Perspectives software queries servers around the Internet that Andersen has set up as notary-type nodes and asks them to verify the certificate they see for the Web site sought and to verify what certificate they have historically seen for that site. If the computers are in agreement on those questions, the surfer is sent directly to the site. If there is disagreement on those questions, the browser displays a warning to the Web surfer that the site is suspicious.
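
The notary check described above can be sketched as a quorum decision. This is an added example, not code from the Perspectives project; the reply shape, the `quorum` and `minDays` thresholds, and all fingerprints and notary names are assumptions constructed for illustration.

```javascript
// Added illustration of a notary quorum check. The reply shape, quorum and
// minDays values are assumptions, not the Perspectives protocol or defaults.

// Constructed sample fingerprints (not real certificate hashes).
const GOOD = "constructed-fp-site-key";
const EVIL = "constructed-fp-attacker-key";
const NEW = "constructed-fp-rotated-key";

// The key a notary currently sees is the observation with the latest lastSeen.
function currentObservation(history) {
  return history.reduce((a, b) => (b.lastSeen > a.lastSeen ? b : a));
}

// A notary agrees when the key it sees now is the offered key and it has
// seen that key continuously for at least minDays (times are in days).
function notaryAgrees(history, offeredFp, minDays) {
  if (!history || history.length === 0) return false; // unreachable: no vote
  const cur = currentObservation(history);
  return cur.fp === offeredFp && cur.lastSeen - cur.firstSeen >= minDays;
}

// Proceed only if at least `quorum` of all queried notaries agree.
function evaluate(offeredFp, replies, { quorum = 0.75, minDays = 2 } = {}) {
  const names = Object.keys(replies);
  const agreeing = names.filter((n) => notaryAgrees(replies[n], offeredFp, minDays));
  const needed = Math.ceil(names.length * quorum);
  const ok = names.length > 0 && agreeing.length >= needed;
  return { verdict: ok ? "proceed" : "warn", agreeing, needed };
}

// Constructed notary replies: a self-signed key seen unchanged for 30 days.
const stable = {};
for (const n of ["notaryA", "notaryB", "notaryC", "notaryD"]) {
  stable[n] = [{ fp: GOOD, firstSeen: 0, lastSeen: 30 }];
}
// Same site, but every notary saw the key change one day ago.
const rotated = {};
for (const n of Object.keys(stable)) {
  rotated[n] = [{ fp: GOOD, firstSeen: 0, lastSeen: 29 }, { fp: NEW, firstSeen: 29, lastSeen: 30 }];
}

console.log(evaluate(GOOD, stable).verdict);  // client and notaries see the same long-lived key
console.log(evaluate(EVIL, stable).verdict);  // client is offered a key no notary sees
console.log(evaluate(NEW, rotated).verdict);  // key matches but is too new to have history
console.log(evaluate(GOOD, { ...stable, notaryD: null }).verdict); // one notary down
```

Counting an unreachable notary as a non-vote rather than as agreement means that blocking notary traffic can only push the result toward a warning, never toward silent acceptance.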

"The average (Internet) user probably wouldn't see one of these attacks in a given year," Andersen said when asked how severe the problem is. "But, an unlucky user in an airport or some convention where there happened to be a bad guy (lurking on the network) would definitely be vulnerable."

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.

by The_Decider August 26, 2008 7:36 PM PDT
Man in the middle is not a wireless-only attack. It can happen just as easily on a wired network.

So how exactly does it protect against MIM? Most of the article talks about a completely different issue: DNS.

If it brings up another nag screen, that is not security.

by shanx24 August 27, 2008 3:18 AM PDT
A nag screen that shows me an option to NOT visit a site is secure enough for me. Besides, on Windows, use Kaspersky.
by humanssssss August 27, 2008 7:45 AM PDT
Sounds to me like a web of trust. Instead of relying on a central certificate authority, it relies on the trust of other websites, which works better than relying on a single entity. I think Verisign needs to die.

by c|net Reader August 27, 2008 12:41 PM PDT
How long before the plugin update site is overtaken by an exploit, even the DNS vulnerabilities, such that the Perspective plugin is updated with a modified version that points to the wrong servers? The plugin user gets a false sense of security.

by Pete Bardo August 27, 2008 10:52 AM PDT
Verisign doesn't need to die, just go away. But the other certificate vendors have their quirks, too.