Fingerprint Firefox Plugin?
2007-10-23 02:46:05
Can anyone tell me... is there a Firefox plugin which allows one to view the fingerprint of the SSL certificate of each page you visit (e.g. in the status bar or address bar or something)?

Better still if it can learn which ones you trust, but just being able to view them without having to jump through hoops would be a good start.

Arcane Jill

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

Re: Fingerprint Firefox Plugin?
2007-10-24 02:28:05
Arcane Jill wrote:
> Can anyone tell me... is there a Firefox plugin which allows one to view the fingerprint of the SSL certificate of each page you visit (e.g. in the status bar or address bar or something)?

   Never needed one. The hoops involved aren't THAT large, at least in the version I use - click the padlock icon in the right hand side of the navigation (address/url) box, then the "view" button on the page that presents.

> Better still if it can learn which ones you trust, but just being able to view them without having to jump through hoops would be a good start.

you can manually approve certificates of course, however there are a few tools I find useful.

https://addons.mozilla.org/en-US/firefox/addon/2131

this one remembers which certificates were (mistakenly) presented by which domains, so it won't ask you again. it also does something similar to allow already-expired certs to function.

the author has a blog here where he discusses aspects of the tool and related technologies:

http://www.andrewlucking.com/archives/category/remember-mismatched-domains/

currently he is blogging about a recently checked-in patch that will add similar functionality natively to Firefox, and changes to a host's cert that makes it redundant for Thunderbird.


Re: Fingerprint Firefox Plugin?
2007-10-24 00:51:37
On Oct 23, 2007, at 12:46 AM, Arcane Jill wrote:

> Can anyone tell me... is there a Firefox plugin which allows one to view the fingerprint of the SSL certificate of each page you visit (e.g. in the status bar or address bar or something)?
>
> Better still if it can learn which ones you trust, but just being able to view them without having to jump through hoops would be a good start.

Suppose you did have a convenient way to display the SSL certificate for every site whenever you loaded a page from the site. You probably wouldn't want to memorize all the certificates for the secure sites that you care about, so you might instead write some notes on a piece of paper next to your computer, for example writing down an SSL certificate and then next to it writing "bank", and then writing down another one and then next to it writing "mail", and so on.

Then, whenever you load a page, you would look at the SSL certificate that is linked to that page and glance at your notepad to see which description it maps to. If you are looking at a random web site that you've never seen before, and the certificate doesn't appear on your notes, then no big deal. If you are looking at a page that appears to belong to your bank, and the certificate that came with that page doesn't appear on your notes, then this is a big red flag! Likewise, if you are looking at a page that appears to belong to your bank, and the certificate appears on your notes, but the note next to it doesn't say "bank", then this is a red flag, too! For example, it might be the certificate of your mail service, which appears on your paper along with the note "mail". Or it might just be a certificate that appears on your paper along with the note "joke site from Harry".

Note that a system which classified certificates into "trusted" or "untrusted" categories might give you the green flag even when a certificate that you trust to serve up good jokes is serving up something that appears to be your bank account.

So, the thing about writing down certificates and mapping them to short hand-written notes is what the Pet Name Toolbar automates for you:

https://addons.mozilla.org/en-US/firefox/addon/957

Please let us know how it works for you.

Regards,

Zooko

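The notepad scheme described in the post above, as an added Python example that is not part of the thread and is not the Pet Name Toolbar's code: pet names are keyed by the certificate's SHA-256 fingerprint, a page's apparent identity is checked against the note, and the result is contrasted with a plain trusted/untrusted list. The certificate bytes are constructed stand-ins, not real DER.

```python
import hashlib
from typing import Dict, Optional, Set

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, in the
    colon-separated hex form shown by Firefox's certificate viewer."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

class PetNameBook:
    """The notepad from the post: fingerprint -> short hand-written note."""

    def __init__(self) -> None:
        self.notes: Dict[str, str] = {}

    def remember(self, cert_der: bytes, petname: str) -> None:
        self.notes[fingerprint(cert_der)] = petname

    def check(self, looks_like: Optional[str], cert_der: bytes) -> str:
        """looks_like: the pet name the user believes the page belongs to,
        or None for a random site they have no relationship with."""
        note = self.notes.get(fingerprint(cert_der))
        if looks_like is None:
            return "ok: stranger" if note is None else f"ok: this is '{note}'"
        if note is None:
            return f"RED FLAG: looks like '{looks_like}' but cert is not in notes"
        if note != looks_like:
            return f"RED FLAG: looks like '{looks_like}' but cert is '{note}'"
        return f"ok: this is '{looks_like}'"

def binary_trust_ok(trusted: Set[str], cert_der: bytes) -> bool:
    """The trusted/untrusted model the post warns about: any approved cert
    passes, whatever the page claims to be."""
    return fingerprint(cert_der) in trusted

# Constructed stand-ins for DER certificate bytes (not real certificates).
BANK_CERT = b"constructed-der:bank"
MAIL_CERT = b"constructed-der:mail"
JOKE_CERT = b"constructed-der:joke"
STRANGER_CERT = b"constructed-der:stranger"

BOOK = PetNameBook()
BOOK.remember(BANK_CERT, "bank")
BOOK.remember(MAIL_CERT, "mail")
BOOK.remember(JOKE_CERT, "joke site from Harry")
TRUSTED = set(BOOK.notes)  # every cert the user has ever approved
```

Calling `BOOK.check("bank", JOKE_CERT)` raises the red flag the post describes, while `binary_trust_ok(TRUSTED, JOKE_CERT)` waves the same page through.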

Re: Fingerprint Firefox Plugin?
2007-10-24 13:57:32
zooko wrote:
> Suppose you did have a convenient way to display the SSL certificate for every site whenever you loaded a page from the site. You probably wouldn't want to memorize all the certificates for the secure sites that you care about, so you might instead write some notes on a piece of paper next to your computer, for example writing down an SSL certificate and then next to it writing "bank", and then writing down another one and then next to it writing "mail", and so on.
> 
> Then, whenever you load a page, you would look at the SSL certificate that is linked to that page and glance at your notepad to see which description it maps to. If you are looking at a random web site that you've never seen before, and the certificate doesn't appear on your notes, then no big deal. If you are looking at a page that appears to belong to your bank, and the certificate that came with that page doesn't appear on your notes, then this is a big red flag! Likewise, if you are looking at a page that appears to belong to your bank, and the certificate appears on your notes, but the note next to it doesn't say "bank", then this is a red flag, too! For example, it might be the certificate of your mail service, which appears on your paper along with the note "mail". Or it might just be a certificate that appears on your paper along with the note "joke site from Harry".
> 
> Note that a system which classified certificates into "trusted" or "untrusted" categories might give you the green flag even when a certificate that you trust to serve up good jokes is serving up something that appears to be your bank account.
> 
> So, the thing about writing down certificates and mapping them to short hand-written notes is what the Pet Name Toolbar automates for you:
> 
> https://addons.mozilla.org/en-US/firefox/addon/957


the design point for certificates was first time communication between total strangers (aka the letters of credit/introduction from sailing ship days).

certificates have also somewhat tried moving into no-value market segment for relying parties that had no (and/or couldn't cost justify) mechanism for recording information about other parties they were dealing with.

by comparison pgp had assumed some mechanism for relying parties being able to record information about the parties that they had dealings with. huge number of infrastructures have had well entrenched infrastructures for recording information about parties that they dealt with ... it just has been that the authentication related information (for these infrastructures) have tended to be shared secrets. many of these infrastructures could have been upgraded from shared secrets to public key ... w/o having any impact on the business and/or trust models ... and furthermore by the very nature of the existing infrastructures, the paradigm behind digital certificates wasn't applicable (i.e. digital certificates being totally redundant and superfluous).

recent thread/posting about it being much more natural for simple upgrade of kerberos infrastructure from shared secrets to public key ... w/o the exorbitant additional overhead and processing introduced by digital certificates.
http://www.garlic.com/~lynn/2007q.html#2 Windows Live vs Kerberos
http://www.garlic.com/~lynn/2007q.html#5 Windows Live vs Kerberos

when we were called in to consult with this small client/server startup that wanted to do payment transactions on their server ... since then somewhat has come to be called electronic commerce
http://www.garlic.com/~lynn/subnetwork.html#gateway

one of the technologies they had invented was SSL ... and we had to do some work on applying SSL to real business processes and also do some end-to-end audits of the whole series of operations ... including these things that were calling themselves certification authorities

one of the things that undermined original assumptions applying SSL to business processes was the whole "click" paradigm ... discussed in more detail in this recent post
http://www.garlic.com/~lynn/2007q.html#30

and the assumptions about SSL as countermeasure and the related threat models.

another aspect of SSL, certification authorities, digital certificates was the whole issue behind what is meant by certification process ... and what certifications were represented by digital certificates.

during the initial decade or so of electronic commerce something over 70 percent of the transactions were done by less than 100 websites (activity is highly skewed). these websites were both well known and also carried a lot of repeat business ... invalidating one of the original/primary justifications for having digital certificates. so a very few websites did majority of transactions and didn't need certification. by comparison, the vast majority of websites were only doing a very, very few electronic transactions (especially those involving large percentage of first interaction between complete strangers) ... and couldn't cost justify expensive certification process

the other issue was that (all) merchants were already paying a fairly hefty "interchange fee" that acted as a form of warranty/insurance to cover their client/consumers (actually proportional to the value of the operations). by comparison, the certification authorities were providing almost no added value ... so except for pure hype ... there was no real reason for spending money for additional certification (at least from the standpoint of electronic commerce) ... which somewhat gave rise to the thread about "merchant comfort certificates" in some of the older ssl domain name certificate postings
http://www.garlic.com/~lynn/subpubkey.html#sslcert

a combination of these factors continued to push PKIs, certification authorities, and digital certificates more and more into the no-value market segment.
