New toy: SSLbar

Steven M. Bellovin smb at research.att.com
Tue Jun 24 22:42:43 EDT 2003


>It's a toolbar for Mozilla (and related web browsers) that automatically 
>displays the SHA1 or MD5 fingerprint of the SSL certificate when you visit 
>an SSL secured web site. You could of course click the little padlock icon 
>and dig through a couple of dialogs to see it, but it's much easier when 
>it's right there in front of you on the toolbar.
>
>So, what's the point?
>
>If you look at the fingerprint of an SSL certificate, and compare this 
>against a fingerprint that you obtain from the site's owner via another 
>channel (IIP, email, PGP-signed web page, etc.) you can be absolutely 
>certain that the certificate is legitimate, and that you are exchanging 
>encrypted data with the person(s) you intended to.
>
>

Please don't take this personally -- I'm speaking in general terms 
here, rather than casting aspersions on anyone in particular.  I've
deliberately deleted any personal names from this reply, to underscore 
that point.

From a security point of view, why should anyone download any plug-in 
from an unknown party?  In this very specific case, why should someone 
download a plug-in that by its own description is playing around in 
the crypto arena?  How do we know it's not going to steal keys?  Is the 
Mozilla API strong enough that it can't possibly do that?  Is it 
implemented well enough that we trust it?  (I see that in this case, 
the guts of the plug-in are in Javascript.  Given how often Javascript 
has played a starring role in assorted security flaws, that doesn't 
reassure me.  But I do appreciate open source.)


		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
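
The out-of-band fingerprint comparison described in the quoted announcement, as an added example that is not part of the original message and is not SSLbar's code. The function names (normalize, fingerprint, matches) are hypothetical, and the sample "certificate" is constructed placeholder bytes rather than a real certificate.

```python
import hashlib
import hmac
import ssl

# Hex-digit count -> hash, for the two fingerprint types the announcement names.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1"}


def normalize(fp: str) -> str:
    """Drop separators and case so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    hexchars = "".join(c for c in fp if c not in ": -\t\n").lower()
    if not hexchars or any(c not in "0123456789abcdef" for c in hexchars):
        raise ValueError("fingerprint contains non-hex characters")
    return hexchars


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated, upper-case hash of the DER-encoded certificate."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(pem: str, trusted_fp: str) -> bool:
    """Check a served certificate against a fingerprint obtained out of band."""
    want = normalize(trusted_fp)
    algo = ALGO_BY_HEX_LEN.get(len(want))
    if algo is None:
        # A truncated or padded fingerprint must fail loudly, not "partly match".
        raise ValueError("expected a 32-digit MD5 or 40-digit SHA-1 fingerprint")
    got = normalize(fingerprint(ssl.PEM_cert_to_DER_cert(pem), algo))
    return hmac.compare_digest(got, want)


if __name__ == "__main__":
    # Constructed stand-in bytes. In real use the PEM text would come from the
    # server, e.g. ssl.get_server_certificate((host, 443)).
    served = ssl.DER_cert_to_PEM_cert(b"constructed stand-in for DER bytes")
    # Pretend this string arrived via signed e-mail from the site's owner.
    out_of_band = fingerprint(ssl.PEM_cert_to_DER_cert(served)).lower()
    print("SHA1:", fingerprint(ssl.PEM_cert_to_DER_cert(served)))
    print("match:", matches(served, out_of_band))
```

The fingerprint covers the whole DER encoding, so the comparison only proves that the certificate served is the one the fingerprint's sender hashed; how far that sender and channel are trusted is a separate question.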
