New toy: SSLbar
Mister Lee
mister_lee at metropipe.net
Thu Jun 26 10:56:24 EDT 2003
"Steven M. Bellovin" wrote:
> Please don't take this personally...
None taken here either, and I'm the author :)
> >From a security point of view, why should anyone download any plug-in
> from an unknown party? In this very specific case, why should someone
> download a a plug-in that by its own description is playing around in
> the crypto arena.
They probably shouldn't. Unless they've conversed with me at length and
decided that I'm nice, or they download the JAR and vet the code themselves.
IMO this is just something that takes time. If I work on SSLbar (or other
plugins) long enough, and they get used, I cease to be an unknown party...
It'd probably help if I signed the thing, too :)
> How do we know it's not going to steal keys? Is the
> Mozilla API strong enough that it can't possibly do that?
Presumably it is strong enough to stop that, but I haven't pushed it yet
(you're talking about personal certs installed in Mozilla, yes?).
> Is it
> implemented well enough that we trust it? (I see that in this case,
> the guts of the plug-in are in Javascript. Given how often Javascript
> has played a starring role in assorted security flaws, that doesn't
> reassure me. But I do appreciate open source.)
Security problems with JavaScript are directly related of the context (or lack
thereof) in which the code is run. The entire UI of Mozilla is actually
bolted together with JavaScript, including the existing SSL certificate
properties pages. Unzip the pippki.jar file in your mozilla/chrome directory
and take a look at content/pippki/viewCertDetails.js and viewCertDetails.xul
- this is code for viewing certs that comes with Mozilla. As far as I am
aware, you can't access any of the juicy stuff from within eg: a web page,
only from within toolbars and other UI overlays.
Regarding the usefulness of SSLbar itself, its immediate purpose was
fingerprint display, as a (theoretically) easy means of checking a cert's
validity yourself, rather than relying on a third party signing. That list
of "officially sanctioned CAs" that comes with browsers just keeps getting
longer and longer. I don't know who the hell any of those organizations are,
or what their policies are... Anyway, SSLbar could be made much more useful
if I were to have it (somehow) cache fingerprints or certs, and a flag to
indicate whether the user has validated them. Implementing this requires
further investigation however, and I've just been pointed at this list and
it's archive, so I have some more reading to do :)
Regards,
ML
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list