[13692] in cryptography@c2.net mail archive
Re: New toy: SSLbar
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Tue Jun 24 23:06:00 2003
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
To: cryptography@metzdowd.com
Date: Tue, 24 Jun 2003 22:42:43 -0400
From: "Steven M. Bellovin" <smb@research.att.com>
>It's a toolbar for Mozilla (and related web browsers) that automatically
>displays the SHA1 or MD5 fingerprint of the SSL certificate when you visit
>an SSL secured web site. You could of course click the little padlock icon
>and dig through a couple of dialogs to see it, but it's much easier when
>it's right there in front of you on the toolbar.
>
>So, what's the point?
>
>If you look at the fingerprint of an SSL certificate, and compare this
>against a fingerprint that you obtain from the site's owner via another
>channel (IIP, email, PGP-signed web page, etc.) you can be absolutely
>certain that the certificate is legitimate, and that you are exchanging
>encrypted data with the persons(s) you intended to.
>
>
Please don't take this personally -- I'm speaking in general terms
here, rather than casting aspersions on anyone in particular. I've
deliberately deleted any personal names from this reply, to underscore
that point.
>From a security point of view, why should anyone download any plug-in
from an unknown party? In this very specific case, why should someone
download a a plug-in that by its own description is playing around in
the crypto arena. How do we know it's not going to steal keys? Is the
Mozilla API strong enough that it can't possibly do that? Is it
implemented well enough that we trust it? (I see that in this case,
the guts of the plug-in are in Javascript. Given how often Javascript
has played a starring role in assorted security flaws, that doesn't
reassure me. But I do appreciate open source.)
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of "Firewalls" book)
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
