sslvis


This add-on reads the public-key fingerprint of HTTPS (TLS/SSL) connections and maps it to a simple English word which is displayed in the status bar. This gives you a simple way to know if the SSL certificate being used has changed, because it's easy to remember the words you see (as opposed to remembering SHA1 fingerprints ;)

This functionality gives you a chance of detecting a Man-in-the-Middle (MitM) attack that uses a properly formed certificate (i.e. wildcard SSL certificates and/or certificates issued to governments/intelligence agencies by Certificate Authorities).

SSL utilizes public-key cryptography, and two big parts of that are math and trust. The math generally keeps people from sneaking a peek into the SSL connection, and if someone tries on their own your browser will sound the alarm. The trust part comes in because the Certificate Authorities (CAs) who are trusted by default by virtually every browser in the world say they will never issue legitimate-looking certs to illegitimate people. If any random person could go to a CA and get an SSL cert valid for www.paypal.com then a whole lot of things break down.

Unfortunately it appears that CAs are issuing false certificates to governments and intelligence agencies:

http://www.wired.com/threatlevel/2010/03/packet-forensics/
http://arstechnica.com/security/news/2010/03/govts-certificate-authorities-conspire-to-spy-on-ssl-users.ars

There is also the whole issue of wildcard SSL certs, which we're not getting into here, but this extension may help with...

So by mapping fingerprints to a simple word this extension allows you to keep a level of awareness of when there's a change to an HTTPS connection you use. If the word changes, then the certificate has changed. The certificate change could be legitimate or it could be part of a MitM attack.

If you see a change, you can go out to the sslvis reporting server and check and see what other people are seeing for the site you're trying to get to.

The default sslvis report server is currently: http://tlsvis-report.appspot.com/

PRIVACY WARNING:

By default, this extension reports the server, domain, and TLD (i.e. www.google.com) of HTTPS sites you visit along with the word value for their fingerprints.

If you use this at work or visit sites you don't want people to know about, you can use the reporting exclusion option to disable external reporting for domains or sites. You can also disable reporting altogether. Internal RFC 1918 IP address space is excluded by default. Sites which aren't reported externally include a trailing asterisk as a visual cue that they are not being reported.
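The reporting controls described above, as an added example that is not the sslvis add-on's own code: a host is reported only if reporting is enabled, it is not an RFC 1918 address, and it does not match an exclusion entry; otherwise the status-bar label gets the trailing asterisk. The settings object, the exclusion syntax (a leading dot meaning "this domain and its subdomains") and the host names are assumptions constructed for this example.

```javascript
// Added example (not the sslvis add-on's own code): decide whether a host
// may be reported externally and build the status-bar label accordingly.

// True for dotted-quad addresses inside the RFC 1918 private ranges:
// 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
function isRfc1918(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false; // not an IPv4 literal at all
  const octets = m.slice(1, 5).map(Number);
  if (octets.some((o) => o > 255)) return false; // malformed literal
  const [a, b] = octets;
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Exclusion entries (syntax assumed for this example): an exact host name,
// or a name with a leading '.' that covers the domain and every subdomain.
function isExcluded(host, exclusions) {
  return exclusions.some((entry) =>
    entry.startsWith('.')
      ? host === entry.slice(1) || host.endsWith(entry)
      : host === entry
  );
}

// Reporting is allowed only when globally enabled, the host is not private
// address space, and no exclusion matches.
function shouldReport(host, settings) {
  if (!settings.reportingEnabled) return false;
  if (isRfc1918(host)) return false;
  return !isExcluded(host, settings.exclusions);
}

// Status-bar text: the word alone if reported, the word plus '*' if not.
function statusLabel(host, word, settings) {
  return shouldReport(host, settings) ? word : word + '*';
}

// Stand-alone usage with constructed settings and hosts.
const SETTINGS = {
  reportingEnabled: true,
  exclusions: ['.corp.example', 'intranet.example.net'],
};
statusLabel('www.google.com', 'orchid', SETTINGS);   // 'orchid'
statusLabel('wiki.corp.example', 'dune', SETTINGS);  // 'dune*'
```

Matching the leading-dot entry with `endsWith('.corp.example')` rather than a bare substring check is what keeps a look-alike such as notcorp.example from being silently excluded, and the exact-host form deliberately does not cover subdomains, so an entry must be written as `.intranet.example.net` if those should be excluded too.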

Before you flip out about privacy, please keep in mind that internet traffic is regularly monitored and the sites you visit often aren't private. This extension is a bit of a trade-off, but the exclusion and reporting controls should help that out.

Download files:

sslvis-0.8.xpi


This page is part of the LegacyCollector website.