Browser security plug-in protects against DNS flaw

Dubbed ‘Perspectives’, the system has been about 18 months in the making, and now is available as a Firefox 3 plug-in.

Perspectives addresses what the researchers perceive to be an increased risk of MitM attacks due to the increased use of wireless connections to the Internet.

Researcher David Andersen explained that it is easy for attackers to hijack unsecured hotspots, or set up their own access points to which unsuspecting users may connect.

Once connected, users are susceptible to having all of their traffic monitored or changed as the attacker’s computer relays communications between the user and the target site.

“A lot of people wouldn't even know they've been attacked,” said Andersen, who is an assistant professor of computer science at Carnegie Mellon University.

“An attacker in the same area can redirect your packets through their own computer and have their way with them,” he told iTnews.

Perspectives authenticates Web sites by employing a set of friendly sites, or ‘notaries’ that independently query the desired target site.

If one or more notaries receives authentication information that is different than that received by the browser or other notaries, the users is alerted to a potential security breech.

The authentication function is similar to that provided by certificate authorities such as VeriSign. However, researchers expect Perspectives to complement, rather than compete with, the commercially-available security systems.

“We believe that both technologies are needed,” Andersen told iTnews.

“Banks and other high-security sites really should use a CA-signed certificate - they're resistant to more classes of attacks (and different classes) than Perspectives is.”

“However, certificate authorities face an interesting problem … the system is only as good as the most insecure certificate authority trusted by your browser,” he said.

Andersen explained that there are small certificate authorities that may issue valid certificates to spoof sites. In such cases, users see a Web site with an apparently valid certificate and may proceed to use the illegitimate site.

He mentioned previous cases of attackers obtaining certificates in the name of ‘micros0ft’, while the software giant Microsoft already owns an extended validation certificate for microsoft.com.

Perspectives is expected to detect bogus sites, even in such cases, and warn the Firefox user that the site is suspicious.

By validating the digital certificates of Web sites, Perspectives also could protect against the recently-disclosed DNS vulnerability that could cause ISPs to connect users with a malicious site instead of the desired target site.

The system could be especially useful for a growing number of sites that do not use certificate authorities and instead use less expensive, ‘self-signed’ certificates.

Currently, when Firefox users attempt to access Web sites that use self-signed certificates, they are faced with a security error message.

Perspectives can automatically override the security error page for sites that appear legitimate, which researchers expect to reduce complexity and confusion for users.

The development of Perspectives was supported with grants from the U.S. Army Research Office, the National Science Foundation, and the Department of Homeland Security.

Mozilla’s Firefox 3 was chosen as a basis for development due to the accessibility of its extension framework. Andersen expressed an interest in discussing the project with Mozilla, although there so far have been no communications between the groups.

“All of the browser manufacturers have been making good strides forward in terms of the security of their browsers, but the overall browser security situation is still a mess,” Andersen said.

“I think that while we're moving out of the stone age of browser security, we're still only in the bronze age,” he said.

Perspectives currently is available as a free download from the researchers’ Web site.

The system currently is supported by a publicly-available network of notary sites developed by the Carnegie Mellon researchers, who anticipate that ISPs, universities and large companies eventually will sponsor additional notary sites.