Perspectives : Mozilla Firefox Extension

Update 1-30-2011: A new version of the Perspectives notary server is available (written entirely in Python). Check it out!

Update 1-30-2011: A proof-of-concept Chrome extension for Perspectives is available (Warning: for experimental use only, Chrome development help is welcomed).

Update 11-7-2010: Version 4.0 of the Perspectives Extension is available: Install Now. See our wiki to learn what is new and how you can help.

Overview

We have developed an extension to the popular Firefox browser that contacts network notaries whenever your browser connects to an HTTPS website.

For an overview of how Perspectives works, see our main page.

The extension provides two primary benefits:

  1. If you connect to a website with an untrusted certificate (e.g., a self-signed certificate)*, Firefox will give you a very nasty security error and force you to manually install an exception. Perspectives can detect whether a self-signed certificate is valid, and automatically overrides the annoying security error page if it is safe to do so.
  2. It is possible that an attacker may trick one of the many Certificate Authorities trusted by Firefox into incorrectly issuing a certificate for a trusted website. Perspectives can also detect this attack and will warn you if things look suspicious.

* The same is true for HTTPS sites with certificates that contain mismatched domain names (e.g., www.gmail.com uses a certificate for mail.google.com) or certificates that are expired.

Installation

Note: All software on this page is provided "as-is", without warranty of any kind. In no event shall the authors or Carnegie Mellon be liable for any claim arising from use of this software.

Install Perspectives

Using the Extension

The easiest way to see what the notary client extension is doing is to use the info box it places in the lower right-hand corner of the browser window. The icon tells you whether the certificate has been notarized, and you can request to see the details of each server response. Double-clicking on this info box provides more detailed notary data and opens the preferences menu.

By default, Perspectives only queries for self-signed certificates or certificates deemed invalid by Firefox. To experiment more with Perspectives, you can change your preferences to query for all HTTPS connections. Preferences also let you control a security level that determines the criteria used by Perspectives to deem a certificate valid or invalid.

Once Perspectives has used notary data to deem a certificate valid, that certificate is cached locally as "trusted". You can configure Perspectives to cache these certificates either permanently or just for the current instance of the browser (default).
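One way a notary client could turn the security level and the cache setting described above into a decision, shown as an added example that is not the extension's own code. The reply shape, the meaning of the securityLevel fraction, the sample data and all function names are assumptions made for illustration.

```javascript
// Added illustration: not code from the Perspectives extension.
// Each notary reply carries the certificate fingerprint that notary currently
// observes for the host, or null when the notary could not be reached
// (assumed shape; the real notary response format is not shown on this page).
const sampleReplies = [ // constructed sample data
  { notary: "notary1.example", fingerprint: "AA:11:22" },
  { notary: "notary2.example", fingerprint: "AA:11:22" },
  { notary: "notary3.example", fingerprint: "AA:11:22" },
  { notary: "notary4.example", fingerprint: null },
];

// securityLevel (hypothetical parameter) is the fraction of *configured*
// notaries that must report the same certificate the browser saw.
// Unreachable notaries count against the quorum, never in favour of it.
function evaluateCert(seenFingerprint, replies, securityLevel) {
  const reachable = replies.filter((r) => r.fingerprint !== null);
  const agreeing = reachable.filter((r) => r.fingerprint === seenFingerprint);
  const needed = Math.ceil(securityLevel * replies.length);
  if (reachable.length === 0) {
    // Notaries blocked (e.g. by a proxy or firewall): no evidence at all,
    // so the browser's own security error must not be overridden.
    return { trusted: false, reason: "no notary reachable" };
  }
  const tally = `${agreeing.length}/${replies.length} notaries agree`;
  if (agreeing.length >= needed) {
    return { trusted: true, reason: tally };
  }
  return { trusted: false, reason: `only ${tally}, need ${needed}` };
}

// Cache of certificates already deemed valid, keyed by host. A Map lives only
// as long as the running process, which corresponds to the "current instance"
// default; a permanent cache would have to be persisted to disk.
function checkSite(host, seenFingerprint, replies, securityLevel, cache) {
  // A cache hit requires the same fingerprint: a changed certificate for a
  // previously trusted host is evaluated against the notaries again.
  if (cache.get(host) === seenFingerprint) {
    return { trusted: true, reason: "cached" };
  }
  const result = evaluateCert(seenFingerprint, replies, securityLevel);
  if (result.trusted) cache.set(host, seenFingerprint);
  return result;
}
```

Because the cache is keyed on both host and fingerprint, a certificate swap on a site that was trusted earlier is not silently accepted.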

Perspectives uses automatic updates to help push bug fixes, feature enhancements, and new notary configuration data. If you experience problems, please make sure you have the latest version by going to Tools > Add-ons, clicking "Find Updates", and installing the update if one is available.

See the Perspectives Firefox Help Page

Known Issues:

  1. If your local network uses a proxy or firewall to access the Internet, it may prevent Perspectives from reaching notaries. As a result, all sites will fail verification (more details).
  2. If going to a website with a self-signed certificate causes a small error dialog to pop up in front of a blank page, instead of showing a full error page, Firefox may be misconfigured in a way that prevents Perspectives from working. To check, type "about:config" (no quotes) into the browser URL bar. Click past Firefox's warning, and then type 'browser.xul.error_pages.enabled' in the 'Filter' textbox at the top of the page. If the 'Value' column shows 'false' for this setting, double-click the text 'false' to change it to 'true'. 'true' is the default setting for Firefox 3, but some users have reported that their browser was set incorrectly.
  3. Firefox extension APIs changed significantly between Firefox 2 and Firefox 3. The current code works ONLY with Firefox 3. The Firefox 2 code is no longer supported.
  4. Our code to override the Firefox security warning page for self-signed, mismatched, and expired certs is not perfect. Sometimes you will see the warning flash before our code overrides it.

Source

The Perspectives Firefox Extension code is now available on GitHub:

Now that Perspectives is written completely in JavaScript, it should be easy to play with the source code yourself. The source code contains all required source, images, etc., and includes a simple Makefile to package an XPI file. We welcome contributions, just send us a patch!