Firefox plug-in warns of compromised Internet connection

Status
Not open for further replies.

shadow2get

Pittsburgh (PA) – New software released as a browser plug-in by researchers at Carnegie Mellon University's School of Computer Science and College of Engineering provides an additional layer of security to warn users of potential eavesdropping when connections to secure websites are established. While the tool quietly resides in the corner of the browser window and may not be noticed most of the time, it may become an important tool that can verify that a secure connection, for example when visiting a bank website, in fact is free from an attack.

There is this uncomfortable feeling when visiting websites that list critical data that someone could be listening in. That is especially the case when you are using a wireless connection, and given how easily Wi-Fi connections can be attacked, it has become a common-sense rule that you just do not access your bank account or other critical information over a Wi-Fi network you are not familiar with. But what if you have no choice? How do you know that you are connecting your computer directly through a trustworthy Wi-Fi net to your bank and not through another PC of an attacker? How do you know you are not exposed to a man-in-the-middle attack?

A very simple and lightweight solution could be software developed by researchers at Carnegie Mellon and provided as a plug-in for the Firefox 3.0 browser (IE and Firefox 1.x and 2.x are not supported at this time). Called Perspectives, the software uses a set of friendly sites, or "notaries," to authenticate financial services, online retailers and other transactions requiring secure communications.

The researchers believe that Perspectives will be very efficient because they believe that “most of the time the Internet works correctly.” Since attacks are typically limited in scope or time, periodic network probing from “many vantage points across the Internet” is believed to be sufficient to authenticate a legitimate source and expose an attack that may be focused on a limited number of PCs: Whenever a key of a website needs to be authenticated, the software asks each network notary for the keys they have seen the server using over time and verifies that these records are consistent with the key it received.

To fool a browser into accepting a compromised key, an attacker would have to cover all notaries of the network over an extended period of time, which would be nearly impossible. Users can adjust the settings of their Perspectives software and change the number of consistent keys required to be received and the time frame a key must have remained the same. “These threshold values let you decide how paranoid you want to be about accepting keys,” the help file of the software reads. “In both cases, higher values are more secure, but also run the risk of incorrectly determining that a key is invalid.”

Carnegie Mellon’s software especially addresses an issue that has become more prevalent with the popularity of self-signed certificates, which are substantially cheaper for companies to employ than certificate authorities. "When Firefox users click on a Web site that uses a self-signed certificate, they get a security error message that leaves many people bewildered," David Andersen, assistant professor of computer science, said. Once Perspectives has been installed in the browser, however, it can automatically override the security error page without disturbing the user if the site appears legitimate.

Most Internet communications, such as to standard hypertext transfer protocol (HTTP) sites, are unsecured, but those involving encryption over the secure sockets layer (SSL) and those using the secure shell (SSH) protocol, which involves the use of a login and password, require that sites authenticate themselves with a digital certificate containing a so-called public key, which is used for encryption. The researchers explained that the exchange of this security information typically occurs without the computer user being aware of it, but if there are inconsistencies, a dialogue box with the warning "Unable to verify the identity of XYZ.com as a trusted site" is displayed and may leave users unsure of what to do.

"It's very, very, very easy for someone to convince you to go through their computer" when making connections through public Wi-Fi, Andersen said. A user who thinks he is linked to an airport or coffee shop "hot spot," for instance, might actually be linked to a laptop of someone just a few seats away. "A lot of people wouldn't even know they've been attacked," he said.

The researchers said that the system can also detect if one of the certificate authorities may have been tricked into authenticating a bogus Web site and warn the Firefox user that the site is suspicious.
Source
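A small model of the threshold check described in the post (a quorum of notaries that must agree, and how long the key must have stayed the same), written as an added example for this thread; it is not the Perspectives plug-in's own code, and the notary histories, key fingerprints and threshold values are constructed.

```python
"""Toy model of a notary-based key consistency check (constructed data)."""
from dataclasses import dataclass

DAY = 86400  # seconds


@dataclass(frozen=True)
class Observation:
    key: str    # fingerprint of the key the notary saw the server offer
    start: int  # first time the notary saw this key (unix seconds)
    end: int    # most recent time the notary saw this key


def current_key_age(history, key, now):
    """Seconds for which this notary has continuously seen `key` as the
    server's current key; 0 if its latest record shows a different key."""
    if not history:
        return 0
    latest = max(history, key=lambda o: o.end)
    if latest.key != key:
        return 0
    return now - latest.start


def quorum_duration(notaries, key, now, quorum):
    """Longest period during which at least `quorum` notaries all saw `key`.
    Sorting per-notary ages descending, the quorum-th largest is that value."""
    ages = sorted((current_key_age(h, key, now) for h in notaries.values()),
                  reverse=True)
    if quorum < 1 or quorum > len(ages):
        return 0
    return ages[quorum - 1]


def key_accepted(notaries, key, now, quorum, min_duration):
    """Accept the key the browser received only if enough notaries have
    consistently seen it for long enough (both thresholds user-tunable)."""
    return quorum_duration(notaries, key, now, quorum) >= min_duration


NOW = 10 * DAY
# Constructed histories for one host: four vantage points have seen "AA..11"
# for days; notary-c only switched to it a day ago; notary-d sees "BB..22".
NOTARIES = {
    "notary-a": [Observation("AA..11", 0 * DAY, NOW)],
    "notary-b": [Observation("AA..11", 3 * DAY, NOW)],
    "notary-c": [Observation("BB..22", 0 * DAY, 9 * DAY),
                 Observation("AA..11", 9 * DAY, NOW)],
    "notary-d": [Observation("BB..22", 0 * DAY, NOW)],
    "notary-e": [Observation("AA..11", 1 * DAY, NOW)],
}

if __name__ == "__main__":
    print(key_accepted(NOTARIES, "AA..11", NOW, quorum=3, min_duration=2 * DAY))
    print(key_accepted(NOTARIES, "EV..IL", NOW, quorum=3, min_duration=2 * DAY))
```

Raising the quorum from 3 to 4 with the same data makes the check fail, which is the "more paranoid, but more false alarms" trade-off the help file describes.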