Wednesday, November 08, 2006

Security, Shields up and Man in the Middle SSL...

So I was listening to TWIT and Steve Gibson of Shields Up fame while riding a plane back from San Jose on Monday evening (yeah, a red eye). Steve talked about a quasi man-in-the-middle SSL tactic that corporations employ (http://www.twit.tv/sn64). I started thinking: there is no reason a Firefox plugin couldn't alert a user that this was happening to their SSL connection. I've never written a Firefox plugin (yet). But the premise is pretty simple:

1) User requests https://somehost.com.
2) The corporate proxy (call it Widget Corp) terminates the connection, mints its own cert for somehost.com signed by the company's internal CA, and starts the SSL session with the browser using that cert. The browser raises no warning because IT has already pushed the internal CA into the trust store.
3) Firefox (via the plugin) inspects the presented cert and the requested URL: confirm the cert is actually for the requested host, then walk the signing chain from the leaf up to its root.
4) Alert if that chain terminates at a locally added root (the corporate CA) rather than at one of the browser's built-in public roots such as VeriSign or another external CA. The comparison has to be against Firefox's own built-in root list, not the user's current (possibly modified) store, and the check only tells you that a non-public root is in play, not whether IT or malware put it there.

So that would be a cool tool for all the paranoid corporate users. I'll leave the idea here for now.
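One way to implement steps 3 and 4, as an added example written here and not code from the original post or from any real Firefox plugin: the chain is modelled as plain JavaScript objects in the order the browser built it (leaf first, root last), and the built-in root list is reduced to a set of placeholder fingerprints. `PUBLIC_ROOTS`, the two sample chains and every name and fingerprint in them are constructed for illustration. A real plugin would pull the verified chain from Firefox's certificate objects and the fingerprints from the browser's own root store.

```javascript
// Added example (not from the original post): flag an SSL session whose
// certificate chain ends at a locally installed root rather than at one of
// the browser's built-in public roots. All names and fingerprints below are
// made-up placeholders, not real CA values.

// Stand-in for the browser's built-in root list, keyed by fingerprint.
const PUBLIC_ROOTS = new Set([
  "sha1:PUBLIC-ROOT-0001", // placeholder for a built-in root such as VeriSign's
]);

// Constructed chain for a normal connection: leaf -> intermediate -> public root.
const PUBLIC_CHAIN = [
  { subject: "CN=somehost.com", sans: ["somehost.com", "www.somehost.com"],
    issuer: "CN=Public Intermediate CA", fingerprint: "sha1:LEAF-0001" },
  { subject: "CN=Public Intermediate CA", sans: [],
    issuer: "CN=Public Root CA", fingerprint: "sha1:INT-0001" },
  { subject: "CN=Public Root CA", sans: [],
    issuer: "CN=Public Root CA", fingerprint: "sha1:PUBLIC-ROOT-0001" },
];

// Constructed chain for an intercepted connection: the proxy minted the leaf
// and signed it with a corporate root that was pushed into the trust store.
const INTERCEPTED_CHAIN = [
  { subject: "CN=somehost.com", sans: ["somehost.com"],
    issuer: "CN=Widget Corp Proxy CA", fingerprint: "sha1:LEAF-0002" },
  { subject: "CN=Widget Corp Proxy CA", sans: [],
    issuer: "CN=Widget Corp Proxy CA", fingerprint: "sha1:WIDGET-ROOT" },
];

// Match a certificate name against the requested host. A wildcard covers
// exactly one leftmost label ("*.example.com" matches "a.example.com" but
// neither "a.b.example.com" nor "example.com").
function hostMatches(pattern, host) {
  pattern = pattern.toLowerCase();
  host = host.toLowerCase();
  if (!pattern.startsWith("*.")) return pattern === host;
  const suffix = pattern.slice(1); // ".example.com"
  if (!host.endsWith(suffix)) return false;
  const left = host.slice(0, host.length - suffix.length);
  return left.length > 0 && !left.includes(".");
}

// Names a leaf certificate claims: its subject alt names plus the subject CN.
function leafNames(leaf) {
  const names = [...(leaf.sans || [])];
  const m = /(?:^|,\s*)CN=([^,]+)/.exec(leaf.subject || "");
  if (m) names.push(m[1]);
  return names;
}

// Step 3 and 4 of the post: verify the leaf is for the requested host, walk the
// issuer links up the chain, then classify the root. Returns one of
// "ok" (built-in public root), "intercepted" (locally trusted root) or
// "invalid" (chain does not even hang together).
function inspectChain(requestedHost, chain, publicRoots = PUBLIC_ROOTS) {
  if (!Array.isArray(chain) || chain.length === 0) {
    return { verdict: "invalid", reason: "no certificate presented" };
  }
  const leaf = chain[0];
  if (!leafNames(leaf).some((n) => hostMatches(n, requestedHost))) {
    return { verdict: "invalid", reason: `leaf certificate is not for ${requestedHost}` };
  }
  for (let i = 0; i < chain.length - 1; i++) {
    if (chain[i].issuer !== chain[i + 1].subject) {
      return { verdict: "invalid",
               reason: `chain break between ${chain[i].subject} and ${chain[i + 1].subject}` };
    }
  }
  const root = chain[chain.length - 1];
  if (root.subject !== root.issuer) {
    return { verdict: "invalid", reason: `chain does not end at a self-signed root (${root.subject})` };
  }
  if (publicRoots.has(root.fingerprint)) {
    return { verdict: "ok", reason: `chain ends at built-in public root ${root.subject}` };
  }
  return { verdict: "intercepted",
           reason: `chain ends at locally trusted root ${root.subject}, not a built-in public root` };
}

console.log(inspectChain("somehost.com", PUBLIC_CHAIN));
console.log(inspectChain("somehost.com", INTERCEPTED_CHAIN));
```

The root is identified by fingerprint rather than by name because an interception proxy can name its CA anything it likes; only the key material (and thus the fingerprint) distinguishes a built-in root from a look-alike that was added locally.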
