Q: Is my computer insecure if I do not install Perspectives?
A: No, you will be safe if you simply go along with Firefox’s default suggestion and refuse to connect to any websites that show Security Errors. Perspectives aims to make a better trade-off between security and usability with respect to these Security Errors by distinguishing between the frequent false positives and the rare (but serious) attack scenarios. If you aren’t familiar enough with Internet security to know the difference between a certificate signed by a Certificate Authority and a self-signed certificate, Perspectives may not be a good match for you. Hopefully in the future we will be able to work with browser makers like Mozilla and Microsoft to integrate Perspectives-like functionality into the normal browser experience.
Q: But what if an attacker takes over all paths to the destination?
A: There are two answers to that. Please see our academic paper for a detailed security analysis.
1) Perspectives actually keeps a record of the keys used by a service over time. Thus, even if a powerful adversary is able to take over the whole Internet (scenario L_server in the paper), clients can still detect the key as suspicious because the key has recently changed. If the attacker is able to compromise all paths for a long time, then you are in trouble, but then again such a powerful adversary could also fool the so-called “verification procedures” of many certificate authorities, which often consist of a one-time email verification.
2) Even though a powerful adversary can defeat the system, it makes man-in-the-middle attacks much harder. Today an attacker only needs to be on the path between you and the destination, which isn’t very hard. Think about an open wireless network, or the recent DNS attacks which compromise a targeted DNS resolver. Being on all links is much harder, and in the end security is nothing but making an attack harder.
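The key-history check from answer 1 and the harder-attack argument from answer 2, as an added example that is not code from the Perspectives extension or the paper: a simplified model in which each notary reports the time spans during which it saw each key. The data layout, the quorum of 2, the 3-day threshold and all names and fingerprints are assumptions made for illustration.

```javascript
// Added illustration: a simplified key-history check, not the extension's own code.
// Notary names, fingerprints, timestamps, quorum and thresholds are all constructed.
const DAY = 86400; // seconds

// How long has one notary continuously seen `key`, up to `now`?
// 0 if its newest observation is a different key or is older than `maxStale`.
function consistentDuration(spans, key, now, maxStale) {
  const sorted = [...spans].sort((a, b) => b.end - a.end); // newest first
  if (sorted.length === 0 || sorted[0].key !== key) return 0;
  if (now - sorted[0].end > maxStale) return 0;
  let start = sorted[0].start;
  for (const s of sorted.slice(1)) {
    if (s.key !== key) break; // an earlier, different key ends the streak
    start = Math.min(start, s.start);
  }
  return now - start;
}

// Longest period for which at least `quorum` notaries agree on `key`:
// the quorum-th largest per-notary duration.
function quorumDuration(responses, key, now, quorum, maxStale = 2 * DAY) {
  const durations = Object.values(responses)
    .map((spans) => consistentDuration(spans, key, now, maxStale))
    .sort((a, b) => b - a);
  return quorum <= durations.length ? durations[quorum - 1] : 0;
}

function assessKey(responses, key, now, quorum, minDays) {
  const days = quorumDuration(responses, key, now, quorum) / DAY;
  return { days, verdict: days >= minDays ? "consistent" : "suspicious" };
}

const NOW = 1000 * DAY;
const OLD = "aa:11", NEW = "bb:22"; // placeholder fingerprints
// Three notaries that have seen OLD for 400, 350 and 300 days.
const stable = {
  n1: [{ key: OLD, start: 600 * DAY, end: NOW }],
  n2: [{ key: OLD, start: 650 * DAY, end: NOW }],
  n3: [{ key: OLD, start: 700 * DAY, end: NOW }],
};
// Every path is compromised: all notaries switched to NEW one day ago.
const allPathsHijacked = Object.fromEntries(["n1", "n2", "n3"].map((n) => [n, [
  { key: OLD, start: 600 * DAY, end: 999 * DAY },
  { key: NEW, start: 999 * DAY, end: NOW },
]]));

console.log(assessKey(stable, OLD, NOW, 2, 3));           // normal visit
console.log(assessKey(stable, NEW, NOW, 2, 3));           // on-path attacker near the client
console.log(assessKey(allPathsHijacked, NEW, NOW, 2, 3)); // key changed everywhere, recently
```

In this model the all-paths attacker only passes the check after holding every path for longer than the threshold, which is the "long time" case the answer concedes.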
Q: Does Perspectives prevent “phishing” attacks, when the user clicks on a link for, or is otherwise directed to, a DNS address other than the one they intended to reach?
A: No. Perspectives extends your browser’s basic SSL authentication mechanisms, which validate that the browser is securely communicating with the server identified in the URL bar. It cannot tell you if that URL is trustworthy or not. For example, if you click on an email with the link https://www.good.com.evil.com/login it will not detect that this website may be posing as good.com. You must enter https://www.good.com/login in order to be protected.
Q: I get a red icon and a message that Perspectives failed every time the extension contacts notaries. What is going on?
A: The most likely cause is that you are accessing the Internet through a proxy or firewall that is preventing Perspectives from reaching the notaries. Currently, we query notaries over HTTP using either port 80 or port 8080.
Q: What about services in “private” (RFC 1918) space?
A: Unfortunately, we can’t do much to monitor the keys used by these services, since our notary servers cannot reach them. Sorry.
Q: How does the recently announced MD5 attack on SSL certificates affect Perspectives?
A: The good news is that using Perspectives to check all SSL certificates can help detect such attacks. Also, the MD5 weaknesses described in the paper do not compromise the security of Perspectives. See our md5 page for details.
Q: I visited a website that uses a blacklisted Debian certificate, but Perspectives said it was secure. What gives?
A: Detecting such certificates is not the goal of Perspectives (there are already other fine extensions like SSLBlacklist that can help you). Perspectives plays a role that is similar to a certificate authority: avoiding man-in-the-middle attacks by attempting to determine if an SSL certificate (i.e., a public key) received by the browser is the actual certificate in use by the visited website. Perspectives does not do anything to protect you against a poorly run website where the administrator uses an insecure key pair (in the limit, the website admin could publish the private key, totally undermining security).