Website Security with Petnames

SA Security Bloggers

SensePost

Haroon Meer
link

Matt Erasmus
link

Andrew Mohawk

Junaid Loonat
link

Barry Irwin
link

Tom Wells

Allen Baranov
link

Jock Forrester
link

IT Security Pubcast
link

Telspace

ISGAfrica

Ralfe Poisson

How-To's
link Linux SSH Jail with pam_chroot
link Firefox Privacy & Security Extensions

Papers
link Managing Patching, my MSc Thesis
link Risk Analysis of Monthly Patch Schedules

Tools
link Automated Vodacom SMS (VodaSMS)
link RSS 2 SMS
link DShield Hack Detection

Neologisms
link Encryption principles
link Zoolander's Law

Syndicate This Blog

SSL

Certificate fingerprints:

SHA1: 61 13 45 4B 4C F9 89 9B B7 87 C8 78 F7 38 12 CB 07 E2 60 BF
MD5 : DA 53 7B 50 E4 3A 2C 6C A1 17 53 C1 A0 5E CB 89

HTTPS version.
You can find an explanation here.

License

Original content in this work is licensed under a Creative Commons License

Disclaimer

This blog and its contents are in no way affiliated with, or endorsed by my employer.

Random Entry: Not Yet a Master.
< Absence | Microsoft's MS05-019 and Raw Sockets >

Monday, April 25. 2005

Website Security with Petnames

In an earlier conversation, Tristan pointed me to a Mozilla extension called Petname. Here is a snip:

The petname tool will be enabled anytime you visit a site using SSL strong encryption. Initially, the petname tool will display the text "untrusted". If you decide to form a relationship with the site, overwrite this text with a reminder note describing the new relationship. The petname tool will remember this reminder note and display it every time you visit the site. Be sure to always check that the petname tool is displaying the expected reminder note before sending personal information to a site. If you have the misfortune to land on a spoof site, you'll know it because the petname tool will be displaying the text "untrusted", instead of your expected reminder note.

This looks like a great idea and adds some use to SSL certs. It allows you to assign a petname to an SSL cert, so when you visit the site in future it will display the petname. If there is a spoofing attempt it won't display the petname, but 'untrusted'. This has all been possible before and was the intention of SSL certs. However, nobody checks the SSL cert and many sites incorporate cert's that don't belong to their organisation.

For spoofing attempt resulting from spyware (for e.g. modification of the windows hosts file), this won't be hugely useful if the spyware writers incorporate code to spoof the petname, a scenario likely if petnames become widespread. For DNS and e-mail spoofing/phising attempts (a topical issue) this is usefull.

Posted by Dominic White in Security at 11:13 | Comments (2) | Trackbacks (0)

Last modified on 2005-04-26 09:34

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

This of course relies on people actually checking the thing. It is difficult enough to get them to check whether there is a little padlock at the bottom of their browser, or whether the URL starts with https://. It is also nothing you can't do already with your browser (X.509 certificates have a comment field where you can add your own comments). In short it looks like a cute toy that's not useful for anything other than being a cute toy :) If you care enough to check these sorts of things, you'll already be doing so; if you don't, this isn't going to make you care.

#1 Guy (Homepage) on 2005-04-25 16:44 (Reply)

I take your point but I don't think it can be completely written off. The other features and functionalities you mentioned are: 1) embedded in the certificate and hence, not from the user, and, 2) do not involve the users participation or understanding. I think (assuming avg.Joe gets it) participating in the scheme (by assigning the name) will provide more of an impetus to check the names. Then, lastly, this adds a feature I think all browsers should have, some information about the certificate displpayed on the main page, it is too obscure behind the lock icon. That last point can be implemented ina variety of ways.

#1.1 Dominic White (Homepage) on 2005-04-26 09:34 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	E-Mail addresses will not be displayed and will only be used for E-Mail notifications. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above:
	Remember Information? Subscribe to this entry