Pittsburgh (PA) - New software, released as a browser plug-in by researchers at Carnegie Mellon University's School of Computer Science and College of Engineering, adds a layer of security that warns users of possible eavesdropping when a connection to a secure website is established.
Good idea, in theory. My questions are about the implementation.
Are the "notaries" vetted or certified in some manner? If not, what is to stop the attackers from creating thousands of fake notaries using a bot-net and zombies that they control?
Are the "notaries" accessed using DNS? If so, then if the attackers can poison your DNS, they can direct you to a "notary" they control and again, you gain nothing.
If they've addressed those issues, then this could be a very useful approach. Not perfect, but security never is. Good security uses layers of security, such that an attacker must compromise multiple independent systems and/or layers to mount a successful attack. This could be one more layer.
[citation][nom]geoffs[/nom]Are the "notaries" vetted or certified in some manner?[/citation]
I just found the answers to my questions on the Perspectives site at www.cs.cmu.edu. They do have a vetting process for notaries; currently they're all at CMU, but they're looking to expand. They don't rely upon DNS; they have a notaries file that uses IP address and a public key.
An attacker could still compromise it by capturing traffic to/from the list of notaries, by changing the notaries file, or similar approaches, but those are much more difficult attacks to apply remotely. And if they can do that, they could simply install a key logger and get the same info.
The problem I see is that this is just a way to make companies pay to use the notary service. It's bad enough that they have to pay to register their SSL certificates (even though that accomplishes nothing other than making a browser happy); now they'll have to pay for this notary service too? For small companies (my company has about 15 employees and runs 5 websites that use SSL), the thousands of $ a year that this costs is a major pain.