Researchers at Carnegie Mellon University have released an extension for Firefox 3 that can protect wireless-network users from so-called 'man-in-the-middle' attacks.
The software, dubbed 'Perspectives', is available for download for free.
Perspectives also protects against attacks that exploit a recently exposed flaw in the DNS system, which translates web addresses into numerical IP addresses, said Dave Andersen, a computer science professor at Carnegie Mellon University, who was an adviser on the Perspectives project.
In an attack on the DNS system, someone typing in a legitimate web address could be unwittingly redirected to a malicious site. Perspectives would pop up a warning to the web surfer that the site they are going to is suspicious.
In general, Perspectives is designed to guide web surfers away from malicious sites. It is also designed to assure surfers when they visit sites that are safe but which Firefox warns about because the sites are not paying a third-party certificate authority, such as VeriSign, for authentication, and instead are using 'self-signed' digital certificates, also known as keys.
Signing up with a certificate authority can be expensive and time-consuming, so some sites prefer to do it themselves, Andersen said. If they do, Firefox penalises them by displaying an error message that says the browser is unable to verify that the site can be trusted.
The messages leave many web surfers confused, and they may either avoid a legitimately safe site or get used to automatically accepting certificates with the warning and inadvertently trust a malicious site at some point.
"The fear is that the Firefox policy will force some sites to use certificate authorities but will make others not use any security at all," Andersen said.
The Perspectives software queries servers around the internet that Andersen has set up as notary-type nodes and asks them to verify the certificate they see for the website sought and to verify what certificate they have historically seen for that site. If the computers are in agreement on those questions, the surfer is sent directly to the site. If there is disagreement on those questions, the browser displays a warning to the web surfer that the site is suspicious.
"The average [internet] user probably wouldn't see one of these attacks in a given year," Andersen said, when asked how severe the problem is. "But, an unlucky user in an airport or some convention where there happened to be a bad guy [lurking on the network] would definitely be vulnerable."
In order to post a comment you need to be registered and logged in
Log in or create your ZDNet UK account below
By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Membership FAQ
Google, Viacom trade blows in YouTube copyright spat: [zdnet.co.uk] Google and the US media giant Viacom have issued... http://dlvr.it/Knht
35 minutes ago on Twitter by cybfor
Be sure to include an audio option - eg. a beep tone - to intensify and reiterate the action. This will greatly benefit some consumers and give...
37 minutes ago by CIMITL Data disposal is really important to get right. There are standards set by UK and US federal governments to ensure that data is kept secure. If...
1 hour ago by DataSecurityUK Online Fiber Optic Certification Join a talented group of professionals, who are dedicated to Fiber Optic Networking technology. The online course...
3 hours ago by chaycon1 on BT launches 40Mbps fibre-based broadband Online Fiber Optic Certification Join a talented group of professionals, who are dedicated to Fiber Optic Networking technology. The online course...
3 hours ago by chaycon1 on Google to build gigabit broadband to the home
Hi Dava, I'm glad to hear from you, and glad that you see things from the other side. I think that is the most important point of the whole...
3 hours ago by J.A. Watson on Ubuntu 10.04 (Lucid Lynx) and the Latest Tempest
please please please please please please kill that spam bot.
4 hours ago by dava4444 on ZDNet UK: faster, smarter, still IT all the way it didn't post the link it's 'Ubuntu 10.04 Lucid Lynx Beta-1 First Look' on youtube :) Dava
7 hours ago by dava4444 on Ubuntu 10.04 (Lucid Lynx) and the Latest Tempest Hi James I disagree, Ubuntu needs a GUI update and this one IMO is quite good. your pics show a low res. here's a high res. on YouTube* The...
7 hours ago by dava4444 on Ubuntu 10.04 (Lucid Lynx) and the Latest Tempest Hi any news on the comment bot? knocking me back from my own blog is a bit cheeky lol *Mulder to Scully* "I think it has an agenda.." I know, I...
8 hours ago by dava4444 on ZDNet UK: faster, smarter, still IT all the way if you look at the Brentwood exchange on samknows it servers 21,000 residential propertiesm, Lowestoft serves 31,000! Come on BT sort yourselves...
8 hours ago by benny boy on BT fibre broadband coming to 69 more towns
[programming] H.264 - a sting in the tail http://reddit.com/bfu4q [zdnet.co.uk]
10 hours ago on Twitter by pbreddit
H.264 - a sting in the tail [programming] 13 points, submitted by zigzag [zdnet.co.uk] http://reddit.com/bfu4q
11 hours ago on Twitter by reddit Malware infects second Vodafone HTC phone: [zdnet.co.uk] A second Android-based HTC Magic from Vodafone has been... http://dlvr.it/KhKx
13 hours ago on Twitter by cybfor US gov t considers undercover social networking: [zdnet.co.uk] The Obama administration has considered sending... http://dlvr.it/Kh3L
13 hours ago on Twitter by cybfor
Chatter preview http://www.zdnet.co.uk/news/application-development/2010/03/17/salesforce-opens-up-chatter-developer-preview-40088348/
13 hours ago on Twitter by miyabi81 Please give me chance in the vodafone essar Ltd as back office executive
15 hours ago by sudipta_vodafone on Vodafone culls 375 'mainly back-office' jobs I want to get a back office job in vodafone direct payroll
15 hours ago by sudipta_vodafone on Vodafone culls 375 'mainly back-office' jobsFor multi-store outlets, including retail, banking, grocery, gas, hospitality, convenience stores and others, reducing (or avoiding) the cost of in-store system support and maintenance while maintaining compliance with PCI and other requirements has become a strategic challenge.
Speaker: Dr. Chenxi Wang, Principal Analyst, Security and Risk Management, Forrester Research, Inc. As Enterprises are increasingly connected to the Internet and as hard organizational boundaries are fast disappearing, security professionals are facing fresh challenges in Enterprise computing.
This tutorial is for new MindManager users and teaches you how to get started, by creating maps, reading maps and organizing your information.
