Convergence Firefox extension: replacement for the Certificate Authority system

From Convergence: Another Way to Trust:

I haven't tried Convergence yet. Instead, I use Perspectives.

 

Personally, I only install add-ons from the Mozilla website or another trusted company, but this is another addition to the list. So thanks for posting.

 

Interesting addon. Perspectives doesn't encrypt requests to notaries, I'm curious if this addon does.

"#Anonymous
Convergence caches trust information locally, and has a mode to shield your IP address from notaries when communicating with them, so that you never leak your browsing history to anyone else."

It would also be interesting to know how this IP shielding mode works.

It seems different than Perspectives btw. From what I understand Perspectives check certificates with notaries in addition to the normal check with CA's and OCSP check done by the browser. Convergence seems to replace the normal system check with the Notaries check:

 

Apparently, Convergence is not compatible with Firefox 3.6.21 and could not be installed.

-- Tom

 

From Why not Convergence?:

 

Anyone use aditional notary servers with Perspectives? Which are recommended? I've had a couple of issues where addon is unable to contact default servers

@BoerenkoolMetWorst: you posted a screenie of Certificate Patrol?

 

It works with FF 8.0 and 9.0 if used with the Add-on Compatibility Reporter so it should also work with 3.6.21. Perspectives, on the other hand, does NOT work in FF versions newer than 6.0.

 

But can you be sure the addon works properly, as the author intended? It's a security addon after all.

 

I'll test it. Seems promising.

 

Is there really such an issue with certificate systems? Except for self-signed certs (ie: wilders)

 

@Hungry Man: risk is real (remember Gmail users of Iran), of course if you don't do ebanking or work with sensitive information (... ) you may ditch it altogheter

My first impressions of Convergence: this addon does not seem compatible with addons that need DNS lookups to function properly, like Flagfox.

For the moment, and being less popular(?) than Perspectives it feels a little more responsive than this addon.

I also liked that is less intrusive than Perspectives althoug I personaly prefer Perspectives UI.

 

Yes, it shows Convergence replacing the normal certificate with it's own, so the normal CA check/OCSP validation done by the browser is totally replaced by the notaries system of Convergence.

 

The Gmail issue was due to a hacked certificate. It's silly to think that the entire system is broken because a hacker got through to some legit certs. And the only reason that whole situation got so out of hand was because DigiNotar didn't tell anyone for a month.

The certificate system is fine. While something like convergence may be picked up in a few years we have a system that's already been established and standardized.

What we need to do is get rid of self-signing certs and work on more complicated problems like SSL Stripping programs, which are insanely easy to use (takes very little time to set up, 0 time to execute) and way way wayyyy more of a danger to the average user than a falsified (or even hacked in typical circumstances) cert.

 

So you are saying that considering the state-of-the-art MITM prevention is not necessary? I don't know much about computer science but considering latest issues/incidents with SSL and HTTPS I feel safer with one such addon. Maybe it's psicological, but considering that both Mozilla and Chrome recently considered to hardcode it, I think the adoption of one such model makes sense. Besides, what this does is just an aditional check of the SSL key.

@BoerenkoolMetWorst: thank you for clarification, now I see; I don't have experience with that addon but I might try later

 

I'm saying we don't need addons and extensions to replace the system that's already in place.

These issues really aren't that knew. TLS 1.0 has had these issues for years, it's the reason we have 1.1 and 1.2 and why it's an ever-evolving technology. The issues with TLS 1.0 and the issues with the MITM attacks using certs are very different.

While they are the more publicized attacks I can tell you there are much easier ways to get someone on an encrypted network to reveal all of their information. Those attacks are both easier to implement and harder to mitigate.

Instead of rebuilding the system we have to deal with a single (yet very heavily publicized) attack we should focus on mitigating attacks that are far easier to implement like sitting in a starbucks running SSLStripper.

Mozilla and Chrome did what they always do in the case of an untrusted Cert. They blacklisted it. This was a big deal because they blacklisted hundreds of them and one was a google wildcard cert but this does not indicate an issue with the system itself.

No, maybe in the future something like convergence can be adopted. Right now there are way bigger issues.

 

About the MITM prevention. From your other thread you said that

So in your oppinion it doesnt make sense to add Convergence/Perspectives on top of the setup above? I do have a similar setup...

 

Custom firmware protects you from someone gaining control over your router through vulnerabilities in the firmware. It's not perfect, vulnerabilities will always exist, but it's better than using some legacy firmware full of known vulnerabilities.

There are other issues. You may be on a network with a weak password or encryption or on a public network (starbucks etc.) In these cases a falsified cert could be an issue.

If you're on a secure network and you trust that your ISP, DNS, router, and network in general are secure... you have nothing to worry about from a MITM attack, which by definition assumes some part of your network is compromised.

And if you did have someone on your network, as I said, there are methods that are much easier to implement than hacking yourself certificates. You can sit in any starbucks and pick up all sorts of info and you don't have to be some elite hacker with 300 diginotar certs.

EDIT: The cert system does have issues. Look at Wilders, it uses a "self-issued" cert. That's virtually useless, it's a formality at best.

 

Convergence 0.06 released

I could not find a changelog except

http://twitter.com/#!/moxie__/statuses/119470038855061504

 

"Qualys endorses alternative to crappy SSL system" : http://www.theregister.co.uk/2011/09/30/qualys_endorses_convergence/

 

I'm sorry to say that I was wrong: It seems that it doesn't work with FF 9 and 10. Whenever I load an SSL site Convergence says "Page nor secure" if I hover the mouse over its symbol. Doesn't make sense to me.

 

While I consider Convergence an interesting and promising concept, I've disabled it in FF 7.0.1 again. Loading new https sites is painfully slow (it takes ages until the existing certificates are replaced by the new ones), and even loading https sites for which Convergence certificates are already cached are very slow. This addon needs more development which I will certainly observe.

In the meantime I'm back to Perspectives.

 

On what websites do you experience slow down? I reported this yesterday with regards to Gmail (uncertain about Twitter)

 

Notary list

 

Yes, Gmail is one example. Google+ is another, but also Facebook (although less severe) or gmx.net or addons.mozilla.org. And all sites that rely on akamai.net.

 

Yes, I know that site, and I had added most of them. But I wonder if a bigger number of notaries isn't counterproductive (in terms of performance) as all of them have to be contacted.