Convergence Firefox extension: replacement for the Certificate Authority system

Discussion in 'other security issues & news' started by MrBrian, Sep 5, 2011.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Convergence: Another Way to Trust:
    I haven't tried Convergence yet. Instead, I use Perspectives.
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Personally, I only install add-ons from the Mozilla website or another trusted company, but this is another addition to the list. So thanks for posting.
     
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Interesting addon. Perspectives doesn't encrypt requests to notaries, I'm curious if this addon does.

    "#Anonymous
    Convergence caches trust information locally, and has a mode to shield your IP address from notaries when communicating with them, so that you never leak your browsing history to anyone else."

    It would also be interesting to know how this IP shielding mode works.

    It seems different than Perspectives btw. From what I understand, Perspectives checks certificates with notaries in addition to the normal check with CAs and the OCSP check done by the browser. Convergence seems to replace the normal system check with the notaries check:
     

    Attached Files:

  4. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    Apparently, Convergence is not compatible with Firefox 3.6.21 and could not be installed.

    -- Tom
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Why not Convergence?:
     
  6. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
    Anyone use additional notary servers with Perspectives? Which are recommended? I've had a couple of issues where the addon is unable to contact the default servers.

    @BoerenkoolMetWorst: you posted a screenie of Certificate Patrol?
     
  7. tlu

    tlu Guest

    It works with FF 8.0 and 9.0 if used with the Add-on Compatibility Reporter so it should also work with 3.6.21. Perspectives, on the other hand, does NOT work in FF versions newer than 6.0.
     
  8. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    But can you be sure the addon works properly, as the author intended? It's a security addon after all.
     
  9. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    I'll test it. Seems promising.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Is there really such an issue with certificate systems? Except for self-signed certs (i.e. Wilders)
     
  11. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
    @Hungry Man: the risk is real (remember the Gmail users of Iran); of course, if you don't do ebanking or work with sensitive information (... ) you may ditch it altogether.

    My first impressions of Convergence: this addon does not seem compatible with addons that need DNS lookups to function properly, like Flagfox.

    For the moment, and being less popular(?) than Perspectives, it feels a little more responsive than that addon.

    I also liked that it is less intrusive than Perspectives, although I personally prefer the Perspectives UI.
     
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Yes, it shows Convergence replacing the normal certificate with its own, so the normal CA check/OCSP validation done by the browser is totally replaced by the notaries system of Convergence.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    The Gmail issue was due to a hacked certificate. It's silly to think that the entire system is broken because a hacker got through to some legit certs. And the only reason that whole situation got so out of hand was because DigiNotar didn't tell anyone for a month.

    The certificate system is fine. While something like convergence may be picked up in a few years we have a system that's already been established and standardized.

    What we need to do is get rid of self-signing certs and work on more complicated problems like SSL Stripping programs, which are insanely easy to use (takes very little time to set up, 0 time to execute) and way way wayyyy more of a danger to the average user than a falsified (or even hacked in typical circumstances) cert.
     
  14. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
    So you are saying that, considering the state of the art, MITM prevention is not necessary? I don't know much about computer science, but considering the latest issues/incidents with SSL and HTTPS I feel safer with one such addon. Maybe it's psychological, but considering that both Mozilla and Chrome recently considered hardcoding it, I think the adoption of one such model makes sense. Besides, what this does is just an additional check of the SSL key.

    @BoerenkoolMetWorst: thank you for the clarification, now I see; I don't have experience with that addon but I might try it later.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I'm saying we don't need addons and extensions to replace the system that's already in place.

    These issues really aren't that new. TLS 1.0 has had these issues for years; it's the reason we have 1.1 and 1.2 and why it's an ever-evolving technology. The issues with TLS 1.0 and the issues with the MITM attacks using certs are very different.

    While they are the more publicized attacks I can tell you there are much easier ways to get someone on an encrypted network to reveal all of their information. Those attacks are both easier to implement and harder to mitigate.

    Instead of rebuilding the system we have to deal with a single (yet very heavily publicized) attack, we should focus on mitigating attacks that are far easier to implement, like sitting in a Starbucks running SSLStripper.

    Mozilla and Chrome did what they always do in the case of an untrusted cert. They blacklisted it. This was a big deal because they blacklisted hundreds of them and one was a Google wildcard cert, but this does not indicate an issue with the system itself.

    No, maybe in the future something like convergence can be adopted. Right now there are way bigger issues.
     
  16. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
    About the MITM prevention. From your other thread you said that
    So in your opinion it doesn't make sense to add Convergence/Perspectives on top of the setup above? I do have a similar setup...
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Custom firmware protects you from someone gaining control over your router through vulnerabilities in the firmware. It's not perfect, vulnerabilities will always exist, but it's better than using some legacy firmware full of known vulnerabilities.

    There are other issues. You may be on a network with a weak password or encryption, or on a public network (Starbucks, etc.). In these cases a falsified cert could be an issue.

    If you're on a secure network and you trust that your ISP, DNS, router, and network in general are secure... you have nothing to worry about from a MITM attack, which by definition assumes some part of your network is compromised.

    And if you did have someone on your network, as I said, there are methods that are much easier to implement than hacking yourself certificates. You can sit in any Starbucks and pick up all sorts of info, and you don't have to be some elite hacker with 300 DigiNotar certs.

    EDIT: The cert system does have issues. Look at Wilders, it uses a "self-issued" cert. That's virtually useless, it's a formality at best.
     
  18. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
    Convergence 0.06 released

    I could not find a changelog except
    http://twitter.com/#!/moxie__/statuses/119470038855061504
     
  19. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
  20. tlu

    tlu Guest

    I'm sorry to say that I was wrong: It seems that it doesn't work with FF 9 and 10. Whenever I load an SSL site Convergence says "Page nor secure" if I hover the mouse over its symbol. Doesn't make sense to me.
     
  21. tlu

    tlu Guest

    While I consider Convergence an interesting and promising concept, I've disabled it in FF 7.0.1 again. Loading new https sites is painfully slow (it takes ages until the existing certificates are replaced by the new ones), and even loading https sites for which Convergence certificates are already cached is very slow. This addon needs more development, which I will certainly observe.

    In the meantime I'm back to Perspectives.
     
  22. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
    On what websites do you experience slow down? I reported this yesterday with regards to Gmail (uncertain about Twitter)
     
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  24. tlu

    tlu Guest

    Yes, Gmail is one example. Google+ is another, but also Facebook (although less severe) or gmx.net or addons.mozilla.org. And all sites that rely on akamai.net.
     
    Last edited by a moderator: Oct 3, 2011
  25. tlu

    tlu Guest

    Yes, I know that site, and I had added most of them. But I wonder if a bigger number of notaries isn't counterproductive (in terms of performance) as all of them have to be contacted.
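    The thread above describes two properties of the notary model: Convergence replaces the browser's CA/OCSP check with a comparison against what the notaries report, caching the result locally (posts 3 and 12), and every configured notary has to be contacted, which is the performance worry in post 25. The following is an added illustration of that model, not Convergence's own code; the notaries, fingerprints and the "majority"/"consensus" policies are constructed here for the example.

```python
"""Model of a Convergence-style notary check (added illustration, not
Convergence's own code): each notary reports the certificate fingerprint
it sees for a host, the client applies a policy to those reports, and an
accepted fingerprint is cached so the notaries are not contacted again."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample fingerprints (not real certificates).
GOOD_FP = "aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd"
BAD_FP = "01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:14"

# A notary is modelled as host -> fingerprint, or None when unreachable.
# In the real extension each call is a network round-trip.
Notary = Callable[[str], Optional[str]]

def make_notary(view: Dict[str, str], online: bool = True) -> Notary:
    return lambda host: view.get(host) if online else None

@dataclass
class NotaryVerifier:
    notaries: List[Notary]
    policy: str = "majority"   # "majority" (more than half) or "consensus" (all)
    cache: Dict[str, str] = field(default_factory=dict)
    queries: int = 0           # notary round-trips made; grows with notary count

    def verify(self, host: str, presented_fp: str) -> bool:
        # Cached, unchanged fingerprint: no notary is contacted at all.
        if self.cache.get(host) == presented_fp:
            return True
        answers = []
        for notary in self.notaries:  # every configured notary is asked
            self.queries += 1
            fp = notary(host)
            if fp is not None:
                answers.append(fp)
        if not answers:
            return False              # no notary reachable: fail closed
        agree = sum(1 for fp in answers if fp == presented_fp)
        ok = agree == len(answers) if self.policy == "consensus" else 2 * agree > len(answers)
        if ok:
            self.cache[host] = presented_fp
        return ok

def demo_notaries() -> List[Notary]:
    """Two notaries agreeing with the server, one reporting a different
    fingerprint (stale or compromised vantage point), one offline."""
    return [make_notary({"example.com": GOOD_FP}),
            make_notary({"example.com": GOOD_FP}),
            make_notary({"example.com": BAD_FP}),
            make_notary({"example.com": GOOD_FP}, online=False)]
```

    The `queries` counter makes the post-25 trade-off visible: a cache hit costs nothing, but every cache miss costs one round-trip per configured notary, so adding notaries raises the cost of each new site.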
     