Charles

Introduction

Developer information
Name Charles
Member since Dec 17, 2014
Number of add-ons created 0 add-ons
Average rating of the developer's add-ons Not yet rated

My reviews

Perspectives

Rated 4 out of 5 stars

This addon provides excellent protection from Man-in-the-Middle attacks. These attacks are rare but not unheard of, and when executed allow the attacker to completely eavesdrop on your SSL-encrypted communications (that is, your typical "https" connections to your bank, Google, email provider, etc).

There are two problems with the addon. One is that two thirds of the notaries are now silent. I was concerned that this might just be me, but actually the screen shot image shown on the addon page shows the same problem: Only three servers (nine-eyes, heimdal and perspectives8 - the ones with green horizontal bars) return replies when queried. That's at most 3/9, or 33%. The default security level requires 75% of the notaries to agree for a connection to be flagged as "confirmed". What this means is that ALL connections are flagged as dangerous, which in turn means you must manually check the notary results each time. The notaries are volunteers that provide a free service, so it's understandable that they're not all in it for the long haul, but it greatly limits the value of the addon. This can be partly solved by manually setting the security to only require 30% agreement, but even that's not perfect (as I write this only nine-eyes and heimdal are returning audit information for https://addons.mozilla.org : 2/9 is less than 30% = Warning!)

The second problem is not Perspectives' fault, but it's an annoyance. Some websites (like my well-known credit card brand) initiate connections from a constantly churning and very large pool of diverse certificates. The notary results look like a confetti explosion. I'm baffled why they do this, but it means that such sites are *never* marked as "consistent", since each notary server is getting a different certificate every time they connect. Fortunately, that behavior seems isolated to only a handful of sites (though some of them are Fortune 50 companies).

Ideally, I'd like to see the Perspectives team and the Convergence team (http://convergence.io/) put together a joint addon AND host it on mozilla.org. An irony with Convergence is that it's self-hosted on an HTTP domain, and attempts to connect via HTTPS result in an SSL domain mismatch alert AND redirection to a different website. So I can't use Perspectives to help assure that I'm downloading an unaltered version of the Convergence .xpi file o_O

This review is for a previous version of the add-on (4.5.2.1-signed).
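As an added illustration of the quorum arithmetic in the review above (this is not the add-on's own code), the following Python models a notary quorum check the way the reviewer describes it: silent notaries still count in the denominator, so three agreeing replies out of nine queried is 33% and fails the 75% default, and a host whose responding notaries have each recorded several different certificates is never "consistent". The notary names nine-eyes, heimdal and perspectives8 are taken from the review; the fingerprints and replies are constructed, and the real add-on's separate quorum-duration setting is ignored.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NotaryReply:
    name: str
    # Fingerprints the notary has recorded for the host, newest first.
    # None means the notary did not answer the query (a silent notary).
    observed: Optional[List[str]]


def quorum_fraction(replies: List[NotaryReply], seen_fp: str) -> float:
    """Fraction of ALL queried notaries whose newest observation matches the
    fingerprint the browser just received. Silent notaries stay in the
    denominator, so 3 agreeing out of 9 queried is 1/3, not 3/3."""
    agreeing = sum(1 for r in replies if r.observed and r.observed[0] == seen_fp)
    return agreeing / len(replies)


def consistent(replies: List[NotaryReply]) -> bool:
    """True when every responding notary has only ever recorded a single
    fingerprint for the host. A site rotating through a large certificate
    pool fails this even though nothing is being tampered with."""
    responding = [r for r in replies if r.observed]
    return bool(responding) and all(len(set(r.observed)) == 1 for r in responding)


def verdict(replies: List[NotaryReply], seen_fp: str, quorum: float = 0.75) -> str:
    """'confirmed' if the agreeing fraction meets the quorum, else 'warning'.
    0.75 is the default the reviewer mentions; 0.30 is the manual workaround."""
    return "confirmed" if quorum_fraction(replies, seen_fp) >= quorum else "warning"


def _silent(n: int) -> List[NotaryReply]:
    # Constructed placeholder notaries that never answer.
    return [NotaryReply(f"silent-{i}", None) for i in range(n)]


# Constructed sample: nine notaries queried, three answering, all agreeing.
THREE_OF_NINE = [
    NotaryReply("nine-eyes", ["fp-A"]),
    NotaryReply("heimdal", ["fp-A"]),
    NotaryReply("perspectives8", ["fp-A"]),
] + _silent(6)

# Constructed sample: only two notaries answering (2/9 is below even 30%).
TWO_OF_NINE = [
    NotaryReply("nine-eyes", ["fp-A"]),
    NotaryReply("heimdal", ["fp-A"]),
] + _silent(7)

# Constructed sample: a site serving from a churning certificate pool, so each
# responding notary has recorded several distinct fingerprints.
CHURNING_POOL = [
    NotaryReply("nine-eyes", ["fp-C", "fp-D", "fp-E"]),
    NotaryReply("heimdal", ["fp-F", "fp-C"]),
    NotaryReply("perspectives8", ["fp-G"]),
] + _silent(6)


if __name__ == "__main__":
    for label, replies, fp in [("3/9", THREE_OF_NINE, "fp-A"),
                               ("2/9", TWO_OF_NINE, "fp-A"),
                               ("churn", CHURNING_POOL, "fp-C")]:
        print(label, f"{quorum_fraction(replies, fp):.2f}",
              verdict(replies, fp), verdict(replies, fp, quorum=0.30),
              "consistent" if consistent(replies) else "inconsistent")
```

The point the model makes explicit is that lowering the quorum only helps while enough notaries are still answering; once the responding set shrinks below the threshold, every site is flagged regardless of whether its certificate is genuine, and the user is left checking notary output by hand.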

Certificate Patrol

Rated 2 out of 5 stars

I used this addon for several years and recently disabled it. I believe it was interfering with TLS in some way. Recently, if I tried to connect to https://www.google.com, I received an error "The server rejected the handshake because the client downgraded to a lower TLS version than the server supports". With the same version of Firefox in a VM that didn't have Certificate Patrol I was able to connect without the error. After disabling Certificate Patrol I could connect to Google fine.

The error appears to be a security step on Google's part to prevent POODLE attacks - if the client (browser) tries to negotiate a connection with a POODLE-vulnerable version of TLS, the server (Google) refuses. It's not clear why Certificate Patrol would cause problems there, but the issue went away when I disabled CP. The implication is that CP is in some way negotiating a lower version of TLS, which if true would ironically reduce SSL security.

This review is for a previous version of the add-on (2.0.14.1-signed.1-signed).
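The Firefox message quoted in the review above is the client's report of the server's inappropriate_fallback alert defined in RFC 7507 (TLS_FALLBACK_SCSV), the mechanism servers deployed after POODLE. The following Python is an added model of both sides of that rule; it is not code from Certificate Patrol, Firefox or Google, and it does not reproduce whatever made the reviewer's browser retry at a lower version. The version tuples, the SCSV value 0x5600, the cipher-suite value 0x002F and the alert number 86 are the real protocol constants; the transcript is constructed.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int]            # TLS record-layer (major, minor)
TLS_1_0: Version = (3, 1)
TLS_1_1: Version = (3, 2)
TLS_1_2: Version = (3, 3)
TLS_FALLBACK_SCSV = 0x5600           # RFC 7507 signalling cipher suite value
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
INAPPROPRIATE_FALLBACK = 86          # RFC 7507 alert number


def client_hello(max_version: Version, suites: List[int], fallback: bool) -> Dict:
    """Build a ClientHello. A client that retries a failed handshake with a
    lower protocol version must append TLS_FALLBACK_SCSV (RFC 7507 section 4)
    so the server can tell a deliberate downgrade from a genuinely old client."""
    cipher_suites = list(suites)
    if fallback:
        cipher_suites.append(TLS_FALLBACK_SCSV)
    return {"version": max_version, "cipher_suites": cipher_suites}


def server_response(hello: Dict, server_max: Version = TLS_1_2) -> Dict:
    """RFC 7507 section 3: if the SCSV is present and the client's highest
    version is below the server's highest, abort with inappropriate_fallback.
    Otherwise negotiate the highest version both sides support."""
    if TLS_FALLBACK_SCSV in hello["cipher_suites"] and hello["version"] < server_max:
        return {"alert": "inappropriate_fallback", "code": INAPPROPRIATE_FALLBACK}
    return {"version": min(hello["version"], server_max)}


def fallback_transcript(attempts: List[Version],
                        server_max: Version = TLS_1_2) -> List[Tuple[Dict, Dict]]:
    """Replay a browser's fallback dance: the first attempt carries no SCSV,
    every retry at a lower version carries it. The model does not stop after
    a successful attempt, so a client that retries anyway shows exactly the
    downgrade the server is built to refuse. Returns (ClientHello, response)."""
    transcript = []
    for i, version in enumerate(attempts):
        hello = client_hello(version, [TLS_RSA_WITH_AES_128_CBC_SHA], fallback=i > 0)
        transcript.append((hello, server_response(hello, server_max)))
    return transcript


if __name__ == "__main__":
    for hello, resp in fallback_transcript([TLS_1_2, TLS_1_0]):
        print("ClientHello", hello, "->", resp)
```

Two details worth noting: the SCSV is harmless when the client's version already equals the server's maximum, and a server whose own maximum is TLS 1.0 accepts a fallback to TLS 1.0, so the alert is only ever raised for a retry below what both sides could have negotiated.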