This is a mirror of official site: http://jasper-net.blogspot.com/

Perspectives : Improving SSH-style Host Authentication with Multi-path Network Probing

Monday, April 11, 2011
Perspectives is a new approach to help clients securely identify Internet servers in order to avoid "man-in-the-middle" attacks. Perspectives is simple and cheap compared to existing approaches because it automatically builds a robust database of network identities using lightweight network probing by "network notaries" located in multiple vantage points across the Internet.

Contribute: If you would like to contribute to this project by writing code, running a notary, designing GUI's, or writing documentation please email us.

When you use a "secure" protocol like SSL or SSH to communicate on the Internet, your communication is vulnerable to a "man-in-the-middle" attack unless you are able to identify the remote server in a secure manner. One way to do this is to have the server participate in a "Public Key Infrastructure" (PKI) and buy a certificate from a certificate authority like VeriSign.

Unfortunately, PKIs can be expensive and cumbersome to operate, which has led to widespread use of a simple and cheap "Trust-on-first-use" mechanism, commonly associated with SSH and with HTTPS using self-signed certificates. This convenience comes at the cost of security. For example, here are some familiar warnings from OpenSSH and Firefox:

Few users bother to verify the correctness of the key manually (hey, we're lazy by nature!), but Perspectives provides a simple "no effort" way to get significantly more information about whether a key is correct for that destination. A client can automatically make a secure connection to one of several publicly available "network notary servers" located around the world. These servers tell the client:
  1. What key does the notary server see for host.domain.com right now?
  2. What keys has the notary server seen in the past for host.domain.com?
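The way a client can use those two answers is easiest to see in code. The following is an added example, not the Perspectives client or notary software: it models a simplified version of the notary check (a quorum of notaries must currently see the presented key, and that quorum must have held for a minimum duration) over constructed observation histories. Notary names, fingerprints, dates and the `check_key` policy thresholds are all assumptions.

```python
import math
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real notary output). For each notary, a list of
# observation spans (key_fingerprint, first_seen, last_seen), most recent last.
NOW = datetime(2011, 4, 11, tzinfo=timezone.utc)
DAY = timedelta(days=1)
NOTARIES = {
    "notary-a": [("aa:11", NOW - 400 * DAY, NOW - 30 * DAY), ("bb:22", NOW - 30 * DAY, NOW)],
    "notary-b": [("aa:11", NOW - 380 * DAY, NOW - 28 * DAY), ("bb:22", NOW - 28 * DAY, NOW)],
    "notary-c": [("bb:22", NOW - 10 * DAY, NOW)],
    "notary-d": [("aa:11", NOW - 200 * DAY, NOW)],  # this vantage point still sees the old key
}


def check_key(notaries, presented, quorum_frac=0.75, min_duration=7 * DAY, now=NOW):
    """Simplified Perspectives-style policy check (assumed thresholds).

    Returns (agreeing_notaries, quorum_duration, verdict). A notary agrees if the
    key it currently sees equals the key the client was presented. The quorum
    duration is how long at least quorum_frac of the notaries have agreed: now
    minus the start of the k-th earliest agreeing span, k being the quorum size.
    """
    needed = math.ceil(quorum_frac * len(notaries))
    starts = []
    for spans in notaries.values():
        fingerprint, first_seen, last_seen = spans[-1]  # most recent span
        # Only count a fresh observation; a stale notary says nothing about "now".
        if fingerprint == presented and last_seen >= now - DAY:
            starts.append(first_seen)
    if len(starts) < needed:
        return len(starts), timedelta(0), "reject"  # no quorum: key is inconsistent
    quorum_since = sorted(starts)[needed - 1]
    duration = now - quorum_since
    # A key that just reached quorum may be a legitimate rotation or a fresh
    # attack seen from several vantage points; warn until it has some history.
    verdict = "accept" if duration >= min_duration else "warn"
    return len(starts), duration, verdict


if __name__ == "__main__":
    for fp in ("bb:22", "aa:11", "cc:33"):
        print(fp, check_key(NOTARIES, fp))
```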

Read more: Perspectives
