Random Entry: There is no conspiracy, there is no conspiracy ...
< Absence | Microsoft's MS05-019 and Raw Sockets >

Website Security with Petnames

In an earlier conversation, Tristan pointed me to a Mozilla extension called Petname. Here is a snip:

The petname tool will be enabled anytime you visit a site using SSL strong encryption. Initially, the petname tool will display the text "untrusted". If you decide to form a relationship with the site, overwrite this text with a reminder note describing the new relationship. The petname tool will remember this reminder note and display it every time you visit the site. Be sure to always check that the petname tool is displaying the expected reminder note before sending personal information to a site. If you have the misfortune to land on a spoof site, you'll know it because the petname tool will be displaying the text "untrusted", instead of your expected reminder note.

This looks like a great idea and adds some use to SSL certs. It allows you to assign a petname to an SSL cert, so when you visit the site in future it will display the petname. If there is a spoofing attempt it won't display the petname, but 'untrusted'. This has all been possible before and was the intention of SSL certs. However, nobody checks the SSL cert and many sites incorporate cert's that don't belong to their organisation.

For spoofing attempt resulting from spyware (for e.g. modification of the windows hosts file), this won't be hugely useful if the spyware writers incorporate code to spoof the petname, a scenario likely if petnames become widespread. For DNS and e-mail spoofing/phising attempts (a topical issue) this is usefull.

Monday, April 25. 2005
Posted by Dominic White in Security
Comments (2) | Trackbacks (0)

Last modified on 2005-04-26 09:34

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

#1 Guy wrote (Link) (Reply)
Posted on Monday, April 25. 2005

This of course relies on people actually checking the thing. It is difficult enough to get them to check whether there is a little padlock at the bottom of their browser, or whether the URL starts with https://. It is also nothing you can't do already with your browser (X.509 certificates have a comment field where you can add your own comments). In short it looks like a cute toy that's not useful for anything other than being a cute toy :) If you care enough to check these sorts of things, you'll already be doing so; if you don't, this isn't going to make you care.

#1.1 Dominic White wrote (Link) (Reply)
Posted on Tuesday, April 26. 2005

I take your point but I don't think it can be completely written off. The other features and functionalities you mentioned are: 1) embedded in the certificate and hence, not from the user, and, 2) do not involve the users participation or understanding. I think (assuming avg.Joe gets it) participating in the scheme (by assigning the name) will provide more of an impetus to check the names. Then, lastly, this adds a feature I think all browsers should have, some information about the certificate displpayed on the main page, it is too obscure behind the lock icon. That last point can be implemented ina variety of ways.

Add Comment

Name
Email
Homepage
In reply to
Comment	E-Mail addresses will not be displayed and will only be used for E-Mail notifications. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above:
	Remember Information? Subscribe to this entry