Firefoxish SSL sites

OK, so I started using FF 3. And I eventually noticed that when connecting to SSL secure sites (the ones starting with https://), the address bar no longer changes colour! (and that’s not the only thing that changed)

In version 2, Firefox used to issue a warning when a certificate was invalid for some reason. By “invalid”, I mean it either had expired, was self-signed (and had not been imported out-of-band), or the name it refers to was not the name given in the URL used. And the address would turn to a yellow background. The instructions to achieve the same with version 3 are given here; for Linux just put

#urlbar[level] .autocomplete-textbox-container > *
{ background-color: #FFFFB7 !important; }

in ~/.mozilla/firefox/xxxxxxxx.default/chrome/userChrome.css

To change to green bar, change the colour to #D0F2C4

A final word on SSL / HTTPS: whenever you access to an URL starting with https://<rest of url here>, your connection to that site is encrypted, which means that information received from and sent to said site cannot easily be eavesdropped. HOWEVER, this does not mean that the site you’re connecting to is the site you meant to be connecting to! In order words, the fact that a given site has an SSL certificate does not, by itself, prove its authenticity.

Browsers deal with this problem by shipping with a set of certificates hard coded. These are the certificates from companies like Verizon and Thawte. These companies then provide certificates to other entities, namely banks, and sign these with their own (root) certificates (the ones that are hard coded in browsers). The rationale of this is that the certification companies, before issuing a certificate, will verify that a given domain belongs to its purported owner. When the browser then sees a certificate matching a given name (URL), and signed by one of the root certificates it is aware of, will recognise the banking/e-commerce/whatever site as authentic.

In pratice this approach does not solve the problem because 1) it is possible to clone the site to another (subtly) distinct URL, with a different domain, and 2) that in turn makes it possible to request a new valid certificate for that new domain (so the site will appear as legitimate to the user) and finally 3) use DNS forgeries to trick users to the wrong sites.

My advice, is to always do two things: make sure the certificate is valid, and no matter how the URL changes, make sure you are always within the same domain (because that fact alone renders it impossible for an attacker to use a bogus certificate). From the DNS example, if your bank’s domain is hugebank.com, whenever you enter you personal info, that domain must be the same e.g.:

securebank.hugebank.com -> OK

hugebank.securebank.com -> WRONG! the domain here is securebank.com, NOT the bank’s domain!

One response to “Firefoxish SSL sites

  1. To properly understand the issues at stake here, it is necessary to understand what *exactly* is a certificate, and how the cryptographic algorithms underneath it work. That however, is out of the scope of this post. For what’s relevant here, you can think of a certificate as being something that *binds* together a name (URL) to a company/owner.

    Knowledgeable readers will notice that it is possible to change the URL without changing the domain; and that is indeed correct. However what’s of interest to an attacker is to change the domain, because he can than register that new domain, and get a certificate for it, therefore making it “look” authentic in the eyes of the unsuspecting user.