Typically, a web browser asks a website for authentication information, in the form of a certificate, in order to verify that the site is who it claims to be. If the certificate sent back to the browser is valid, the browser treats the website as trustworthy. However, bogus certificates that mimic real ones can now be created, tricking the browser into accepting a website as legitimate and safe and making it possible for ill-intentioned web users and fraudulent websites to launch “Man-in-the-Middle” (MitM) attacks, essentially a form of Internet eavesdropping in which the attacker sits between the user and the site.
To combat the growing threat posed by Internet eavesdropping, Carnegie Mellon CyLab researchers and computer science professors Adrian Perrig and Dave Andersen have developed Perspectives, a free browser add-on available for Mozilla Firefox. As of December 2008, an estimated 30,000 Firefox users had downloaded Perspectives. Perspectives helps thwart MitM attacks and steer users away from sites that may be malicious by adding an extra layer of security to the existing certificate authentication process. When Firefox receives a certificate from a website, Perspectives simultaneously queries a number of trusted Internet servers, called notaries, for the certificate information they have historically observed for that website. If the certificate information returned by the notaries matches the certificate Firefox received, the website is deemed safe. If not, the user is alerted that the website they are trying to access may be illegitimate.
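As an added illustration, not the Perspectives code itself, the following simplified Python model shows the notary check described above: each notary reports the certificate history it has observed for a host, and the browser accepts the certificate it received only if enough notaries (a quorum) have seen that same certificate consistently for a minimum period. The quorum and duration thresholds, the notary names and the certificate bytes are constructed assumptions for the example.

```python
import hashlib
from dataclasses import dataclass

DAY = 86400

@dataclass
class Observation:
    fingerprint: str  # hash of the certificate the notary saw for the host
    first_seen: int   # unix time the notary first recorded this certificate
    last_seen: int    # unix time the notary most recently recorded it

def fingerprint(cert_der: bytes) -> str:
    # Browser and notaries compare hashes of the certificate, not the raw bytes
    return hashlib.sha256(cert_der).hexdigest()

def notary_agrees(history, fp, now, min_duration):
    """True when this notary's most recent observation is fp and that key has
    been seen consistently for at least min_duration seconds."""
    if not history:
        return False
    current = max(history, key=lambda o: o.last_seen)
    return current.fingerprint == fp and now - current.first_seen >= min_duration

def check_site(cert_der, notary_histories, now, quorum=2, min_duration=7 * DAY):
    """Return (safe, agreeing_count): safe when at least `quorum` notaries agree
    that the certificate the browser received is the one they have seen."""
    fp = fingerprint(cert_der)
    agreeing = sum(notary_agrees(h, fp, now, min_duration)
                   for h in notary_histories.values())
    return agreeing >= quorum, agreeing

# Constructed sample data: the site's real certificate and a different
# certificate an interposed party would present (placeholder bytes, not real DER).
REAL_CERT = b"constructed DER for example.test, legitimate key"
OTHER_CERT = b"constructed DER for example.test, unexpected key"
NOW = 1_230_000_000  # fixed "now" so the example is deterministic
NOTARIES = {
    "notary-a": [Observation(fingerprint(REAL_CERT), NOW - 90 * DAY, NOW - 1)],
    "notary-b": [Observation(fingerprint(REAL_CERT), NOW - 60 * DAY, NOW - 2)],
    # notary-c has seen a new key for only an hour: too recent to vouch for it
    "notary-c": [Observation(fingerprint(REAL_CERT), NOW - 60 * DAY, NOW - 3600),
                 Observation(fingerprint(OTHER_CERT), NOW - 3600, NOW - 1)],
}

if __name__ == "__main__":
    print(check_site(REAL_CERT, NOTARIES, NOW))   # (True, 2)
    print(check_site(OTHER_CERT, NOTARIES, NOW))  # (False, 0)
```

A certificate that only one notary has just started seeing fails both the quorum and the duration test, which is what distinguishes a legitimate key rollover, seen by all notaries over time, from a certificate presented to a single client.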
Many companies already use a third-party certificate authority, such as VeriSign, Comodo, or GoDaddy, to authenticate their websites and help reduce the risk of MitM attacks. However, some companies prefer to handle certificate authentication themselves as a cost-saving measure, because third-party authentication services are expensive. Because Perspectives is a free, downloadable add-on, it offers companies a cost-effective extra layer of Internet security that complements existing authentication methods. At the same time, it gives cost-conscious companies that prefer to handle authentication themselves a way to operate their websites with a measure of security as well.