Update 2007-02-16
Securing wi-fi browsing with SOCKS and ssh:
- ssh -D 1080 $ssh_server
- set localhost port 1080 as firefox's SOCKS5 connection
- set network.proxy.socks_remote_dns = true in about:config
So you know how SSH throws lots of flags when a server's host key changes? Wouldn't it be nice if FireFox did the same when the host key changed for an SSL site that was important to you?
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa.
Please contact your system administrator.
Add correct host key in /home/phaller/.ssh/known_hosts to get rid of this message.
Offending key in /home/phaller/.ssh/known_hosts:1
RSA host key for localhost has changed and you have requested strict checking.
Host key verification failed.
As things stand, if one of the 34 Certificate Authorities installed by default in Firefox screws up again, I could be in for a world of hurt because Firefox won't tell you if an SSL host key changes. The only way to get around this is to remove all the CAs:
sudo /bin/mv -f /opt/firefox/libnssckbi.so /opt/firefox/libsatanic-nssckbi.so
While you now are alerted when SSL host keys change, you need to check the site's certificate, e.g. (from Paul Heinlein's excellent site)
openssl s_client -connect ${REMHOST}:${REMPORT} \
| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
> mycert.pem
openssl verify < mycert.pem
openssl x509 -noout -fingerprint < mycert.pem
Now you'll get very nice big pop-ups when Firefox tries to load sites with unknown keys.
Granted, there is more to securing Firefox than just SSL, I run No Script and Flash Block. What do you do to secure FireFox/Mozilla?
Not much really. I am woefully bad at my own security related concerns. If there was no Linux, my box would be owned on a regular basis.
In fact the one windows machine that I run with any regularity is the vm of XP that runs on my laptop, and just the other day I noticed it had an IRC daemon running on it :) (nope, I am not kidding, my vmware instance got owned). - Nathan
Heh, I should have added, when it's for other people I do the right things to lock boxes down, it's usually just my personal machines that I muff :) - Nathan
We should run a Capture the Flag contest. I know of at least two other people who would be interested. We can rent a VPS for $15 and put some bad code on it for people to hack.