Using Petnames for Security

When I worked on my Master’s Thesis back in 1998 [wow, time flies], I spent quite a lot of time understanding the security semantics of names and naming schemes. At the time, I looked at SPKI/SDSI and X.509, and learned a lot. The whole concept still intrigues me, because it is at once very simple and very complex.

To put it simply, names cannot be global, secure, and memorable at the same time. You can only have two of the three, which is why SSL certificates have failed to provide protection against domain-name-based spoofing attempts.

Enter petname systems. The concept itself is not new, and was well understood when Ron Rivest worked on SDSI. Or at least that is what I believe, because I understood it back then.

But enough theory. Try it out yourself. Install the petname Firefox extension. It’s simple to use, and simple to understand. When you go to an SSL site for the first time, you give it a petname. From then on, you should always expect to see your petname when you visit that site. If the name does not show up, you see “untrusted” instead—a clear hint that something is wrong.
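The behaviour described above, sketched as an added example that is not the extension's own code. It assumes a site is identified by the fingerprint of its certificate; `PetnameStore`, `assign` and `display` are hypothetical names, and the fingerprints are constructed sample values.

```javascript
// Added illustration; not the Petname extension's source code.
// Assumption: a site's identity is the hex fingerprint of its TLS certificate.
class PetnameStore {
  constructor() {
    this.byKey = new Map();   // fingerprint -> petname as the user typed it
    this.byName = new Map();  // normalized petname -> fingerprint
  }

  static normalize(name) {
    return name.normalize("NFKC").trim().toLowerCase();
  }

  // Bind a petname to a certificate fingerprint (the first-visit step).
  assign(fingerprint, petname) {
    if (!fingerprint) throw new Error("no TLS identity to bind a petname to");
    const key = PetnameStore.normalize(petname);
    if (!key) throw new Error("petname must not be empty");
    const owner = this.byName.get(key);
    // A petname is only useful if it is unique within this user's store.
    if (owner !== undefined && owner !== fingerprint) {
      throw new Error("petname already names a different site");
    }
    const old = this.byKey.get(fingerprint);
    if (old !== undefined) this.byName.delete(PetnameStore.normalize(old));
    this.byKey.set(fingerprint, petname.trim());
    this.byName.set(key, fingerprint);
  }

  // What the toolbar shows. The hostname is deliberately not an input.
  display(fingerprint) {
    if (!fingerprint) return "untrusted";
    return this.byKey.has(fingerprint) ? this.byKey.get(fingerprint) : "untrusted";
  }
}

// Constructed sample data: made-up fingerprints, not real certificates.
const BANK_CERT = "a1".repeat(32);
const LOOKALIKE_CERT = "b2".repeat(32);

function demo() {
  const store = new PetnameStore();
  const firstVisit = store.display(BANK_CERT);      // no petname assigned yet
  store.assign(BANK_CERT, "My Bank");
  const returnVisit = store.display(BANK_CERT);     // same certificate as before
  const lookalike = store.display(LOOKALIKE_CERT);  // similar name, other certificate
  const plainHttp = store.display(null);            // no TLS identity at all
  let reuseBlocked = false;
  try { store.assign(LOOKALIKE_CERT, "my bank"); } catch (e) { reuseBlocked = true; }
  return { firstVisit, returnVisit, lookalike, plainHttp, reuseBlocked };
}
```

Because the lookup is keyed on the certificate and not on the hostname, a lookalike domain with its own valid certificate still shows "untrusted".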

For you security geeks out there, this may be just the Thing™ to help your aunt, uncle, or whatever to avoid falling for phishing attempts. Perhaps even the best thing since sliced bread. Not that I like sliced bread.

