SSLbar

What?

When you visit an SSL secured web site, the SHA1 or MD5 fingerprint of the web site's SSL certificate will be displayed in your web browser's toolbar. If this makes about as much sense to you as wings on a goldfish, skip down to Why? for some further explanation.

SSLbar works with current versions of Mozilla (1.x), and FireBird (previously Phoenix). It should also work with current versions of Netscape. If you find a version of Mozilla, Firebird or Netscape that has problems with SSLbar, please let me know. If you would like to see a version of SSLbar for Internet Explorer, think long and hard about installing Mozilla or FireBird instead ;-)

Where?

If you have the "software installation" preference turned on, you can install SSLbar automatically using this handy one-click installer.

If you are running on Linux (or another Unix, or anything else with a decent security policy), you will likely need to be logged in as root for the automatic installation to work.

If you would like to install SSLbar manually, download sslbar.jar and save it in your mozilla/chrome directory. Then, add the following line at the end of your mozilla/chrome/installed-chrome.txt file:

content,install,url,jar:resource:/chrome/sslbar.jar!/content/sslbar/

Finally, restart Mozilla and you're done.

Why?

Because you are the best judge of whom to trust.

When you visit an SSL secured web site, the little padlock icon at the bottom of the browser window goes yellow to indicate that your connection is encrypted. Additionally, the SSL certificate of the web site is checked to see if it has expired, and if it was signed by a "known" certificate authority (CA). If it wasn't signed by a known CA, you'll see a warning to indicate that the authenticity of the certificate couldn't be verified.

This warning doesn't necessarily mean there's anything wrong with the certificate used to secure the site. It simply means that the operator of the site signed their own certificate, or had their certificate signed by a CA who does not appear in your web browser's default list.

There are a number of reasons why a site owner may choose not to use a commercial CA. Many (most?) require some proof of the site owner's identity, and they use traditional nation-state identification documents to prove this, such as business or company registration documents. This bizarre tie from a limited physical jurisdiction or meatspace identity to the space one "inhabits" on the global Internet just does not make sense to everyone. Further, commerical CA's can be quite expensive, and require you to renew your certificate for a fee every year.

The whole point of a certificate is to:

Provide encryption for data while viewing a site.
Prove that the site is run by who you think it is run by.

It's not enough to meet only one of these requirements; encrypted data is no good if you don't actually know who you're communicating with. If you look at the fingerprint of a site's certificate, and compare this against a fingerprint that you obtain from the site's owner via another channel (IIP, email, PGP-signed web page, etc.) you know that the above two items have been addressed.

If you leave it up to a commercial CA, you are trusting them to have verified the site owner's identity. For a good example of how this can fail, read Microsoft updates Windows to combat VeriSign glitch wherein is described "a pair of fraudulent digital certificates that were mistakenly issued by VeriSign Inc." in 2001.

Bottom line: if you check it yourself, you know exactly what's going on.

For some more thoughts on SSL, CAs and Public Key Infrastructure (PKI), check out the following documents:

Ian Grigg's SSL Considered Harmful page.
Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure by Carl Ellison and Bruce Schneier.
Seven and a Half Non-risks of PKI: What You Shouldn't Be Told about Public Key Infrastructure by Ben Laurie.

For an example of a web site that promotes the checking of fingerprints to verify the authenticity of their certificates, take a look at DMT. Follow the link that says "If your browser does not recognize the certificate of this site, click here to check, update and VERIFY", then use the instructions provided to verify the certificate fingerprint. (I'm not providing a link directly to the verification page, because its location can change from time to time.)

Who?

Please direct comments, questions, suggestions, bug reports, digital bearer instruments etc. to sslbar@metropipe.net.

Special thanks go to MetroPipe for providing hosting and email service for the SSLbar project.

Notes

The "Refresh" button in the toolbar is a throwback to when the toolbar didn't automatically refresh itself properly. If you don't think the toolbar has refreshed itself, try clicking this button.
I have occasionally found that when using SSLbar with PrefBar2, PrefBar2 does not appear correctly the first time a browser window opens.
This is a piece of software, therefore it's a work in progress... Expect even more useful additions to follow.
No goldfish were harmed during the production of this web page.