Icon is always red cross for many well known sites

Open vlatkoB opened this issue 12 years ago • 8 comments

Hi,

Just installed the Firefox add-on and Perspectives icon is always displayed as red cross on the well known sites. Such as:

https://plus.google.com/
https://addons.mozilla.org/en-US/firefox/addon/perspectives/developers
https://github.com/danwent/Perspectives/issues/new (this page!)
https://encrypted.google.com/search
...

Tried with Security Level of Medium Security and High Availability. In Results window there are always several answers.

What does this icon mean? All those sites are insecure? Should the icon be changed if the meaning is different?

Or I'm just not getting it right?

br,

vlatko

vlatkoB • Sep 15 '13 07:09

Hi vlatko,

Two things are going on here. A few notary servers were down, but should be back up now. Sites that consistently use the same certificate (most sites, like mozilla.org and github.com) should show a green check mark now.

Unfortunately, Google sites use a whole mess of different certificates, and so you can often get a red X for those sites even with the notary servers fixed. This is not really saying that the site is insecure, it is just saying that the data does not look "right" to Perspectives. Certain sites that are frequently broken like *.google.com can be whitelisted. A site that is regularly green, but starts showing up as red is concerning.

danwent • Sep 15 '13 19:09

Hey vlatko, thanks for bringing this up. I think this would be worth explaining in the FAQ, because it can indeed be confusing.

To tackle the first issue of notaries not sending replies, I am actively working on code that will make them more stable and reliable. I hope to roll out an update soon.

To tackle the second issue of many rotating certificates, I have created ticket #63 to let people mark individual certificates as whitelisted instead of marking the whole site. This would mean that you can try to 'pin' or remember a set of certificates, so that Perspectives will work properly for sites that use many of them.

You bring up an important point - people's first impression just after they install Perspectives is important. We should try to make sure things are easy to understand and as clear as possible.

I'm going to re-open this ticket and assign it to myself to make sure I update the FAQ and until the notary stability update is finished.

daveschaefer • Sep 16 '13 04:09

Hi guys,

thanks for your answers. And indeed, github and mozilla sites are green now. :-)

Have you thought about showing different icons for different problems/issues/states? Like orange question mark, yellow exclamation point, etc.

br,

vlatko

vlatkoB • Sep 16 '13 08:09

All but one(?) server in the AWS rotation is failing at this time. (Or they're blocking inbound connections against a "well-known proxies, VPN endpoints, Tor nodes" list.) Perspectives could really use an option to not "fail" certificates because a notary isn't responding. I've had to add my own internal-only server and remove most of the notaries just to hit the 3/4ths quota.

rmenessec • Nov 04 '13 20:11

Hey @rmenessec thanks for the post. Yes, I am definitely aware of these issues and actively working on it. I have finished most of the code to improve notary stability (server version 3.2) and have upgraded both heroku notaries. I am working with Dan right now to upgrade the remaining AWS ones.

In the meantime it is possible to adjust your quorum numbers if you like. If you set the Security Level to 'Manual Configuration' you can set any value from 1-100 in Quorum Percentage and Quorum Duration. Would that help?

daveschaefer • Nov 06 '13 04:11
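An added illustration, not part of the thread and not Perspectives' own code: a simplified model of the quorum check discussed in the comments above, showing why unresponsive notaries and rotating certificates both end in a red X. It assumes the quorum is counted against every configured notary, ignores Quorum Duration, and uses constructed fingerprints; `quorumVerdict`, `scenarios` and the `ignoreSilent` option are hypothetical names.

```javascript
// Simplified notary quorum model (illustrative only; not Perspectives code).
// Each reply is the key fingerprint a notary reports for the site, or null
// when the notary did not answer.
function quorumVerdict(browserKey, replies, quorumPercent, opts = {}) {
  const ignoreSilent = opts.ignoreSilent === true; // hypothetical option
  const answered = replies.filter((r) => r !== null);
  // Assumption: the quorum is counted against every configured notary,
  // so each silent notary lowers the agreement that can be reached.
  const pool = ignoreSilent ? answered.length : replies.length;
  const needed = Math.ceil((quorumPercent / 100) * pool);
  const agreeing = answered.filter((r) => r === browserKey).length;
  return {
    needed,
    agreeing,
    silent: replies.length - answered.length,
    ok: pool > 0 && agreeing >= needed,
  };
}

// Constructed sample fingerprints.
const KEY_A = "aa:11:22:33";
const KEY_B = "bb:44:55:66";
const KEY_C = "cc:77:88:99";

function scenarios() {
  const allUp = Array(8).fill(KEY_A);
  const threeDown = [KEY_A, KEY_A, KEY_A, KEY_A, KEY_A, null, null, null];
  // A site that rotates certificates: notaries have seen different keys.
  const rotating = [KEY_A, KEY_A, KEY_B, KEY_B, KEY_C, KEY_C, KEY_A, KEY_B];
  return {
    allUp: quorumVerdict(KEY_A, allUp, 75),
    // No notary disagrees, yet 5 of 8 cannot reach the 6 that 75% requires.
    threeDown: quorumVerdict(KEY_A, threeDown, 75),
    // Counting only notaries that answered (the option asked for above).
    threeDownIgnoreSilent: quorumVerdict(KEY_A, threeDown, 75, { ignoreSilent: true }),
    // Manual Configuration with a lower Quorum Percentage.
    threeDownLowerQuorum: quorumVerdict(KEY_A, threeDown, 60),
    // Every notary answers, but only 3 of 8 saw the key the browser got.
    rotating: quorumVerdict(KEY_B, rotating, 75),
  };
}

console.log(scenarios());
```

Both workarounds make the verdict rest on fewer independent observations, which is the trade-off behind lowering the Quorum Percentage or discounting silent notaries.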

I'm aware of the config option. I installed a local server in some part so that I would have a notary that I'm reasonably certain is under my control. ;)

I realize that there's a lot to do, but it would be nice to see more flexible, fine-grained configuration of notaries in the future. (New GH issue?) I ended up copying the config for the two working public notaries, pasting it into the custom box, and checking the box to disable the default list.

Per-server control would be nice, preferably in a multi-select listbox control that can be populated / de-populated via a trivial mechanism. Something akin to NoScript's whitelisting UI, for example.

Just as a forward-looking suggestion, this may also be a good time to start storing notary data via the Storage API.

Finally, while I'm tossing out ideas for someone else to code (sorry—my expertise stops with UNIX shellcode), it would be great if the notaries could hand out data on the status of other notaries; some kind of system combining perhaps server-initiated notifications to other notaries ("I'm going offline" / "I'm back") plus some sort of simple "peer" status checking. This may raise questions of trust and spoofing, but it would be nice if the browser extension at least could decide whether to mark notaries as "known offline" based on results from working notaries. Right now, all the extension can(?) do is report that querying a notary didn't work for Reasons.

rmenessec • Nov 06 '13 19:11

> I installed a local server in some part so that I would have a notary that I'm reasonably certain is under my control. ;)

Hey, I think that is a great reason to run a local server ;)

> it would be nice to see more flexible, fine-grained configuration of notaries

I agree, and would like to address this. My first priority is getting the existing notaries reliable and stable enough for use.

We recently had another request for better control and organization of notaries; I have filed #97 and #98 . Would either of those help?

> this may also be a good time to start storing notary data via the Storage API.

Yes, I have plans for that when we get to improving client caching.

> it would be great if the notaries could hand out data on the status of other notaries

Yes, this is a good idea. Do you want to post to the mailing list and see if it generates discussion?

daveschaefer • Nov 07 '13 05:11

#97 seems interesting, but not necessary, nor related. #98 is a good idea, and it would be helpful to include it in a redesign of the notary UI/UX.

rmenessec • Nov 07 '13 19:11