Saturday, October 19, 2013

BlueLight: A Firefox Extension for Notification of SSL Monitoring

Recently I built a Firefox Extension that was useful for my particular, if not peculiar needs. I wanted to share with any who might find it useful. BlueLight is designed to provide notification of SSL inspection--the type that is common for organizations to perform on the traffic of their consenting users.

There are many tools, and no shortage of Firefox extensions, that relate to SSL security and detecting MitM attacks. CipherFox and similar extensions are very useful, but didn’t fit my specific need because they aren’t quite noisy enough--I wanted more active and intrusive notification when CA’s of interest were used. Certificate Patrol and similar systems are useful for detecting the introduction of SSL inspection, but these systems don’t fit the scenario of overt, consensual, and long term SSL inspection. BlueLight is based heavily on Cert Alert. In fact, if the alerting criteria in Cert Alert wasn’t hardcoded, I’d probably be using it for this purpose.

BlueLight is useful when SSL Inspection is occurring, usually through a MitM scenario on web proxies using organizational PKI. Obviously, being notified of this on a per site basis is only useful when the organization is selective about what traffic is inspected—if everything is MitM’d then this notification provides no value.

Some claim that users are more secure when their traffic is subject to the organizations protections and monitoring. In this case, BlueLight provides re-assuring feedback to the user, letting them know that they are covered. Others may want to use BlueLight to know when they are under the purview of surveillance. It may deter them from taking some action while being subject to monitoring. In the case that monitoring should not occur on specific traffic, it provides useful notification to the user, so that the erroneous inspection can be rectified. In this vein, I’ve seen BlueLight be particularly useful as it alerts for all SSL elements of the page, not just the main URL (it alerts on the first occurrence, and only the first occurrence).

BlueLight isn’t designed to be useful for other scenarios such as detecting unauthorized SSL MitM attacks or any other covert SSL malfeasance. However, since BlueLight can be configured to alert on basically any certificate issuer, it may well be useful for other similar uses.

BlueLight has to be configured by the user to be useful. As it is, it’s probably only useful to reasonably technically savvy folk. In sharing BlueLight with the larger community, I hope it might be useful to others. BlueLight can be downloaded from addons.mozzilla.org or from csmutz.com/bluelight.