Why was the SSleuth add-on created?
While attempting to enable only strong cipher suites for a web server, I felt the need for something like this. The end users do not have much visibility of the SSL/TLS ciphers used in encryption. Shockingly, many major payment sites and banks enable weak ciphers with broken block ciphers and obsolete HMAC algorithms. So I decided to write a very simple addon that displays the cipher suite name and a rank out of 10.
However, the more I got involved in the addon, the more I realized that the cipher suite ranking alone wouldn't help in alerting the user. Hence an overall 'connection ranking' concept was conceived which is based on perfect forward secrecy, Firefox's own connection status, EV certificates and the validity of the certificate.
What's next for SSleuth
Here are some good things that can happen with this addon. Although it would depend on my available time, and I'm not making any promises to implement them, I'd love to see these done in future.
- At the moment, the strength estimate is only based on the connection to the main domain which the user requested. However, if the user exchanges sensitive information over multiple cross-domain sites (as is common nowadays: main domain, CDN sites and several third-party sites), the connection strength would also depend on those sites. It would be nice if the strengths of all the cross-domain sites were estimated and visualized for the user (possibly like a 'heat map').
- Make visible additional parameters like TLS version number (up until Firefox 26.0 this value is not exposed in any APIs).
- Expand the 'notes' associated with each cipher, possibly with sources/citations.
- Make the ranking mechanism configurable for an advanced user.
I believe that the UI is as important as anything else, and here are some possible enhancements:
- Make the addon bootstrapped for restartless installation. Make the preferences loading immediate.
- Preferences interface for hidden configurations (e.g. keyboard shortcut) and new features.
- Configurable view of more connection/certificate parameters: certificate fingerprint, signature algorithm etc.
- A color-coded background gradient behind the URL - light enough not to distract the user, and visible enough for a warning - again configurable by the user.
About the developer
|User since||November 19, 2013|
|Number of add-ons developed||1 add-on|
|Average rating of the developer's add-ons||Rated 5 out of 5 stars|