Posted in Perspective Proxy on July 8, 2011
Von Welch contacted me recently with a really cool idea: make a client-side proxy that implements Perspectives logic. This client-side proxy would work with any browser, finally giving us an answer to the people who contact us asking for Perspectives on Chrome/IE.
The proxy plays a really cute trick: it acts as a man-in-the-middle itself, so it can have complete control over whether the browser displays a website connection as secure or not. This is secure, but if it sounds scary, you should probably stop reading right now. This code is still new and is really just for experimentation by the kind of person who would have read the above explanation and thought: huh… that’s pretty cool.
Von quickly whipped up an experimental implementation in Python. This blog entry is about getting this proxy code working with Google Chrome on Ubuntu.
To get started, install some build dependencies:
sudo apt-get install git build-essential libsqlite3-dev libssl-dev
Now build and install Python 2.7, so you can run python2.7 in addition to the default python that ships with Ubuntu:
wget http://python.org/ftp/python/2.7/Python-2.7.tgz
tar xvfz Python-2.7.tgz
cd Python-2.7/
./configure
make
sudo make altinstall
cd ..
Now build and install M2Crypto ("Me Too Crypto"), a cryptography library for Python (note: you MUST use python2.7 to run setup.py):
wget http://pypi.python.org/packages/source/M/M2Crypto/M2Crypto-0.21.1.tar.gz
tar -xzf M2Crypto-0.21.1.tar.gz
cd M2Crypto-0.21.1
python2.7 setup.py build
python2.7 setup.py install
cd ..
Next, use git to grab the latest copy of the PerProxy code:
git clone email@example.com:von/PerProxy.git
cd PerProxy
Next, generate a private key and certificate that will be used by the proxy:
This creates “ca-key.pem”, the private key, and “ca-cert.crt”, the corresponding certificate.
The next thing to do is have Google Chrome add this certificate as a trusted root certificate. To do this:
- Click on the “wrench” icon
- Select “Preferences”
- On the left bar, click on “Under the Hood”
- Click “Manage Certificates”
- Click “Authorities”
- Click “Import”
- In the file dialog, browse to the PerProxy directory, choose the file ‘ca-cert.crt’ and click Open.
- Select “Trust this certificate for identifying web sites.”
- Click “OK”
Next, start running the proxy, which defaults to listening on localhost port 8080 (‘-d’ gives extra debug output):
python2.7 PerProxy -d
Then configure Google Chrome to use this proxy for all HTTP traffic.
- Click on the “wrench” icon
- Select “Preferences”
- On the left bar, click on “Under the Hood”
- Click “Change Proxy Settings”
- Select the “Manual Proxy Configuration” radio button.
- In the “Secure HTTP Proxy” field, enter a host value of “localhost” and a port of “8080”
- Click Close
- When a dialog prompts you again whether you want to apply these changes system-wide, click “Close” again.
To see PerProxy “promote” a certificate that would not normally be trusted, visit https://moo.cmcl.cs.cmu.edu. This site has a self-signed certificate and would normally result in a Chrome security error, but with PerProxy it is allowed as long as the notaries validate the certificate.
Awesome work Von!
Posted in Perspectives Firefox on July 4, 2011
A new version of the Perspectives Firefox Extension (version 4.2) has been uploaded to the Mozilla Addons site: Install New Version
The new version will be reviewed by the Addons team, then automatically pushed via auto-update.
Customize Icon Location: The Perspectives icon can be placed anywhere using Firefox’s mechanism for customizing toolbars. For example, here’s a picture of the Perspectives icon right next to the URL bar:
Add Your Own Notary Servers: The Perspectives Preferences dialog now has a tab dedicated to notary servers and includes the ability to specify your own notary servers to query in addition to the default set of notaries run by the Perspectives Project (the default notaries can even be disabled, if you prefer).
To add a notary server, add text in the following format to the bottom dialog window. The first line should be the notary server’s DNS name and port, separated by a colon. The next lines should be the notary server’s public key, including the “BEGIN PUBLIC KEY” and “END PUBLIC KEY” lines. For example:
notary.mydomain.com:8080
-----BEGIN PUBLIC KEY-----
MIHKMA0GCSqGSIb3DQEBAQUAA4G4ADCBtAKBrAFiENC/BwZXOfzDOed4Qbvjd/25
MixlCMlRUlfArJAvcjeBRmnY4fdQhi7/VH1qZeTQClegX1FMcuOORD29a4lks12W
eTrh1HxLKxCTkPp5ZLqP8OiNxWqHdEQyinh2ulYFXZHWMlXhlsQKV2T7VsmfS0rL
eukQAWpgGTXhACyZNpOQgjMm1vWEFaIsd2tT59Son7vxyCcaBoFCWv+zRW6kwaoK
i0KgnEHwKwcCAwEAAQ==
-----END PUBLIC KEY-----
For example, here is a picture of adding a fake additional notary.
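The notary-list format above, as an added example that is not code from the Perspectives extension or project: a small Python parser that validates a pasted notary list (a host:port line followed by a PEM public-key block, repeated per notary) before it goes into the dialog, so a typo in the host line or a truncated key is caught up front rather than silently ignored. The first entry is the one shown above; the second entry (notary.example.org) is constructed for illustration and simply reuses the same key. The function names and the error class are this example's own, not the extension's.

```python
"""Validate the notary-server list format used by the Perspectives
Preferences dialog.  Added example, not Perspectives project code."""
import base64
import hashlib
import re

BEGIN = "-----BEGIN PUBLIC KEY-----"
END = "-----END PUBLIC KEY-----"
HOST_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")
# DER encoding of the rsaEncryption OID (1.2.840.113549.1.1.1); used only to
# recognise an RSA SubjectPublicKeyInfo, not to parse the key in full.
RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")

# The public key block quoted in the post.
PAGE_KEY = """-----BEGIN PUBLIC KEY-----
MIHKMA0GCSqGSIb3DQEBAQUAA4G4ADCBtAKBrAFiENC/BwZXOfzDOed4Qbvjd/25
MixlCMlRUlfArJAvcjeBRmnY4fdQhi7/VH1qZeTQClegX1FMcuOORD29a4lks12W
eTrh1HxLKxCTkPp5ZLqP8OiNxWqHdEQyinh2ulYFXZHWMlXhlsQKV2T7VsmfS0rL
eukQAWpgGTXhACyZNpOQgjMm1vWEFaIsd2tT59Son7vxyCcaBoFCWv+zRW6kwaoK
i0KgnEHwKwcCAwEAAQ==
-----END PUBLIC KEY-----"""

# Constructed sample list: the post's notary plus a hypothetical second one
# (notary.example.org) that reuses the same key purely for illustration.
SAMPLE_CONFIG = ("notary.mydomain.com:8080\n" + PAGE_KEY + "\n"
                 "notary.example.org:8080\n" + PAGE_KEY + "\n")


class NotaryConfigError(ValueError):
    """Raised when the pasted text does not follow the expected format."""


def _der_total_length(der):
    """Total byte length of the outermost DER SEQUENCE, or -1 if the header
    is not a well-formed SEQUENCE (tag 0x30 followed by a valid length)."""
    if len(der) < 2 or der[0] != 0x30:
        return -1
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def parse_notary_list(text):
    """Parse the dialog text into a list of dicts with keys host, port,
    key_der and algorithm.  Raises NotaryConfigError on malformed input."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries, i = [], 0
    while i < len(lines):
        m = HOST_RE.match(lines[i])
        if not m:
            raise NotaryConfigError("expected host:port, got %r" % lines[i])
        port = int(m.group("port"))
        if not 1 <= port <= 65535:
            raise NotaryConfigError("port out of range: %d" % port)
        i += 1
        if i >= len(lines) or lines[i] != BEGIN:
            raise NotaryConfigError("missing %s after %s" % (BEGIN, m.group(0)))
        i += 1
        b64 = []
        while i < len(lines) and lines[i] != END:
            b64.append(lines[i])
            i += 1
        if i >= len(lines):
            raise NotaryConfigError("missing %s for %s" % (END, m.group(0)))
        i += 1                            # consume the END line
        try:
            der = base64.b64decode("".join(b64), validate=True)
        except ValueError as exc:         # binascii.Error is a ValueError
            raise NotaryConfigError("bad base64 for %s: %s" % (m.group(0), exc))
        if _der_total_length(der) != len(der):
            raise NotaryConfigError("key for %s is not a DER SEQUENCE "
                                    "of the right length (truncated?)" % m.group(0))
        entries.append({
            "host": m.group("host"),
            "port": port,
            "key_der": der,
            "algorithm": "rsaEncryption" if RSA_OID_DER in der else "unknown",
        })
    return entries


def is_valid_notary_list(text):
    """True if parse_notary_list accepts the text, False otherwise."""
    try:
        parse_notary_list(text)
        return True
    except NotaryConfigError:
        return False


def key_fingerprint(der):
    """SHA-256 hex digest of the DER key, for comparing against a value the
    notary operator publishes out of band."""
    return hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    for e in parse_notary_list(SAMPLE_CONFIG):
        print(e["host"], e["port"], e["algorithm"], key_fingerprint(e["key_der"]))
```

The DER length check is the part worth keeping even if the rest is trimmed: a key block that lost its last line during copy-and-paste still base64-decodes, but the outer SEQUENCE length no longer matches the decoded size, which is how the truncation is caught.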
If you’re curious how you can get additional notary servers, look at our post about running your own notary server for free on Amazon Web Services.
If you’d like to beta test future versions of the Perspectives Firefox Extension, sign up for our beta testing email list:
Note: These instructions are for version 2 of the Perspectives Server software, and are now out of date. We will be releasing an updated guide with the next release, version 3.2. For now please see the Perspectives Server README for up-to-date instructions, or feel free to contact us on the mailing list.
The Good News: it’s now even easier to run a Perspectives Server and you don’t need to install or use the ‘psv-admin’ package. Simply running the server will automatically create a key pair and set up the database if required!
This post will show you how you can get your own notary running in just 15 minutes using AWS.
First, read about the free usage tier and sign up for an AWS account: http://aws.amazon.com/free/
Then, access the AWS management console to create an instance: http://aws.amazon.com/console/
Click on the “EC2” tab near the top left of the screen, then click the “Launch Instance” button in the main window pane.
Choose an Ubuntu server AMI by clicking on the “Community AMIs” tab and finding a matching image. Here are a couple things to keep in mind:
- Make sure the image is free tier eligible (denoted by a yellow star).
- I use an image with a “Root Store” of “ebs”, as this means that even if this particular instance dies, I can spin up a new instance and reattach the same disk.
- 64-bit image is suggested.
- I’ve done most of my testing on Ubuntu Maverick (10.10), but other recent Ubuntu platforms should work as well. You can see the exact version for an image by reading the “Manifest” field.
In the “U.S. East” region, an AMI that matches these criteria is: ami-cef405a7
Select your AMI, and keep the default “Micro” instance.
You will need Amazon to create an SSH keypair, which will automatically be “injected” into the instance, allowing you to access the instance remotely without a password. Give this key a name (e.g., notary) and download it to your filesystem.
After downloading the key, make sure it is only accessible to your user:
chmod 600 notary.pem
Once you have launched the instance, you will need to modify its “security group”, which by default drops all inbound traffic. You should open up port 22 for SSH and port 8080 for the notary webserver. Click on “Security Groups” on the left panel, click on the “default” security group in the table, and view the box at the bottom of the pane. Select “Inbound” and add two rules:
- Custom TCP Rule, port range = 8080, source = 0.0.0.0/0, click “Add Rule”
- Custom TCP Rule, port range = 22, source = 0.0.0.0/0, click “Add Rule”
- Click “Apply Rule Changes”
Now you can access your machine remotely. Click on “Instances” in the left panel and select your instance’s row in the main pane and view the details box at the bottom. Note the “Public DNS” field, as this is how you will access the machine remotely. For example, run:
ssh -i notary.pem ubuntu@<insert-public-dns>
Now we are on the Ubuntu server and the real fun can begin. We need to install the right dependencies and download the notary code and admin utilities.
sudo apt-get install git-core python-sqlite python-m2crypto python-cherrypy3
git clone git://github.com/danwent/Perspectives-Server.git
git clone git://github.com/danwent/psv-admin.git
Now, initialize the setup and start the webserver:
Now your notary is up and running! It will respond to notary requests on port 8080. To see the public key the notary uses to sign all requests, run:
This is the public key that can be provided to a Perspectives client to authenticate the notary response. The server code comes with a simple client for you to test. To query a website to monitor (called a “service-id” in Perspectives), specify it using the form ::2. For example, for http://www.google.com, run:
cd Perspectives-Server
python utilities/simple_client.py www.google.com:443,2 localhost 8080 notary.pub
The first time you query the notary server, it will not know about a service and will return a 404 error, as the notary server will launch an “on-demand” probe for that service. Wait a couple of seconds and run the same command again and it should succeed.
A new version of the Perspectives Firefox Client will soon be released that will let you use your own notary servers as well.
By default, this notary server will run a scan of all known service-ids twice a day, as configured using crontab. You can manually run a scan of all services at any point by running:
For more information look at Perspectives-Server/README and feel free to ask questions in the comments below.
Posted in Misc on June 26, 2011
The Perspectives Project (http://www.cs.cmu.edu/~perspectives/) has been around for 3+ years now and it has attracted interest well beyond academic circles. Lately the interest has picked up significantly, and so we decided to create this blog to:
- Highlight new work being done by us and others related to Perspectives
- Discuss and debate ideas of how a Perspectives-style model compares to existing models and how Perspectives can be improved.
If you’re interested in contributing to this blog, please drop us a note!