The new version will be reviewed by the Addons team, then automatically pushed via auto-update.

What’s New?

Remove the forced statusbar icon: The Perspectives icon will no longer always appear on the addons bar or status bar, freeing you to only place it where you want!

Add Perspectives icons: The Perspectives icon will now appear when you press alt-tab to switch between windows, making it easier to identify Perspectives dialogs.

Display key age: The ‘Notary Results’ dialog now displays the age of each key in days:

Several UI Improvements:

• Perspectives dialogs now center themselves in the screen
• The ‘Escape’ key can be used to cancel and close all Perspectives dialogs
• ‘OK’ and ‘Cancel’ buttons have a consistent placement
• The size of notary key textboxes has been increased to improve readability
• Alert popups now mention that they are from Perspectives

Other fixes: Perspectives 4.3 also fixes several bugs and adds more error checking to the Preferences dialog, so everything should work more smoothly!

Please try out Perspectives 4.3 and let us know what you think! Feedback, questions, and requests are all welcome

The proxy plays a really cute trick: it acts as a man-in-the-middle itself, so it can have complete control over whether the browser displays a website connection as secure or not.  This is secure, but if it sounds scary, you should probably stop reading right now.  This code is still new and is really just for experimentation by the kind of person who would have read the above explanation and thought: huh… that’s pretty cool.

Von quickly whipped us a experimental implementation in python.  This blog entry is about getting this proxy code working with Google Chrome on Ubuntu.

To get started, install some build dependencies :

sudo apt-get install git build-essential libsqlite3-dev libssl-dev

Now build and install Python2.7, so you can run python2.7 in addition to the default python that ships with Ubuntu:

wget http://python.org/ftp/python/2.7/Python-2.7.tgz
tar xvfz Python-2.7.tgz
cd Python-2.7/
./configure
make
sudo make altinstall
cd ..

Now build and install Me Too Crypto, a cryptography library for python (Note: you MUST use python2.7 to run setup.py):

wget http://pypi.python.org/packages/source/M/M2Crypto/M2Crypto-0.21.1.tar.gz
tar -xzf M2Crypto-0.21.1.tar.gz
cd M2Crypto-0.21.1
python2.7 setup.py build
python2.7 setup.py install
cd ..

Next, use git to grab the latest copy of the PerProxy code:

clone git@github.com:von/PerProxy.git
cd PerProxy

Next, generate a private key and certificate that will be used by the proxy:

python2.7 m2crypto-create-ca.py

This creates “ca-key.pem”, the private key, and “ca-cert.crt”, the corresponding certificate.

The next thing to do is have Google Chrome add this certificate as a trusted root certificate.  To do this:

• Click on the “wrench” icon
• Select “Preferences”
• On the left bar, click on “Under the Hood”
• Click “Manage Certificates”
• Click “Authorities”
• Click “Import”
• In the file dialog, browser to the PerProxy directory and choose the file ‘ca-cert.crt’ and click Open.
• Select “Trust this certificate for identifying web sites. “
• Click “OK”

Next, start running the proxy, which defaults to listening on localhost port 8080 (‘-d’ give extra debug output):

python2.7 PerProxy -d

Then configure Google Chrome to use this proxy for all HTTP traffic.

• Click on the “wrench” icon
• Select “Preferences”
• On the left bar, click on “Under the Hood”
• Click “Change Proxy Settings”
• Select the “Manual Proxy Configuration” radio button.
• In the “Secure HTTP Proxy”, enter a host value of “localhost” and a port of “8080″
• Click Close
• When a dialog prompts you again whether you want to apply these changes system-wide, click “Close” again.

To see PerProxy “promote” a certificate that would not normally be trusted, visit: https://moo.cmcl.cs.cmu.edu .  This site has a self-signed certificate and would normally result in a Chrome security error, but with PerProxy it is allowed as long as the notaries validate the certificate.

Awesome work Von!

The new version will be reviewed by the Addons team, then automatically pushed via auto-update.

What’s New?

Customize Icon Location:  Perspectives Icon can be place anywhere using Firefox’s mechanism for customizing toolbars.  For example, here’s a picture of the Perspectives icon right next to the URL bar:

Add Your Own Notary Servers:  The Perspectives Preferences dialog now has a tab dedicated to notary servers and includes the ability to specify your own notary servers to query in addition to the default set of notaries run by the Perspectives Project (the default notaries can even be disabled, if you prefer).

To add a notary server, add text in the following format to the bottom dialog window.  The first line should be the notary server’s DNS name and port, separated by a colon.  The next lines should be the notary server’s public key, including the “BEGIN PUBLIC KEY” and “END PUBLIC KEY” lines.  For example:

notary.mydomain.com:8080
-----BEGIN PUBLIC KEY-----
MIHKMA0GCSqGSIb3DQEBAQUAA4G4ADCBtAKBrAFiENC/BwZXOfzDOed4Qbvjd/25
MixlCMlRUlfArJAvcjeBRmnY4fdQhi7/VH1qZeTQClegX1FMcuOORD29a4lks12W
eTrh1HxLKxCTkPp5ZLqP8OiNxWqHdEQyinh2ulYFXZHWMlXhlsQKV2T7VsmfS0rL
eukQAWpgGTXhACyZNpOQgjMm1vWEFaIsd2tT59Son7vxyCcaBoFCWv+zRW6kwaoK
i0KgnEHwKwcCAwEAAQ==
-----END PUBLIC KEY-----

For example, here is a picture of adding a fake additional notary.

If you’re curious how you can get additional notary servers, look at our post about running your own notary server for free on Amazon Web Services.

If you’d like to beta test future version of the Perspectives Firefox Extension, sign up for our beta testing email list:

This post will show you how you can get your own notary running in just 15 minutes using AWS.

First, read about the free usage tier and sign up for an AWS account: http://aws.amazon.com/free/

Then, access the AWS management console to create an instance: http://aws.amazon.com/console/

Click on the “EC2″ tab near the top left of the screen, then click the “Launch Instance” button in the main window pane.

Choose an Ubuntu server AMI by clicking on the “Community AMIs” tab and finding a matching image.  Here are a couple things to keep in mind:

• Make sure the image is free tier eligible (denoted by a yellow star).
• I use an image with a “Root Store” of “ebs”, as this means that even if this particular instance dies, I can spin up a new instance and reattach the same disk.
• 64-bit image is suggested.
• I’ve done most of my testing on Ubuntu Maverick (10.10), but other recent Ubuntu platforms should work as well.  You can see the exact version for an image by reading the “Manifest” field.

In the “U.S East” region, an AMI that matches these criteria is: ami-cef405a7

Select your AMI, and keep the default “Micro” instance.

You will need amazon to create a SSH keypair, which will automatically be “injected” into the instance, allowing you to access the instance remote without a password.  Give this key a name (e.g., notary) and download it to you filesystem.

After downloading the key, make sure it is only accessible to your user:

chmod 600 notary.pem

Once you have launched the instance, you will need to modify its “security group”, which by default drops all inbound traffic.  You should open up port 22 for SSH and port 8080 for the notary webserver.   Click on “Security Groups” on the left panel, click on the “default” security group in the table, and view the box at the bottom of the pane.  Select “Inbound” and add two rules:

• Custom TCP Rule, port range = 8080, source = 0.0.0.0/0 , click “Add Rule”
• Custom TCP Rule, port range = 22, source = 0.0.0.0/0 , click “Add Rule”
• Click “Apply Rule Changes”

Now you can access your machine remotely.  Click on “Instances” in the left panel and select your instance’s row in the main pane and view the details box at the bottom.  Note the “Public DNS” field, as this is how you will access the machine remotely.  For example, run:

ssh -i notary.pem ubuntu@<insert-public-dns>

Now we are on the Ubuntu server and the real fun can be begin.  We need to install the right dependencies and download the notary code and admin utilities.

sudo apt-get install git-core python-sqlite python-m2crypto python-cherrypy3
git clone git://github.com/danwent/Perspectives-Server.git
git clone git://github.com/danwent/psv-admin.git

Now, initialize the setup and start the webserver:

psv-admin/setup.sh
psv-admin/start_webserver.sh

Now your notary is up and running!  It will respond to notary requests on port 8080 . To see the public key the notary uses to sign all requests, run:

cat Perspectives-Server/notary.pub

This is the public key that can be provided to a Perspectives client to authentic the notary response.  The server code comes with a simple client for you to test.  To query a website to monitor (called a “service-id” with Perspectives), specify it using the form ::2. For example for www.google.com, run:

cd Perspectives-Server
python utilities/simple_client.py www.google.com:443,2 localhost 8080 notary.pub

The first time this you query the notary server, it will not know about a service and will return a 404 error, as the notary -server will launch an “on-demand” probe for that service.  Wait a couple seconds and run the same command again and it should succeed.

A new version of the Perspectives Firefox Client will soon be released that will let you use your own notary servers as well.

By default, this notary server will run a scan of all known service-ids twice a day, as configured using crontab. You can manually run a scan of all services at any point by running:

psv-admin/start_scan.sh

For more information, look at Perspectives-Server/README and feel free to ask questions in the comments below.

• Highlight new work being done by us and others related to Perspectives
• Discuss and debate ideas of how a Perspectives-style model compares to existing models and how Perspectives can be improved.

If you’re interested in contributing to this blog, please drop us a note!