A critical security bug has been found that can lead to an incorrect quorum duration being calculated.
Summary: If your ((Quorum Percentage) * (Quorum Size)) is less than 0.5, any site will report a quorum duration equal to the longest length of all certificates returned by any notary, regardless of whether the key for any result matches the current certificate.
Temporary Workaround: Set your Preferences to use a high enough number of notaries and quorum percentage (i.e. default 10 notaries and at least a 10% quorum threshold). Using the default notaries (checking the checkbox) and 10% quorum will be enough to avoid this. Using any of the ‘High Security’, ‘Medium Security’, and ‘High Availability’ settings for Security Level will successfully avoid this bug.
Who is Affected: This issue only affects Perspectives clients who use a ‘Manual’ Security Level, and who have a ((Quorum Percentage) * (Quorum Size)) that is less than 0.5. For example, using only one notary with a quorum percentage of 10% would trigger this bug.
This currently affects all known versions of Perspectives clients.
What’s being done: We are actively working on a fix and will patch Perspectives as soon as possible. Bug details have been added to GitHub and will be updated as we make progress.
Update: This bug has now been fixed. A new release of Perspectives has been uploaded, and will be automatically published once it has been reviewed by the Mozilla Addons team. You can also download it directly via this link.