There has been a lot of talk recently questioning the certificate authorities (CAs) that underpin the SSL/TLS world. After a few high-profile incidents, it is clear that there is something wrong with a model in which any one of hundreds of CAs can issue a certificate for any site.
While some people have suggested that DNSSEC might solve this problem, here are three Firefox add-ons that can be used today to enhance the security of HTTPS:
- Certificate Patrol applies the "trust on first use" principle familiar to most SSH users. It keeps track of the certificates you get for the sites you visit and displays a warning if important elements (e.g. the issuing certificate authority) change between visits.
- Perspectives uses a network of certificate notaries to issue a warning when you encounter a certificate that is different from what other Perspectives users see.
- Monkeysphere takes advantage of the PGP/GPG web-of-trust to verify the authenticity of certificates.
Unlike the Convergence approach, which completely takes over certificate handling, all three of the above add-ons can be used together.
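To make the "trust on first use" idea concrete, here is a small pinning store in the spirit of Certificate Patrol. This is an added example, not code from the add-on: it records the SHA-256 fingerprint and issuer of the first certificate seen for a host and classifies later certificates as unchanged, renewed under the same CA, or issued by a different CA (the case that deserves a loud warning). The `live_check` helper, the JSON store format and the sample "certificates" (plain byte strings standing in for DER) are all assumptions of this example.

```python
"""Trust-on-first-use certificate pinning, Certificate Patrol style (added example)."""
import hashlib
import json
import os
import socket
import ssl
from dataclasses import dataclass, asdict
from typing import Dict, Optional


@dataclass
class Pin:
    fingerprint: str  # SHA-256 over the DER-encoded certificate
    issuer: str       # issuer (CA) common name as reported by the TLS layer


class TofuStore:
    """Remembers the first certificate seen per host and flags changes.

    A change is never accepted silently: check() only reports it, and the
    caller decides whether to call accept(), mirroring the add-on's prompt.
    """

    def __init__(self, path: Optional[str] = None):
        self.path = path
        self.pins: Dict[str, Pin] = {}
        if path and os.path.exists(path):
            with open(path) as fh:
                self.pins = {h: Pin(**p) for h, p in json.load(fh).items()}

    def save(self) -> None:
        if self.path:
            with open(self.path, "w") as fh:
                json.dump({h: asdict(p) for h, p in self.pins.items()}, fh)

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        return hashlib.sha256(cert_der).hexdigest()

    def check(self, host: str, cert_der: bytes, issuer: str) -> str:
        fp = self.fingerprint(cert_der)
        pin = self.pins.get(host)
        if pin is None:
            # First contact: trust it, exactly like a new ssh host key.
            self.pins[host] = Pin(fp, issuer)
            return "first-use"
        if pin.fingerprint == fp:
            return "unchanged"
        if pin.issuer != issuer:
            # Different CA than the one we pinned: this is the warning case.
            return "changed-issuer"
        # Same CA, new certificate: most likely a routine renewal.
        return "changed-cert"

    def accept(self, host: str, cert_der: bytes, issuer: str) -> None:
        """Replace the pin after the user has reviewed a change."""
        self.pins[host] = Pin(self.fingerprint(cert_der), issuer)


def live_check(store: TofuStore, host: str, port: int = 443) -> str:
    """Fetch the leaf certificate from a real server and run it through the store.

    Not exercised offline; assumes normal CA validation is still in place
    (create_default_context), so TOFU is an extra layer, not a replacement.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            rdns = tls.getpeercert()["issuer"]
    issuer = {k: v for rdn in rdns for k, v in rdn}.get("commonName", "")
    return store.check(host, der, issuer)


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates; real input would be bytes
    # returned by getpeercert(binary_form=True).
    store = TofuStore()
    print(store.check("example.test", b"constructed cert A", "CA One"))  # first-use
    print(store.check("example.test", b"constructed cert A", "CA One"))  # unchanged
    print(store.check("example.test", b"constructed cert B", "CA One"))  # changed-cert
    print(store.check("example.test", b"constructed cert C", "CA Two"))  # changed-issuer
```

Note that a "changed-issuer" result is only a signal, not proof of an attack: sites do switch CAs. What the check buys you is that such a switch can no longer happen invisibly, which is exactly the gap a mis-issued certificate from a compromised CA exploits.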
The NSA recommends these Firefox settings (browse to about:config to set them):