Add-on recommendation #1: Conspiracy
There’s been a lot of discussion recently about the Certificate Authority (CA) paper, “Detecting and Defeating Government Interception Attacks Against SSL”. It turns out governments (or any law enforcement body) could compel a CA to issue them an intermediate CA certificate. That certificate then allows that body to trivially perform a man-in-the-middle (MitM) attack against any client talking to any server (Google, Microsoft, insert your bank here).
In case you don’t enjoy reading 20-page white papers, beyond the brief summary above you will want to check out the experimental Firefox add-on ‘Conspiracy’. It was written by the authors of the paper and it displays the country name/flag of the CA for the page you’re currently on. If you’re visiting your bank or web-mail client and notice you’re trusting a Chinese or Russian CA, you might want to think twice before entering your credentials. You can get the add-on here: https://addons.mozilla.org/en-US/firefox/addon/107867
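The check Conspiracy performs by hand, as an added example that is not the add-on's code: pull the issuer's country out of a certificate and alert when it changes for a host you have seen before. It works on the dictionary shape that Python's standard-library `ssl.SSLSocket.getpeercert()` returns, so in a real client you would pass `sock.getpeercert()` after the handshake; the two certificate dictionaries below are constructed for the demonstration, and the `store` dictionary stands in for whatever persistent trust-on-first-use database you keep.

```python
"""Issuer-country check in the spirit of the Conspiracy add-on (added example).

Works on the dict shape returned by ssl.SSLSocket.getpeercert():
    {'subject': ((('countryName', 'US'),), (('commonName', 'example.com'),)),
     'issuer':  ((('countryName', 'US'),), (('organizationName', 'Some CA'),)), ...}
"""


def _rdn_value(name, attr):
    """Return the first value of attribute `attr` in a getpeercert() name tuple, or None.

    A name is a tuple of RDNs, each RDN a tuple of (attribute, value) pairs.
    """
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def issuer_country(cert):
    """Two-letter country of the issuing CA, or '??' if the issuer has no countryName."""
    return _rdn_value(cert.get("issuer", ()), "countryName") or "??"


def issuer_dn(cert):
    """Flatten the issuer name into a single comparable string."""
    return "/".join(f"{k}={v}" for rdn in cert.get("issuer", ()) for k, v in rdn)


def check_issuer(store, host, cert):
    """Trust-on-first-use check of the issuing CA for `host`.

    `store` maps host -> (country, issuer DN) and is updated on first sight.
    Returns (verdict, message); verdicts: first-seen, unchanged,
    issuer-changed, country-changed (the last is the one Conspiracy highlights).
    """
    country = issuer_country(cert)
    dn = issuer_dn(cert)
    seen = store.get(host)
    if seen is None:
        store[host] = (country, dn)
        return "first-seen", f"{host}: recorded issuer {dn} ({country})"
    old_country, old_dn = seen
    if old_country != country:
        return "country-changed", f"{host}: CA country changed {old_country} -> {country}, issuer now {dn}"
    if old_dn != dn:
        return "issuer-changed", f"{host}: CA changed within {country}: {old_dn} -> {dn}"
    return "unchanged", f"{host}: issuer {dn} ({country}) unchanged"


# Constructed sample certificates (not real CA names) in getpeercert() shape.
BANK_CERT_FIRST = {
    "subject": ((("commonName", "online.bank.example"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Root CA"),)),
}
BANK_CERT_LATER = {
    "subject": ((("commonName", "online.bank.example"),),),
    "issuer": ((("countryName", "CN"),), (("organizationName", "Other Intermediate CA"),)),
}
NO_COUNTRY_CERT = {
    "subject": ((("commonName", "mail.example"),),),
    "issuer": ((("organizationName", "Countryless CA"),),),
}


def demo():
    """Run the three cases and return the verdicts in order."""
    store = {}
    verdicts = [
        check_issuer(store, "online.bank.example", BANK_CERT_FIRST)[0],
        check_issuer(store, "online.bank.example", BANK_CERT_FIRST)[0],
        check_issuer(store, "online.bank.example", BANK_CERT_LATER)[0],
        check_issuer(store, "mail.example", NO_COUNTRY_CERT)[0],
    ]
    for host in store:
        print(host, "->", store[host])
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The first sighting of a host is recorded rather than judged, which is the weakness of any trust-on-first-use scheme: a certificate presented on the very first visit is accepted. The add-on's country flag covers that gap by letting the user judge whether the country is plausible for the site.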
Add-on recommendation #2: Request Policy
This morning I was listening to the most recent Pauldotcom security podcast. They interviewed RSnake, who is an expert on web security. He mentioned a great Firefox add-on which helps you create rules to block cross-site requests. This is more fine-grained control than running NoScript. You can grab the add-on here: https://addons.mozilla.org/en-US/firefox/addon/9727
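To make concrete what "rules to block cross-site requests" means, here is an added example of a small default-deny policy evaluator; it is not Request Policy's code and the rule format is my own. A request is allowed if it stays within the same site, or if an (origin pattern, destination pattern) rule explicitly permits it; everything else is blocked. Same-site is approximated as "the last two DNS labels match", which is an assumption that breaks for suffixes such as `co.uk`, where a public suffix list would be needed. The sample requests at the bottom are constructed.

```python
"""Default-deny cross-site request policy (added example, not Request Policy's code)."""
from urllib.parse import urlsplit


def host_matches(pattern, host):
    """'*.example.com' matches example.com and every subdomain; anything else is an exact match."""
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def site_of(host):
    """Approximate registrable domain: last two labels (assumption; no public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_cross_site(origin_host, dest_host):
    return site_of(origin_host) != site_of(dest_host)


def evaluate(rules, origin_url, request_url):
    """Return 'allow' or 'block' for a request made by the page at origin_url.

    rules: list of (origin_pattern, destination_pattern) allow rules.
    Requests whose host cannot be determined are blocked.
    """
    origin_host = urlsplit(origin_url).hostname
    dest_host = urlsplit(request_url).hostname
    if not origin_host or not dest_host:
        return "block"
    if not is_cross_site(origin_host, dest_host):
        return "allow"  # same-site traffic is never subject to the rules
    for origin_pat, dest_pat in rules:
        if host_matches(origin_pat, origin_host) and host_matches(dest_pat, dest_host):
            return "allow"
    return "block"


# Constructed rule set: the bank may pull from its own CDN, webmail may load one tracker.
RULES = [
    ("*.bank.example", "*.bankcdn.example"),
    ("webmail.example", "cdn.static.example"),
]

# Constructed sample of (page origin, requested resource) pairs.
SAMPLE_REQUESTS = [
    ("https://online.bank.example/login", "https://online.bank.example/app.js"),
    ("https://online.bank.example/login", "https://img.bankcdn.example/logo.png"),
    ("https://online.bank.example/login", "https://tracker.adnet.example/pixel.gif"),
    ("https://webmail.example/inbox", "https://cdn.static.example/ui.css"),
    ("https://webmail.example/inbox", "https://evil.static.example/x.js"),
    ("https://webmail.example/inbox", "data:text/html,hi"),
]


def summarize(rules=RULES, requests=SAMPLE_REQUESTS):
    """Evaluate each request and return the list of verdicts (also printed as a log)."""
    verdicts = []
    for origin, dest in requests:
        verdict = evaluate(rules, origin, dest)
        verdicts.append(verdict)
        print(f"{verdict:5} {urlsplit(origin).hostname} -> {dest}")
    return verdicts


if __name__ == "__main__":
    summarize()
```

Note the last two sample requests: `evil.static.example` is blocked even though `cdn.static.example` is allowed, because the rule names a host rather than a wildcard, and a `data:` URL has no host at all and falls into the block branch rather than accidentally counting as same-site.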