Firefox extension: New MitM Me

I’m an engineer. I understand SSL, public-key encryption, man-in-the-middle (MitM) attacks, and certificate chains-of-trust. I look carefully at the URL bar before entering login or personal data, I don’t allow javascript to change the status bar, and I mouse over a URL and read it before I click. I’m paranoid as all hell, and I do not fall for stupid fraud schemes.

I regularly interact with hundreds of SSL-enabled devices as part of my job. I don’t allow HTTP or telnet interfaces to devices that support HTTPS or SSH. These devices usually have self-signed certificates, and it is not always convenient (or possible, with some devices) to replace them with certs signed by the company’s root CA. This wasn’t a problem when all I had to do was bypass one error dialog. But then Firefox replaced this dialog with an extremely annoying 5-step dance. I’m tired of it.

Enter New MitM Me, a Firefox plugin to restore the old SSL error behaviour. Now Firefox still displays the “This Connection is Untrusted” page. But when you click the “Add Exception…” button, that’s it, you’re done.

I do not recommend that the average user install this plugin. For a casual user, this increases the chance of being defrauded. But if you are like me, if you truly know what you are doing and want to save some time, install it.

Has anyone hacked this plugin to restrict its behaviour to specific IP ranges, or to allow me to choose temporary or permanent with just one click?

Tags: ,

  1. Andrew’s avatar

    How do you get Firefox to show you the real URL? As far as i can tell the “Allow scripts to change status bar text” option doesn’t really do what it purports to do. Many, many sites large and small lie about the URL that you select.

    Reply

    1. tyler’s avatar

      That option works for me, Andrew. I believe I always see the correct target. Do you have a URL I can test?

      Reply

Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.