Needs a confirmation API Rated 3 out of 5 stars
CertPatrol is constantly popping up dialogs all over the place for me for almost expired certificates and CA changes for popular websites (Google, Amazon, etc). Maybe my Internet connection is being monitored or maybe not? I can't tell. What CertPatrol needs is a confirmation API similar to "is it me or is it down", but a package that can be installed on a trusted host. I own a dedicated server that is secure and isolated on a completely different network (it would be nothing short of impressive if the trust of both networks were violated at the same time). Pointing CertPatrol at a secure URL on my web server that exposes an API that goes and talks to the same domain my local machine is attempting to talk to would allow CertPatrol to ignore most of the dialogs that are currently popping up in my face. Only if there is a serious issue (e.g. two different root certs for the same domain from trusted server vs. local machine) would I or CertPatrol need to worry. Also, CertPatrol could be configured to only trust the response from the API if I choose to use my own homegrown CA (e.g. custom CA on a subdomain specifically for the API but not install the CA cert into my trusted root store - just a CA for CertPatrol to use to verify that the API interface hasn't been compromised). For every certificate presented to the browser, CertPatrol contacts the trusted server and makes sure that the same certificate is being presented to the trusted server. If so, and if the API hasn't been compromised, CertPatrol ignores the differences. For the super paranoid (as if my own paranoia isn't excessive already), CertPatrol could be configured with several trusted API endpoints. Each endpoint simply adds to the assurance level that the presented certificate and path to the CA in the trusted root store can be trusted (i.e. hasn't changed unexpectedly or the rest of the Internet sees the same thing). In summary, fewer dialogs = better!This review is for a previous version of the add-on (18.104.22.168-signed.1-signed).
I totally agree with you, the notifications are getting excessive and I really like your idea for an alternative design to detect suspicious certificate inconsistencies. Thanks for the great feedback!
Rated 5 out of 5 stars
great tool, 5 Stars for this.
But I would love to see one more feature: Like you remember the certificate of the server, can you also remember the TLS version that is used by each server and issue a warning when a lower TLS version is used in the future? Looks like a logical extension and very helpful agains downgrade attacks.
A great extension for Firefox – a must have for security concerned Rated 5 out of 5 stars
The issue with domains using changing certificates (e.g. www.google.com) has been fixed by allowing to either configure a check of site's certification authority's certificate (if it doesn't change) instead of the site's own, or by configuring the domain to be ignored (if the CA also change, as in some rare cases).
Improvement suggestion: A list of possible certs could be implemented per domain (instead of currently only one cert per domain). It would be useful for sites with changing certs – especially the ones also changing the CA – because the number of certs they use is still very limited. So that one then would not have to set the domain to be ignored, but would instead know that its cert is one of the list of the ones used by the domain. (This is an issue of those domains like google.com. Or maybe their desired behavior, to limit the worldwide damage in case a cert or its CA gets compromised.)
Note to Thunderbird: Unlike with Firefox, this add-on is not needed with TB. See http://forums.mozillazine.org/viewtopic.php?f=39&t=2687657 for information on how certificate pinning can be configured with Thunderbird itself.
Note to version 2.0.14: Since Firefox 19 (or so), the extension name is not shown under “Add-Ons”. “null 2.0.14” is shown instead. But the extension works as advertised nevertheless.
Update: Another suggestion: It would be great if it could also "pin" the certs of the update servers used by Firefox to search for new versions and update itself and its extensions.
Rated 1 out of 5 stars
It's a great idea, but for server farms like Google's, where there aren't any consistent certificates, it's simply going to numb you to the idea that certs are always changing.
Until the authors are willing to fix this—we've been complaining about it for years—it's worse than useless.
Rated 4 out of 5 stars
I also noticed the very frequent changes of Google certificates. Is this a sort of cookie like information gathering by google ? Can google detect when I click OK or Reject ?This review is for a previous version of the add-on (22.214.171.124-signed.1-signed).
Rated 3 out of 5 stars
Google certificates are changing every few minutes, if not less, so I'm repeatedly bombarbared with Google certificate approvals. "So what" if the prior ones become outdated. It's a damn annoyance to be prompted every FEW minutes for approving updates to the certificates.
What's the solution, to disable Certificate Patrol, or something else? I'll totally disable and possibly uninstall it, unless a helpful reply is provided, for I'm not going to put up with these continuous prompts for approviiing, or not, Google certs.
Good For Some But Not For The Blind Rated 3 out of 5 stars
This may have potential for the sighted but ever since I installed it a few days ago I have experienced a lot of trouble with it. Firstly, the fields are not labelled so says JAWS For Windows. I press Tab to go forwards and Shift+Tab to go backwards through a dialogue respectively and these read-only fields do not have labels or anything binded to the control. I as a blind person do not know what is what. This basically defeats the entire add-on because I can not discern between information in new and old certificates. Moreover, the entire layout is not designed for the non-sighted to make use of it.
Secondly, the options dialogue can use much improvement. I heard not long ago when Tab is pressed in a dialogue such as that there is a rectangle that puts focus to the control in question. If there exist any captions, tooltips or any additional information not encapsulated in that rectangle I do not notice it. There is a More Info [Alt+I] button and that thing too is not readable for me. I could keep typing for an hour explaining every single detail but my point is for EVERYBODY to have the ability to use this to its full and maximum potential it needs to be redesigned for everybody.
Rated 5 out of 5 stars
It's a great way to make sure that the site you're used to going to is still who you expect it to be. Sometimes there are too many notifications.This review is for a previous version of the add-on (126.96.36.199-signed.1-signed).
Simple, subtle way to improve security Rated 5 out of 5 stars
This add-on is simple, yet highly effective at detecting potential issues (e.g. man-in-the-middle attacks, unexpected certificate changes, etc.) related to SSL certificates.
In general, it is quiet and stays out of the way. In the few messages it presents to the user, it provides useful commentary about whether or not the change it detected is likely harmless or malicious, which is useful for non-technical users.
I highly recommend this add-on.
Rated 5 out of 5 stars
For the past few days, this addon "freezes" firefox, whenever I visit rapidshare:(..There seem to be multiple popups. I've done all that can be done with the exceptions. Don't know what is going on. Still great addon!
Edit: This could be a rapidshare problem.
I couldn't reproduce the problem, visited https://rapidshare.com/ and got only one notification without any freezing..
Rated 4 out of 5 stars
It's great that the new 2.0.12 has fixed the cert popup issue. Thank you to the developers. Just however, 2.0.12 also introduces a new bug that in the "Details" of "Clear Recent History", only "Browsing and Download History" is there visible with all other items disappearing.This review is for a previous version of the add-on (188.8.131.52-signed.1-signed).
Are you sure this is caused by the CertPatrol update? This works for me fine just like before and nothing changed in that part of the code in 2.0.12.
Check if disabling the addon or installing the previous version fixes it.
Rated 4 out of 5 stars
What with the recent problems with DigiNotar and potentially some other CAs this addon shows its importance and relevance.This review is for a previous version of the add-on (184.108.40.206-signed.1-signed).
Thunderbird support please =) Rated 5 out of 5 stars
Cert Patrol reports to support Thunderbird, but it appears be dormant and inactive in Thunderbird. Any news on when Thunderbird will truly be supported? And how exactly can I find out when it is supported? Is there a website I can monitor or something?This review is for a previous version of the add-on (220.127.116.11-signed.1-signed).
Uploaded a new version with a fix so it works again. Latest versions are at https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/versions/ you can install 2.0.12 from there or wait until Mozilla approves it and it gets updated automatically.
Good heads-up tool for SSL monitoring Rated 5 out of 5 stars
This Extension is useful for tracking SSL and TLS clearances on newly-visited Web pages, and the Preferences this Extension can locally allow and/or block individual Certificates, even mark a specific Certificate repository as untrusted when the need arises. The pop-up toolbar appears for first-time certificate presentations, with reject and view-details options.This review is for a previous version of the add-on (18.104.22.168-signed.1-signed).
Notification Bar, Suggestion Rated 5 out of 5 stars
Certificate Patrol needs an OPTION to "Do not repeat notifications in Notification Bar"
I keep getting the EXACT same notification on Google pages, a wildcard, EVERY time I load a page. Even if I use Refresh or open a Google page in a New Tab.
I've noticed this in some other pages that are NOT wildcard notifications.
Must-have fix for SSL shortcomings Rated 5 out of 5 stars
Righteous! Love this to death.
Edited for dev reply: SQLite: excellent. Mostly what I'm asking for is: in addition to the lovely host/domain ignore list you added, also a "host/domain to only check CA list". Keep it all centralized, and make it easy to only check CA for *.google.com, *.googleusercontent.com. and so on.
Right now, I have to check this box for *every certificate*, and it's a long, long slog. Then, when the cert expires in a-year-or-whatever: I have to re-check all those boxes for all those certificates. Too much effort.
I *want* to know if the issuance chain has *completely changed* on, say, Google certificates; I'd rather not ignore them entirely. However, until I can "semi-ignore" entire domains, it's very tempting to dump *.g*.com into the ignore list. Or disable Certificate Patrol entirely.
There's a checkbox in the change notification dialog that makes CP check only the issuer of the certificate for that host, you can also set this flag in the certificate manager, and yes it's stored in SQLite.
Be nice to have option to disable banner at top Rated 4 out of 5 stars
Certificate patrol is a great product. I applaud the recent "improvements."
One thing I would really like to see though is a setting that TOTALLY disables notices when new certificates are added to the library. For example, I don't want to see a banner appear across the top of the browser every time I visit a new HTTPS page. Just silently add the certificate to the library without telling me.
There should really be a setting for this silent behavior.
We added a setting for this in 2.0.10rc2, you can already try it or wait for the next stable release.
Great, but needs to be able to deal with sites load balancing Rated 4 out of 5 stars
Very useful for the security-conscious, but like a previous reviewer I've found that some sites (Twitter in particular) balance their load between servers with different SSL certificates installed, so even though I'm accessing the same URL each time, the certificate alternates back and forth between two different ones that are not due to expire and also have different CAs. This means I frequently have to dismiss a warning popup even though I've previously accepted both certs.This review is for a previous version of the add-on (22.214.171.124-signed.1-signed).
There's a a checkbox at the bottom of the change notification dialog (after clicking 'View Details') labeled 'Check certification authority only' which makes CertPatrol check only that the issuer is still the same for that host. This usually solves the problem for sites using load balancing (e.g. Google, Citibank).
The Twitter case is a bit different as they use completely different certificates from different issuers for si0.twimg.com, for this we added an ignore list to the prefs and an ignore button to the dialog that disables any checking for that host, so at least it's not annoying. This feature is going to be available in 2.0.10, for the impatient it's already available in the development channel, in version 2.0.10rc.
Works great, one feature needed Rated 4 out of 5 stars
Works great and I like knowing that I'm getting the same certs over and over and knowing that Mallory isn't trying to serve me a new certificate from a questionable/hacked/compelled Root CA.
However, the only issue I'm having is that many Google sites are using two (or more) certs and keep alternating back and forth. *.gstatic.com and ssl.gstatic.com. We really need a way to remember two or more certs for a site such as this and not have it keep flagging them as problems between clicks.
Constant notifications I have to manually dismiss Rated 1 out of 5 stars
I have all CAs disabled since I don't trust them and use Perspectives so that might be affecting it - most places are already overridden by perspectives.
Almost every site pops up the notification, including this one. Actually it popped up several while I was getting to this page. The version is 2.0.6. In the configuration panel there are 4 boxes, and all of them are NOT checked. There is no apparent way to tell it NOT to pop up anything.
There is no option to have it either shut up when storing the cert the first time ("Certificate accepted and stored"), or even to have the notification bar disappear after a few seconds if it is a low-threat. On my big screen is is annoying. On my netbook that doesn't have a lot of vertical space it makes it almost useless.
I get the perspectives notification the first time and that is enough. I only want notification if there is a different certificate than stored - one that changed something significant, and maybe one that automatically disappears in 5-10 seconds if it is something like a cert expiration switch (from the same CA even though I don't trust the CAs). Alternately, you might be able to integrate with Perspectives to validate the cert and NOT pop up anything if perspectives says the cert is valid.