One more privacy and security tool! Rated 4 out of 5 stars

I held off on reviewing this one for a while because I needed to test it out and to do some more homework but now I am putting it into my "Apollo! Pack"! collection because it is one more step in the right direction. It alone is not going to secure your computer but it is one more step. Why Firefox doesn't do more to check certificates is a mystery.

This review is for a previous version of the add-on (1.8.3). 

Needs options... Rated 2 out of 5 stars

I had a problem with it not giving a cancel button, as there is such a thing as cookies that the suspicious site could get a hold of and use my session. I have noticed this with GitHub today and I am unsure if I should trust that they changed, as the CN on the old one is every subdomain and the CN on the new one is just github, as well as the new owner being DigiCert and 790 days until it expires when the old one was GoDaddy with 1290 days left. You would expect that they wouldn't change until it reaches the end of the certificate as there would be no reason, so I am guessing the new one is fake and I am unable to push cancel to stop it from loading...

This review is for a previous version of the add-on (1.8.3). 

You'll have to file a bug report with Mozilla...

There is no Firefox API that allows us to prevent a web page from
being loaded. All we can do and intend to do is to add a "Reject"
button which keeps the new certificate from being stored as "seen
before". This obviously doesn't solve anything and the user is
still in charge of closing the window to the bogus website herself.
You'll have to file a bug report with Mozilla if you'd like to see
this kind of behaviour from CertPatrol.

Rated 5 out of 5 stars

I like it, but one suggestion would be to make the dropdown notifications specific to the tab they were generated from - using something like gBrowser.getNotificationBox(gBrowser.getBrowserForDocument(aDocument)); -- It's a little annoying getting the notifications when I open a bunch of new tabs (when I'm not looking at those tabs yet)

This review is for a previous version of the add-on (1.8.1).  This user has a previous review of this add-on.

Thank you. I think I tried several snippets of code like that and they failed to work but I'll try again.

Rated 4 out of 5 stars

This is an extension worth installing: it recognizes when the ssl/tls certificate of a site has changed, and will give warnings if this change looks suspicious.

From reading the source code, there are no surprises. It compares hashes from ssl/tls certs to hashes it has seen in the past. This means it will keep a list of https sites you have visited (including those visited while in private browsing mode), but this will stay on your computer and not be sent elsewhere.

The code quality is acceptable, but not excellent. For example, the code does not use braces around one-line if-statements, uses inconsistent indentation and one if...elseif really looks like it needs a final else statement.

The main logic for detecting if a certificate change is classed as "suspicious" is not commented and is difficult to follow. For example, time limits are coded in (billions of) milliseconds instead of human-readable days, and no explanation is given to the choice of these values or how they relate to real-world problems they want to warn about.

That said, I would still recommend installing as it does provide warning about many possible ssl/tls attacks.

This review is for a previous version of the add-on (1.8.1). 

The "inconsistent" indentation is meant to be KNF, the BSD Kernel Normal Form, with different indentation levels for code blocks and line continuations. The source however has seen several authors and isn't all consistent. Fixing that now. The main logic is commented in the upcoming version 1.8.3. Thanks for the recommendation. :-)

Rated 4 out of 5 stars

A good add-on... BUT... sites providing multiple certificates for the same domain give false positives. Many of these false positives could be avoided if old (but unexpired) certificates were remembered after new certificates were accepted -- there is no harm switching between certificates that have already been accepted.

This review is for a previous version of the add-on (1.4). 
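
Added example, not Certificate Patrol's code: the fingerprint comparison described in the reviews above, keeping every accepted, unexpired certificate per host so that switching back to one raises no warning, with the early-change limit written in days. The 90-day limit, the verdict names and the sample host, issuers and fingerprints are assumptions.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;
const EARLY_DAYS = 90; // assumed limit: replacing a cert with more validity left than this is "early"

class CertStore {
  constructor() {
    this.hosts = new Map(); // host -> Map(fingerprint -> { issuer, notAfter })
  }

  // Remember an accepted certificate without discarding earlier ones.
  accept(host, cert) {
    if (!this.hosts.has(host)) this.hosts.set(host, new Map());
    this.hosts.get(host).set(cert.fingerprint, { issuer: cert.issuer, notAfter: cert.notAfter });
  }

  // Classify the certificate presented by `host` at time `now` (a Date).
  check(host, cert, now) {
    const known = this.hosts.get(host);
    if (!known) return { verdict: "first-visit", reasons: [] };
    for (const [fp, c] of known) {
      if (c.notAfter <= now) known.delete(fp); // expired entries no longer vouch for anything
    }
    if (known.has(cert.fingerprint)) return { verdict: "seen-before", reasons: [] };

    const live = [...known.values()];
    const reasons = [];
    const daysLeft = Math.max(0, ...live.map(c => Math.floor((c.notAfter - now) / DAY_MS)));
    if (daysLeft > EARLY_DAYS) reasons.push("early-change:" + daysLeft + "-days-left");
    if (live.length > 0 && !live.some(c => c.issuer === cert.issuer)) reasons.push("issuer-changed");
    // Both signals together are treated as suspicious; one alone is only a notice.
    const verdict = reasons.length === 2 ? "suspicious"
      : reasons.length === 1 ? "notice" : "expected-renewal";
    return { verdict, reasons };
  }
}

// Constructed sample data: host, fingerprints and issuer names are placeholders.
function demo() {
  const now = new Date("2011-01-20T00:00:00Z");
  const store = new CertStore();
  const a = { fingerprint: "aa:01", issuer: "Example CA 1", notAfter: new Date("2012-01-20T00:00:00Z") };
  const b = { fingerprint: "bb:02", issuer: "Example CA 1", notAfter: new Date("2011-12-01T00:00:00Z") };
  const c = { fingerprint: "cc:03", issuer: "Example CA 2", notAfter: new Date("2013-01-01T00:00:00Z") };
  const results = [store.check("docs.example", a, now).verdict]; // nothing stored yet
  store.accept("docs.example", a);
  results.push(store.check("docs.example", b, now).verdict); // same issuer, old cert far from expiry
  store.accept("docs.example", b);
  results.push(store.check("docs.example", a, now).verdict); // server swapped back to the first cert
  results.push(store.check("docs.example", c, now).verdict); // different issuer, old certs far from expiry
  return results;
}
```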

Rated 5 out of 5 stars

Essential. Would be nice to have some synchronization to detect certificate changes across networks (maybe via saving data to bookmarks like NoScript does).

If Google or anybody changes its certificate every several days, that's Google's problem and security risk for others. This addon does nothing wrong here. If you want an option to disable it for certain sites, consider using MitM Me instead.

This review is for a previous version of the add-on (1.4). 

Cries wolf with Google. Rated 5 out of 5 stars

An essential add-on, but it makes using SSL for Google Search very awkward, because this add-on issues a warning every time an "early" change of Google certificate takes place. One solution would be an option to suppress a warning about an early change if the CA has not changed.

This review is for a previous version of the add-on (1.4). 

Rated 5 out of 5 stars

Great extension. Does exactly what it says.

I hope this extension will continue to be maintained. Works fine up through at least 4.0b8, the compatibility should really be updated to reflect this.

This review is for a previous version of the add-on (1.4). 

Rated 3 out of 5 stars

A very good idea in principle, but current realization is very impractical. For example, the site https://encrypted.google.com/ changes its certificate every several days. I see no reason to patrol this site so carefully as Certificate Patrol imposes it. It is just a waste of my time. So, there should be some options concerning different sites. Thank you.

This review is for a previous version of the add-on (1.4). 

Rated 5 out of 5 stars

Excellent add-on. Has improved in the later versions to be more discreet and fixed all bugs I previously experienced. Great work!

This review is for a previous version of the add-on (1.4). 

Rated 5 out of 5 stars

Nice this new version!!!!!!!!

~bee!!!!!!!!!!

This review is for a previous version of the add-on (1.4). 

Rated 5 out of 5 stars

Excellent job. This puts my mind at ease.

This review is for a previous version of the add-on (1.4). 

Rated 5 out of 5 stars

Got a warning when logging onto the php|architect website. See http://i49.tinypic.com/11kfrmb.jpg for screenshot - note that it gives a certificate issued on April 17, 2009 as being from *28 days ago* and thus not due yet. Version is 1.2.6 on FF 3.6.3, WinXP Pro SP3, current date (July 1st, 2010) is correct both on my PC and in the response HTTP header from phparch.com.
I have no idea where the addon is getting a wrong date from.
Very good tool otherwise - I do recommend this to everybody.

This review is for a previous version of the add-on (1.2.6). 

Just ignore it

This is due to the date parsing bug in older versions of CP. Since you have been using CP so long, some of the certificates in your database have messed up date (2009-17-04 would be the 17th month of 2009, that's why it computed as last month for you). Just replace those buggy entries in your database with the new certificates and this will no longer occur. Sorry for taking a while to understand what's happening here and getting back to you.

Strange dates and text "NaN days ahead" Rated 5 out of 5 stars

I'm seeing dates in the CP 1.2.3 dialog like this:

Issued On: 203/12/2010 0:00:00 AM (35 days ago)
Expires On: 203/25/2012 23:59:59 PM (NaN days ahead)

Is this due to a bug? If not, how do I interpret that date which is supposed to be 35 days ago?

This review is for a previous version of the add-on (1.3.1). 

It's a bug

... that I fixed a month ago, but some new problems keep creeping up making the new versions (1.2.4, 1.3, 1.3.1) not 100% stable. I stepped back and uploaded a 1.2.5 which only fixes the bug in 1.2.3. It should appear soon or you can install it manually from https://addons.mozilla.org/en-US/firefox/addons/versions/6415 – At the same time I have 1.3.5 ready which should also fix the new bugs, but I can't upload it at the same time, so it may take a while until you get the "current" version of CP.

Rated 5 out of 5 stars

Hi!!!!!!!!!!!!!!
Well, yeah, I always download Certificate Patrol without waiting for the review process at AMO!!!!!!! The review process here is much too slow and also very useless!!!!!!!!!!!!!! I quickly look at the source code of addons I use, so I don't have to wait for their reviews!!!!!!!!!!!!!!!!!!!
This is the page to download all the versions, including old versions and versions pending for approval, of CP: https://addons.mozilla.org/en-US/firefox/addons/versions/6415

CP 1.3.1 has a bug!!! And I can't use it, because it doesn't work!!!!!!!!!!
Error: uncaught exception: [Exception... "Component returned failure code: 0x8000ffff (NS_ERROR_UNEXPECTED) [nsIPrefBranch.getBoolPref]" nsresult: "0x8000ffff (NS_ERROR_UNEXPECTED)" location: "JS frame :: chrome://certpatrol/content/CertPatrol.js :: anonymous :: line 424" data: no]

I think that you forgot to add the default preferences in defaults/preferences/CertPatrol.js !!!!!
Well, I reverted to CP 1.2.4!!!!!!!!!!!!!! and it works!!!!!!!!!!!

~bee!!!!!!!!!!!!!!!!!!!!!

This review is for a previous version of the add-on (1.3.1). 

Thanks for the tip!!!

Yes, you could be very right, I forgot to update defaults/preferences/CertPatrol.js – I did so in the upcoming 1.3.5 but I can't upload that yet while 1.2.5 is waiting for release. I can try to upload it as 'beta'.

Rated 4 out of 5 stars

Nice work, thanks a lot. Just curious if you'd considered crowd sourcing with this add-on? If Certificate Patrol made use of crowd sourcing and made publicly available the oldest known valid cert for any organization, so that it can be compared to the one a visitor just loaded on first visit to a site, that might be pretty useful as if the cert is already swapped that visitor who came later is not going to know.

This review is for a previous version of the add-on (1.3.1). 

Crowd decentralized

'Perspectives' does something of that sort, but it does so using preset servers at cmu.edu. What we would need is some DHT and/or P2P features built directly into Firefox so that we could do anonymous crowdsourced certificate look-ups as one out of many applications of such an infrastructure. We also thought about announcement channels where certificates are announced, but how would we filter which ones could be of interest to you without exposing your browsing habits?

Great Extension, but too many false positives for Google Docs Rated 5 out of 5 stars

This is an awesome extension, just what I was looking for. It would be nice if you could add an option to disable the warnings for new certs and only warn on changed certs, even if the preference didn't have a GUI. The new cert dialog pops up so much I dug into CertPatrol.js and commented out the openDialog for outnew... but I'll need to repeat for each update until you add it as a feature.

Update 2011-01-20: Thanks! The new version is great, except I am constantly getting false positives for Google Docs. Unfortunately, this is also a very important site that I want Cert Patrol's protection. They're obviously using multiple certificates on different servers, and as I'm swapped between servers I keep seeing updates.

So... how hard would it be to add the ability to keep multiple versions of the same certificate? Or, alternatively, to say that I trust a specific CA for google (in this case, Google has its own intermediate CA) but want to be notified if I see any others.

To give you an idea of the false positive problem, I get this several times a day, to the point that I find myself trained to ignore the warnings.

This review is for a previous version of the add-on (1.2.3). 

That bad?

Do you encounter so many new certificates all the time? I'll find a solution. It should be better than just to ignore first encountered certificates since MITM may already be happening then, but also better than to disturb the user with pop-ups if they are definitely too many.

Update: I uploaded 1.3.5beta which has options to make less intrusive notification boxes instead of pop-ups for all less threatening events. :)

Rated 5 out of 5 stars

Here's a good reason to install this extension: http://www.wired.com/threatlevel/2010/03/packet-forensics/

This review is for a previous version of the add-on (1.2). 

contacts!!!! Rated 5 out of 5 stars

Hi!!!!!!!!!!!!!!!!!!!!!!!

I'm using this addon in my project factorBEE!!!!!!!!!!!!

I would like to email you, to ask you some things (and, perhaps, to suggest features you could add to Certificate Patrol!!!!).

Well, I haven't found your email address anywhere!!!!!!!!!!!!!! my email address is written here: http://honeybeenet.altervista.org/factorbee/?id=800000 so you should email me first!!!!!!!!!!!!!!!!

~bee!!!!!!!!!!!!!!!!

This review is for a previous version of the add-on (1.0). 

just meet us..

in the PSYC chatroom ( https://psyced.org/PSYC/ or psyc://psyced.org/@welcome or xmpp:*welcome@psyced.org or irc://psyced.org/welcome ) linked from the *actual* homepage of the add-on, which is http://patrol.psyced.org

Great idea! Rated 5 out of 5 stars

Great idea, just what I was looking for!
If there was an option to switch between "admin/learning mode" (current way of working) and "user/working mode" (deny access on unknown cert), this would be absolutely PERFECT.

re: "is it really important to show certificate details the first time when I visit an https site?"
Yes, yes it is, if you actually care whether it's the real site you want or whether it's a phishing impostor, you should verify with the site owner that the certificate fingerprints are correct. Unfortunately, only a few people actually do that, as this should be done through a different (secure) channel than the browser, e.g. through a snail-mail letter or over the phone. Example: I go to https://mybank.example.com/ , I get a "new certificate" warning. I call MyExampleBank's support and check the certificate fingerprints with them. If they don't match what I'm seeing, the site is most probably a fake.

This review is for a previous version of the add-on (0.7). 

"user mode"

Hey Jan & eyv, thanks for Kudos! We only get to the certificate data "after the fact," that is - after the certificate got accepted. So should Patrol think you ran into an evil certificate it would have to do funny things in order to keep you from accessing it anyway, like closing the page for you. Is this something we would want? Maybe there are other/newer hooks that I am not aware of, though.