Good idea but... Rated 3 out of 5 stars

Good add-on, I have used it for some time now and it has been useful. Though Certificate Patrol seems to be lacking support most recently. Could improve as all things. Provides good information about certificates.

Popups now stealing focus in windows... very annoying.

Some additional functionality would be helpful.

Edit (for teh lulz): go figure... exactly one year from the previous post.

Good idea but limited usefulness Rated 3 out of 5 stars

At first I thought this is great, but now I have been made aware because of this addon that sites like google, twitter and amazon seem to change certificates at a rapid rate. I don't know why these companies have unusual certificate policies but it makes the purpose of this addon void; it becomes only useful for non-mainstream sites that are not changing their certificate every 5 minutes.

So really it needs a whitelist function for twitter and co, then it may be a must use addon. As it stands I may turn it off due to all the prompts.

smarter comment on prematurely issued new certificates now with SHA2 or SHA256 signatures Rated 3 out of 5 stars

Since SHA1 signatures are deprecated, a lot of certificates are re-issued prematurely by the CAs signed with SHA2 or SHA256. (e.g. ssllabs asks for this).
If the issuing organization is the same, and this change is visible, do not label the change yellow, but green!


P.S.: BTW, do you have an issue-tracker?

Possibly downgrades TLS? Rated 2 out of 5 stars

I used this addon for several years and recently disabled it. I believe it was interfering with TLS in some way. Recently, if I tried to connect to, I received an error "The server rejected the handshake because the client downgraded to a lower TLS version than the server supports". With the same version of Firefox in a VM that didn't have Certificate Patrol I was able to connect without the error. After disabling Certificate Patrol I could connect to Google fine.

The error appears to be a security step on Google's part to prevent POODLE attacks - if the client (browser) tries to negotiate a connection with a POODLE-vulnerable version of TLS, the server (Google) refuses. It's not clear why Certificate Patrol would cause problems there, but the issue went away when I disabled CP. The implication is that CP is in some way negotiating a lower version of TLS, which if true would ironically reduce SSL security.

unusable now Rated 1 out of 5 stars

That's it, Google has killed this extension now.

I've made an attempt to use it for the last couple of years (because something like this is really needed to be able to trust https), and it was almost OK initially, but these days it's unusable, mostly due to Google. Looks like they use hundreds (thousands?) of certificates, with their own CAs, so even checking the CA-only box doesn't help much. And now they're generating certificates valid for only 90 days. And with their ad network you get their warnings not only on Google's own sites, but *everywhere* (including here,

No updates for 3 years, when the landscape is changing this quickly, is inexcusable. This extension is dead.

This user has 2 older reviews of this add-on.

Rated 3 out of 5 stars

This is nice, sure. But in the current form, unfortunately also greatly annoying. Generally there are just too many sites that change certificates like people change clothes, and just too few sites that need the special attention that this addon provides.

My proposal is to only check certificates that:

a) come from sites that are on a force-check-list (the opposite of the current ignore-list)
b) are signed by root certificates that are not in the trust-store
c) are self-signed

Rated 2 out of 5 stars

Way too many warnings. I mostly get notified about cert changes that the add-on says are "harmless" - why is there no option to turn them off?

Rated 4 out of 5 stars

Great security extension. Sadly with Firefox 31 and the new key verifier changes it stopped working.

Rated 4 out of 5 stars

Great extension. Much more useful than just green indicator in the address bar or other extensions which track just the main page without third-party content.

But it's still hard to validate certificate which Patrol is suspicious about.
It would be a great feature to add on-demand (button?) validation via "" or Perspectives notaries in the "certificate changed" dialog.

Great job, but needs upgrades Rated 4 out of 5 stars

Great job, but the add-on needs more features to not be annoying to the user. Spamming the user with messages defeats the main purpose of the add-on, because after a while one stops paying attention to them. It becomes similar to banner blindness.

There are a few things that should be added ASAP.
1. Configuration option to check embedded content certificates only if the website itself is using HTTPS. It's not really important if an image comes from a trusted source if the whole website in which it is embedded is served via plain HTTP. Also the user will not spend time on verifying the certificate of some image hotlinked on a forum from random hosting, but just accept the certificate to get rid of an annoying message. This is worse than not being notified at all.
2. Ability to not store each domain covered by a wildcard certificate in the database. Instead only one entry for such a certificate should be stored. The reason is that some providers (for example Google) use randomly-generated subdomain names, which pollute the database quite fast.

Rejected certificates should stay rejected Rated 3 out of 5 stars

When I see a suspect certificate change I reject the new certificate but it just comes back again. If I reject a changed certificate the new certificate should stay rejected.

I generally always reject a certificate change if the new certificate has an older start/end date than the old certificate or if both the authority and domain change at the same time.

5/5 Thanks !!!! Rated 5 out of 5 stars

I will give it 5/5 !!!! Great tool for advanced users, thanks a lot !!!
Did not have the time to review the code, hope the addon is clean :)

May I suggest you add a feature to colorize the notification on new CA or non Root CA

Rated 3 out of 5 stars

Needs updating and needs to be smarter (I have to keep clicking to accept even when using the host option - Google uses a million certificates apparently). But useful. Four stars if it had been kept up to date.

Rated 5 out of 5 stars

Great, props to dev

Useless Rated 2 out of 5 stars

It only displays alerts for HTTPS connections - in which world is this a useful Thunderbird extension? Maybe for people who use it as an RSS reader, hence 2 stars.

Rated 5 out of 5 stars

Security on the web is impossible, but the attempt here is awareness and education. For those that don't care, nothing will help them. Others however, value information, especially when it can save them from massive headache like identity theft, or getting their bank account cleaned out from being careless online.

This add-on is not hard to use, and the popups, while a nuisance, can be tolerated. If taking a moment to scrutinize a new certificate, or one that has changed for no reason is too much hassle for you, then skip it. Good luck to you.

If however, you realize just how broken the concept of "trust" on the internet is, you will find this add-on a useful tool in gaining a little of that most elusive and valuable commodity, knowledge.

Trust nothing on the internet, not your ISP, especially not your government, nothing. Question everything. Good luck to you, as well.

Rated 4 out of 5 stars

Mostly good. The "CA Only" checkbox on the popup isn't working for me.

Having only a webchat for submitting problems borders on FAIL.

Almost There.. Just not yet Rated 3 out of 5 stars

Certificate Patrol fills a gap in browser security, but does so at the cost of frightening popups that are far beyond most users. After recommending Certificate Patrol as part of a security overhaul, 0 out of 8 users are still using the software after 1 week. This is entirely due to the type and number of alerts for popular websites such as Twitter.

Adopting a strategy such as SSLEverywhere's observatory to verify certificates or just including IDs with the extension to verify like Chrome would go a long way to improving usability. As it stands, I would love to recommend or use the plugin, but it just isn't there yet.

Needs a confirmation API Rated 3 out of 5 stars

CertPatrol is constantly popping up dialogs all over the place for me for almost expired certificates and CA changes for popular websites (Google, Amazon, etc). Maybe my Internet connection is being monitored or maybe not? I can't tell. What CertPatrol needs is a confirmation API similar to "is it me or is it down", but a package that can be installed on a trusted host. I own a dedicated server that is secure and isolated on a completely different network (it would be nothing short of impressive if the trust of both networks were violated at the same time). Pointing CertPatrol at a secure URL on my web server that exposes an API that goes and talks to the same domain my local machine is attempting to talk to would allow CertPatrol to ignore most of the dialogs that are currently popping up in my face. Only if there is a serious issue (e.g. two different root certs for the same domain from trusted server vs. local machine) would I or CertPatrol need to worry. Also, CertPatrol could be configured to only trust the response from the API if I choose to use my own homegrown CA (e.g. custom CA on a subdomain specifically for the API but not install the CA cert into my trusted root store - just a CA for CertPatrol to use to verify that the API interface hasn't been compromised). For every certificate presented to the browser, CertPatrol contacts the trusted server and makes sure that the same certificate is being presented to the trusted server. If so, and if the API hasn't been compromised, CertPatrol ignores the differences. For the super paranoid (as if my own paranoia isn't excessive already), CertPatrol could be configured with several trusted API endpoints. Each endpoint simply adds to the assurance level that the presented certificate and path to the CA in the trusted root store can be trusted (i.e. hasn't changed unexpectedly or the rest of the Internet sees the same thing). In summary, fewer dialogs = better!


I totally agree with you, the notifications are getting excessive and I really like your idea for an alternative design to detect suspicious certificate inconsistencies. Thanks for the great feedback!
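
The cross-check proposed in the review above, sketched as an added example; it is not code from Certificate Patrol, its developer or the reviewer. The function names, verdict labels, endpoint names and the byte strings standing in for DER certificates are all assumptions made for illustration.

```python
import hashlib

def fp(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def triage(local_chain, vantage_chains, min_views=1):
    """Compare the chain the browser received with the chains that trusted
    endpoints on other networks received for the same host.

    local_chain:    [leaf, ..., root] as DER bytes, as seen locally.
    vantage_chains: {endpoint name: chain, or None if it did not answer}.
    Returns (verdict, detail); verdict labels are hypothetical.
    """
    views = {name: chain for name, chain in vantage_chains.items() if chain}
    if len(views) < min_views:
        # No independent view: fall back to asking the user.
        return "ask-user", "not enough vantage points answered"

    local_leaf, local_root = fp(local_chain[0]), fp(local_chain[-1])

    # The review's "serious issue": the local machine and a trusted
    # endpoint are shown different roots for the same domain.
    bad_root = sorted(n for n, c in views.items() if fp(c[-1]) != local_root)
    if bad_root:
        return "alert", "different root seen by: " + ", ".join(bad_root)

    # Same root, different leaf: large sites serve several leaf
    # certificates at once, so record it without a blocking dialog.
    bad_leaf = sorted(n for n, c in views.items() if fp(c[0]) != local_leaf)
    if bad_leaf:
        return "note", "same root, different leaf seen by: " + ", ".join(bad_leaf)

    return "suppress", "all vantage points see the same chain"

# Constructed stand-ins for DER certificates (not real certificates).
ROOT_A, ROOT_B = b"constructed-root-A", b"constructed-root-B"
LEAF_1, LEAF_2 = b"constructed-leaf-1", b"constructed-leaf-2"

if __name__ == "__main__":
    seen_remotely = {"vps": [LEAF_1, ROOT_A], "home": [LEAF_1, ROOT_A]}
    for chain in ([LEAF_1, ROOT_A], [LEAF_2, ROOT_A], [LEAF_2, ROOT_B]):
        print(triage(chain, seen_remotely))
```

Raising `min_views` corresponds to the review's "several trusted API endpoints" option: a dialog is suppressed only when that many independent endpoints answered.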

Rated 5 out of 5 stars

Great tool, 5 stars for this.

But I would love to see one more feature: Like you remember the certificate of the server, can you also remember the TLS version that is used by each server and issue a warning when a lower TLS version is used in the future? Looks like a logical extension and very helpful against downgrade attacks.