I find this add-on very cool because it provides a lot of information about the certificate.
Why is it not compatible with the newest Firefox? :(
This addon, while not valid for my current Firefox, is a great tool for keeping track of which sites can be trusted and which cannot based on the trustworthiness of their security. I feel everyone should take advantage of its analysis.
would be lovely
I love this addon, but unfortunately it's tagged as a legacy application which will not run with FF 57+.
I have selected the options in Calomel to accept only 128 bit PFS and stronger. However, when I attempt to connect to www.paypal.com, among other sites, I get the failure message with the note, "SSL_ERROR_NO_CYPHER_OVERLAP". If, however, I drop down to 128 bit or strong I can make my connection. Then I check the site's Calomel score and it reports 100%, notably, including PFS. I can then re-assert the 128 + PFS and stronger in the middle of my session and it will keep me connected.
I am running latest versions of FF & plugin on Fedora 24 fully updated. This behavior has persisted over some months.
Nonetheless, I am a big fan of this plugin. It has been a wonderful tool when I go talk to my bank and other sensitive businesses about their online security.
When are you gonna implement TLS 1.3?
In Firefox 52 you can already use it.
Would be nice to implement this protocol version asap.
Thanks in advance
I LOVE this plugin!
There is no matching or even similar extension for Google Chrome... :( - Do you plan to create one? PLEASE...
Like others, I'm surprised how many sites fail, juicy sites which could well be targeted.
Some however seem to be behind multiple firewalls. Perhaps they think that is adequate protection (I doubt it), and when I see a blank in the route for some essential content, I can have no certainty where it's from.
Could Calomel supply something like a standard letter to send to these companies which might grab their attention more than a note from an individual? Automate it, even.
I really like it, but it could be improved; for instance, it does not report the size of the asymmetric keys used during DHE key exchanges (1024 bits or less is known to be problematic these days and should get only 5 out of 20 and not 15) or the name of the elliptic curve used for ECDHE.
Signature should also read the hash function used and report something like "SHA-1 RSA" or "SHA-256 ECDSA"
It displays only the CN not the SANs (even if the match is actually a SAN)
It does not report OV certificates as such.
One interesting piece of information that is also missing is the length of the trust chain (shortest is 3, but it could be much longer and the site would have to provide more intermediate CA certificates).
You should make the Mozilla addons page point to https://calomel.org/firefox_ssl_validation.html for support.
And this page holds some inaccuracies:
- 3DES in EDE mode (Encode-Decode-Encode) as implemented in SSL/TLS is considered as a 112 bits cipher (not 168 bits) since only two 56 bits keys are used.
- There are 3 types of certificates: DV, OV and EV, OV —Organization Validation— https://www.ssl.com/article/dv-ov-and-ev-certificates/ and https://www.leaderssl.com/articles/236-differenza-tra-i-certificati-dv-e-ov OV bridges the gap between the virtual world and the real world since some evidence of the legal existence of an organization or business has to be provided and checked by the issuing CA.
That's also why your location is left blank: DV certificates cannot enforce this type of check since they are issued to an internet domain.
Differentiating DV from OV is quite complicated and involves checks beyond the Policy Identifier: http://unmitigatedrisk.com/?p=203
In the explanations related to Bulk Cipher, ChaCha20 is not mentioned; would it also get the highest score?
Small charities with feeble websites have top security, some rather important pages (finance + big so tasty to cybercriminals) don't.... interesting. About-addons-memory says it takes no memory up, so I'm keeping it. Very nice, thanks
This extension is great for simplifying and showing in a quick second how bad/good the SSL/TLS of a given site one is on is currently at. I don't necessarily agree with the rankings sometimes, but once you get used to what it is measuring and how the points are awarded it is very eye-opening to see what many popular sites are actually using.
Just one nit. I checked "disable animated gifs and ads" under the Annoyances tab, but it does not appear to stop them.
For example, look at
https://yahoo.com.tw, or www.atpworldtour.com.
Hope they can fix this.
Otherwise, an excellent extension.
Does exactly what it claims. Clean interface and easy to use.
Still with 0.75 the revised user agent tag still doesn't work with youtube for some reason. Same for the old blank user agent. Could not find a way to leave feedback easily on support website.
A number of sites have blank shields, and there's no way to see what's going on, there's no way to report a bug, there's no way to contact that I can see, so when it works it's great. However the 3 specific sites I wanted it for it just showed the version number.
With no way to report/feedback on this, makes the tool mostly worthless to me.
I love this add-on! It is one of the main reasons why Firefox is my main browser. However, I believe I have found a bug that I would like to report here (as per the directions on your web site). When I resume my PC after hibernating it and continue to use an open browser, the visual color indicator of the add-on sticks to whatever it was last showing before I hibernated. I can click on the shield for each site I browse to and see the correct data, but I obviously would prefer to see the color without manual intervention. I can also close and reopen the browser and the add-on functions correctly again, but I tend to keep my browsers open for a week at a time with ongoing work.
The idea for this add-on is excellent, even if the implementation leaves just that little something to be desired.
The interface is not as smooth as one might like (as, for example SSLeuth’s interface is), and the options are displayed in a way that isn’t quite as elegant as one might hope for (the huge text “Calomel”, in a fancy font, seems needless, for example).
On the plus side, the shield icon is well-drawn and the colors help you see how secure a connection is at a glance, and the drop-down display looks good (though the “marble” background is slightly distracting).
Another big plus is the extensive documentation of the add-on’s features and settings available on Calomel’s website (though who “Calomel” is, remains unclear).
All in all, an add-on worth trying for those interested in increasing the security of their web surfing.
Neat and unobtrusive, with a few extra hidden tweaks for cache usage and "annoyances".
A bit shocking when you find out how bad some sites' encryption really is.
I think the extension is great, not only does it expand the amount of info available from the browser itself.. it helps raise awareness of the quality of the encryption on sites you use.
The only thing that could be better is having some options to make the colors a bit easier to see for the colorblind. Sometimes it is hard to tell what color the shield is... perhaps some textures.. or maybe a way to remove the '3-D' effect..
Unfortunately, it seems v0.70 of the addon is not compatible with Pale Moon (based on Firefox). Not entirely sure why since the previous version (0.67) worked just fine.
It does the best it can within the framework it has.
I'd love to just see a real 'secured' browser that has compatibility with other sites but just alerts the user of lowered security due to that website's settings.
Also the internet is far overdue in the need to kill RC4 and 3DES ciphers. There is no excuse, not anymore. AES 128 is fine and works well with far less hardware costs.
Icon bigger than usual when using 120 dpi screen, Windows 7.
As "Heartbleed" demonstrated, knowing if a site supports Perfect Forward Security, alone, is a major help; at the moment no other plugin gives such exact data (though some websites do, site-by-site entered), but Calomel SSL Validation plugin tells us that for EVERY site/page on the fly! And the option in "privacy" tab does appear to make the OS unknown to most sites...this too is security, as some malware/ransomware (especially the silent sneaky ones) read OS via browsers and start running codes for attacking that type of OS...if they can tell what it is.
Unfortunately I have to give the extension one star - the only thing it is good for is notifying about HTTPS mixed content.
Detection of cipher suites misses some supported by Firefox (most common being 3DES). The use of weak signature hash algorithm (SHA-1) is not penalized, as well as relatively weak RSA keys (2048 bit) that provide just 112 bit security.
In the end, a connection that provides around 61 bit effective security (or 80bit if you wear rose-tinted glasses) will still get a green shield (most secure evaluation).
I tried contacting the developer about those issues, but I haven't heard back for over 2 weeks, so I don't think I'll receive any reply.
So close to perfect. This extension works well, but needs an option to change security levels.
Ideally you could set your security level to the maximum, and if access of a page is impossible you click the Calomel shield icon, it changes appearance (to reflect the lowered security level), and the page is reloaded with, say, a medium security level. Then if that doesn't work, you can click on the shield button and turn security all the way down (and the icon changes to show this again). And, of course, the change should only apply to the current page.
As things are, you can click to change security levels, but there doesn't seem to be any obvious way to, at a glance, tell what the settings are at the moment.