Very usefull, but sadly not comaptible with e10s. At least for me, I don't get the popups :(
For all the negative reviews about sites that change their certificates too often or use multiple certificates: the app has an option to check just the Certificate Authority (CA) that issued the certificates to make sure it hasn't changed. You just have to check the box on the warning popup so it can't get much easier. For sites that use multiple certificates from different CAs there is the "nuclear" option of ignoring a host completely. I wish websites were consistent and used the same certificate on all servers for all subdomains. That being said, it would be REALLY nice if the app allowed the approval of multiple certificates for a domain.
As others have noted there are a lot of warning popups because many sites are prematurely updating their certificates because SHA-1 has been deprecated (superseded and discouraged since it is no longer considered safe) and the SHA-2, variant SHA-256, is the new minimum. (I wish the new minimum was SHA-3 so we won’t have to repeat this later when SHA-2 is deprecated.) Since Firefox, Chrome, Microsoft, and others have generally set the deadline for 2016 most websites should have upgraded by now and the popups will be greatly reduced.
As I said earlier, the most helpful feature to add would be to store multiple certificates for a domain. Most importantly it needs to be updated to be e10 compatible for multiprocess or it will no longer be compatible with newer versions of Firefox.
Good add-on, i have used it for sometime now and it has been useful. Though Certificate Patrol seems to be lacking support most recently. Could improve as all things. Provides good informations about certificates.
Popups now stealing focus in windows... very annoying.
some additional functionality would be helpful.
Edit (for teh lulz): go figure... exactly one year from the previous post.
At first I thought this is great, but now I have been made aware because of this addon that sites like google, twitter and amazon seem to change certificates at a rapid rate, I dont know why these companies have unusual certificate policies but it makes the purpose of this addon void, it becomes only useful for non mainstream sites that are not changing their certificate every 5 minutes.
So really it needs a whitelist function for twitter and co, then it may be a must use addon. As it stands I may turn it off due to all the prompts.
Since SHA1 signatures are deprecated, a lot of certificates are re-issued pre-maturely by the CAs signed with SHA2 or SHA256. (e.g. ssllabs asks for this).
If the issuing organization is the same, and this change is visible, do not label the change yellow, but green!
P.S.: BTW, do you have an issue-tracker?
I used this addon for several years and recently disabled it. I believe it was interfering with TLS in some way. Recently, if I tried to connect to https://www.google.com, I received an error "The server rejected the handshake because the client downgraded to a lower TLS version than the server supports". With the same version of Firefox in a VM that didn't have Certificate Patrol I was able to connect without the error. After disabling Certificate Patrol I could connect to Google fine.
The error appears to be a security step on Google's part to prevent POODLE attacks - if the client (browser) tries to negotiate a connection with a POODLE-vulnerable version of TLS, the server (Google) refuses. It's not clear why Certificate Patrol would cause problems there, but the issue went away when I disabled CP. The implication is that CP is in some way negotiating a lower version of TLS, which if true would ironically reduce SSL security.
That's it, Google has killed this extension now.
I've made an attempt to use it for the last couple of years (because something like this is really needed to be able to trust https), and it was almost OK initially, but these days it's unusable, mostly due to Google. Looks like they use hundreds (thousands?) of certificates, with their own CAs, so even checking the CA-only box doesn't help much. And now they're generating certificates valid for only 90 days. And with their ad network you get their warnings not only on Google's own sites, but *everywhere* (including here, addons.mozilla.org).
No updates for 3 years, when the landscape is changing this quickly, is inexcusable. This extension is dead.
This is nice, sure. But in the current form, unfortunatley also greatly annoying. Generally there are just too many sites that change certificates like people change clothes, and just too few sites that need the special attention that this addon provides.
My proposal is to only check certificates that:
a) come from sites that are on a force-check-list (the opposite of the current ignore-list)
b) are signed by root certificates that are not in the trust-store
c) are self-signed
Way too many warnings. I mostly get notified about cert changes that the add-on says are "harmless" - why is there no option to turn them off?
Great security extension. Sadly with Firefox 31 and the new key verifier changes it stopped working.
Great extension. Much more useful than just green indicator in the address bar or other extensions which track just the main page without third-party content.
But it's still hard to validate certificate which Patrol is suspicious about.
It would be a great feature to add on-demand (button?) validation via "https://www.grc.com/fingerprints.htm" or Perspectives notaries in the "certificate changed" dialog.
Great job, but the add-on needs more features to not be annoying to the user. Spamming the user with messages defeats the main purpose of the add-on, because after a while one stops paying attention to them. It becomes similar to banner blindness.
There are few things that should be added ASAP.
1. Configuration option to check embedded content certificates only if the webste itself is using HTTPS. It's not really important if an image comes from trusted source if whole website in which it is embedded is served via plain HTTP. Also the user will not spend time on verifying certificate of some image hotlinked on a forum from random hosting, but just accept the certificate to get rid of an annoying message. This is worse than not being notified at all.
2. Ability to not store each domain covered by wildcard certificate in the database. Instead only one entry for such certificate should be stored. The reason is that some providers (for example Google) uses randomly-generated subdomain names, which pollute the database quite fast.
When I see a suspect certificate change I reject the new certificate but it just comes back again. If I reject a changed certificate the new certificate should stay rejected.
I generally always reject a certificate change if the new certificate has an older start/end date than the old certificate or if both the authority and domain change at the same time.
i will give it 5/5 !!!! great tool for advanced users thanks a lot !!!
did not had the time to review the code hope the addon is clean :)
May i suggest you to add a feature to colorize the notification on new CA or non Root CA
Needs updating and needs to be smarter (I have to keep clicking to accept even when using the host option - Google uses a million certificates apparently). But useful. Four stars if it had been kept up to date.
Great , props to dev
It only displays alerts for HTTPS connections - in which world is this an useful Thunderbird extension? Maybe for people who use it as an RSS reader, hence 2 stars.
Security on the web is impossible, but the attempt here is awareness and education. For those that don't care, nothing will help them. Others however, value information, especially when it can save them from massive headache like identity theft, or getting their bank account cleaned out from being careless online.
This add-on is not hard to use, and the popups, while a nuisance, can be tolerated. If taking a moment to scrutinize a new certificate, or one that has changed for no reason is too much hassle for you, then skip it. Good luck to you.
If however, you realize just how broken the concept of "trust" on the internet is, you will find this add-on a useful tool in gaining a little of that most elusive and valuable commodity, knowledge.
Trust nothing on the internet, not your ISP, especially not your government, nothing. Question everything. Good luck to you, as well.
Mostly good. The "CA Only" checkbox on the popup isn't working for me.
Having only a webchat for submitting problems borders on FAIL.
Certificate Patrol fills a gap in browser security, but does so at the cost of frightening popups that are far beyond most users. After recommending Certificate Patrol as part of a security overhaul, 0 out of 8 users are still using the software after 1 week. This is entirely due to the number of type and number of alerts for popular websites such as Twitter.
Adopting a strategy such as SSLEverywhere's observatory to verify certificates or just including IDs with the extension to verify like Chrome would go a long way to improving usability. As it stands, I would love to recommend or use the plugin, but it just isn't there yet.
CertPatrol is constantly popping up dialogs all over the place for me for almost expired certificates and CA changes for popular websites (Google, Amazon, etc). Maybe my Internet connection is being monitored or maybe not? I can't tell. What CertPatrol needs is a confirmation API similar to "is it me or is it down", but a package that can be installed on a trusted host. I own a dedicated server that is secure and isolated on a completely different network (it would be nothing short of impressive if the trust of both networks were violated at the same time). Pointing CertPatrol at a secure URL on my web server that exposes an API that goes and talks to the same domain my local machine is attempting to talk to would allow CertPatrol to ignore most of the dialogs that are currently popping up in my face. Only if there is a serious issue (e.g. two different root certs for the same domain from trusted server vs. local machine) would I or CertPatrol need to worry. Also, CertPatrol could be configured to only trust the response from the API if I choose to use my own homegrown CA (e.g. custom CA on a subdomain specifically for the API but not install the CA cert into my trusted root store - just a CA for CertPatrol to use to verify that the API interface hasn't been compromised). For every certificate presented to the browser, CertPatrol contacts the trusted server and makes sure that the same certificate is being presented to the trusted server. If so, and if the API hasn't been compromised, CertPatrol ignores the differences. For the super paranoid (as if my own paranoia isn't excessive already), CertPatrol could be configured with several trusted API endpoints. Each endpoint simply adds to the assurance level that the presented certificate and path to the CA in the trusted root store can be trusted (i.e. hasn't changed unexpectedly or the rest of the Internet sees the same thing). In summary, fewer dialogs = better!
I totally agree with you, the notifications are getting excessive and I really like your idea for an alternative design to detect suspicious certificate inconsistencies. Thanks for the great feedback!
great tool, 5 Stars for this.
But I would love to see one more feature: Like you remember the certificate of the server, can you also remember the TLS version that is used by each server and issue a warning when a lower TLS version is used in the future? Looks like a logical extension and very helpful agains downgrade attacks.
The issue with domains using changing certificates (e.g. www.google.com) has been fixed by allowing to either configure a check of site's certification authority's certificate (if it doesn't change) instead of the site's own, or by configuring the domain to be ignored (if the CA also change, as in some rare cases).
Improvement suggestion: A list of possible certs could be implemented per domain (instead of currently only one cert per domain). It would be useful for sites with changing certs – especially the ones also changing the CA – because the number of certs they use is still very limited. So that one then would not have to set the domain to be ignored, but would instead know that its cert is one of the list of the ones used by the domain. (This is an issue of those domains like google.com. Or maybe their desired behavior, to limit the worldwide damage in case a cert or its CA gets compromised.)
Note to Thunderbird: Unlike with Firefox, this add-on is not needed with TB. See http://forums.mozillazine.org/viewtopic.php?f=39&t=2687657 for information on how certificate pinning can be configured with Thunderbird itself.
Note to version 2.0.14: Since Firefox 19 (or so), the extension name is not shown under “Add-Ons”. “null 2.0.14” is shown instead. But the extension works as advertised nevertheless.
Update: Another suggestion: It would be great if it could also "pin" the certs of the update servers used by Firefox to search for new versions and update itself and its extensions.
It's a great idea, but for server farms like Google's, where there aren't any consistent certificates, it's simply going to numb you to the idea that certs are always changing.
Until the authors are willing to fix this—we've been complaining about it for years—it's worse than useless.
I also noticed the very frequent changes of Google certificates. Is this a sort of cookie like information gathering by google ? Can google detect when I click OK or Reject ?