Don't use until issues are fixed Rated 2 out of 5 stars
This extension (version 1.1 - latest as of 2014-04-18) has a number of problems and I don't suggest you use it unless you are a researcher and you really know what you're doing. Several months ago I made some fixes to get it running on later versions of Firefox and did a brief audit:
Although my dev release is usable now the collected data is still sometimes inaccurate. Unfortunately I just don't have the time to repair even the most serious problems. I e-mailed the author several months ago but didn't receive a reply.
Rated 2 out of 5 stars
very good idea but not working on firefox 24 :((((
thanks any way
plus french translation is so so
Look good. Rated 4 out of 5 stars
I have a question:
- I visit a site A with a certificate signed by CA1. I approve the certificate chain.
- I visit a site B with a certificate signed by CA2. I approve the certificate chain.
- If I visit the site A again, and that its certification chain has changed and uses CA2, will I get a warning ?
In other words: CertWatch show me certificates I have not yet approved, but will it inform me of changes in certificate chains for a particular website ?
Re: detecting a certficate chain change
[ Sébastien asked this question at the CertWatch blog and I replied there, http://certwatch.simos.info/2010/08/10/certwatch-1-0-is-out/#comment-2 I copy the answer here for completeness. For further feedback, please use the blog URL. ]
@sebsauvage: CertWatch is made of two components; the collection /storage of certificate data for the secure websites you visit, and the reporting to the user (based on the historic data) whether a secure connection needs attention.
The collection/storage of certificate data is quite complete; I cannot think of any data that is not stored in the SQLite database.
For the part of the reporting, this is where CertWatch will be growing in the following months. What I expect is to have cases like the one you describe above and create code that checks for this type of issue.
At the moment, a user would need to manually figure this one out. Suppose that the GMail certificate chain changes from the Verisign root certificate to certification authority CA_rogue (and CA_rogue is actually used by other certificate chains so you do not get a strange “first time with this root certificate” message). In this case, the website certificate would have to be different in order to match CA_rogue. Therefore, when you connect once more to GMail and see some new GMail website certificate, you can check the certificate chain to verify whether it is still GMail » Thawte » Verisign (that’s the current certificate chain) or the root certificate changed.
Rated 4 out of 5 stars
Excellent idea! I removed or disabled many of the certs from my system long ago that I expected I'd never want rely on, e.g. for small countries I didn't trust.
With this add-on, I should be able to identify the handful of certs I rely on and disable the rest. Bravo! Only...
WHERE IS THE SOURCE? It was released under the MPL, so where's the source? Not on a mozilla or simos.info site, AFAICT! I guess it's new and hope this will be addressed shortly. -1 star; I intend to post a 5 -star review if this is addressed.
Source code availability
Thanks for the comments.
1. Download the XPI file (right-click on the Install link).
2. Rename file from *.xpi to *.zip
3. Open with any ZIP archiver.
You can also find the source code in your Firefox profile directory, in the 'extensions' subdirectory. Every extension's source code is available there, either unzipped or as a 'jar file (.jar or .xpi are both ZIP file, so you rename to .zip and you can open with any archiver).
I maintain the source code in a 'git' repository; I have been planning to release the repository, though I am not sure if it will be useful.