This extension (version 1.1 - latest as of 2014-04-18) has a number of problems and I don't suggest you use it unless you are a researcher and you really know what you're doing. Several months ago I made some fixes to get it running on later versions of Firefox and did a brief audit:
Although my dev release is usable now, the collected data is still sometimes inaccurate. Unfortunately I just don't have the time to repair even the most serious problems. I e-mailed the author several months ago but didn't receive a reply.
- I visit a site A with a certificate signed by CA1. I approve the certificate chain.
- I visit a site B with a certificate signed by CA2. I approve the certificate chain.
- If I visit the site A again, and its certification chain has changed and uses CA2, will I get a warning?
In other words: CertWatch shows me certificates I have not yet approved, but will it inform me of changes in certificate chains for a particular website?
[ Sébastien asked this question at the CertWatch blog and I replied there, http://certwatch.simos.info/2010/08/10/certwatch-1-0-is-out/#comment-2 I copy the answer here for completeness. For further feedback, please use the blog URL. ]
@sebsauvage: CertWatch is made of two components; the collection/storage of certificate data for the secure websites you visit, and the reporting to the user (based on the historic data) whether a secure connection needs attention.
The collection/storage of certificate data is quite complete; I cannot think of any data that is not stored in the SQLite database.
For the part of the reporting, this is where CertWatch will be growing in the following months. What I expect is to have cases like the one you describe above and create code that checks for this type of issue.
At the moment, a user would need to manually figure this one out. Suppose that the GMail certificate chain changes from the Verisign root certificate to certification authority CA_rogue (and CA_rogue is actually used by other certificate chains so you do not get a strange “first time with this root certificate” message). In this case, the website certificate would have to be different in order to match CA_rogue. Therefore, when you connect once more to GMail and see some new GMail website certificate, you can check the certificate chain to verify whether it is still GMail » Thawte » Verisign (that’s the current certificate chain) or the root certificate changed.
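Added example (editor's illustration, not CertWatch code and not from the author of the reply above): the manual check described in the reply, replayed over a small history store so that the three visits from the question produce findings automatically. The `chains` table, the function names and the CA names are assumptions; the sample keys chains on subject names for readability, where a real tool would key on certificate fingerprints taken from its SQLite store.

```python
import sqlite3


def open_store() -> sqlite3.Connection:
    """In-memory stand-in for a per-profile store of observed certificate chains."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE chains ("
        "  host  TEXT NOT NULL,"   # site the chain was served for
        "  root  TEXT NOT NULL,"   # root of the chain as presented
        "  chain TEXT NOT NULL,"   # leaf » ... » root, joined for comparison
        "  UNIQUE(host, chain))"
    )
    return db


def check_and_record(db, host, chain):
    """Compare one observed chain against history and return the findings.

    chain: tuple of subject names from leaf to root (constructed sample data;
    a real tool would use certificate fingerprints instead of names).
    Findings, in order of severity:
      'new-root'     - a root never seen before, for any site
      'root-changed' - this host previously chained to a different root,
                       even though that root is already known from other sites
      'new-chain'    - this exact chain is new for this host (and is recorded)
    """
    root = chain[-1]
    chain_str = " » ".join(chain)
    findings = []

    known_roots = {r for (r,) in db.execute("SELECT DISTINCT root FROM chains")}
    host_roots = {r for (r,) in db.execute(
        "SELECT DISTINCT root FROM chains WHERE host = ?", (host,))}

    if root not in known_roots:
        findings.append("new-root")
    if host_roots and root not in host_roots:
        findings.append("root-changed")

    already_seen = db.execute(
        "SELECT 1 FROM chains WHERE host = ? AND chain = ?",
        (host, chain_str)).fetchone()
    if already_seen is None:
        findings.append("new-chain")
        db.execute("INSERT INTO chains (host, root, chain) VALUES (?, ?, ?)",
                   (host, root, chain_str))
        db.commit()
    return findings


def replay_scenario():
    """The three visits from the question: A via CA1, B via CA2, then A via CA2."""
    db = open_store()
    visits = [  # constructed sample hosts and CA names
        ("site-a.example", ("site-a.example", "CA1 Intermediate", "CA1 Root")),
        ("site-b.example", ("site-b.example", "CA2 Intermediate", "CA2 Root")),
        ("site-a.example", ("site-a.example", "CA2 Intermediate", "CA2 Root")),
    ]
    return [check_and_record(db, host, chain) for host, chain in visits]


if __name__ == "__main__":
    for result in replay_scenario():
        print(result)
```

The third visit is the case the reply says a user must currently spot by hand: CA2 is already a known root (it was approved for site B), so a "first time with this root" check stays silent, and only the per-host comparison produces `root-changed`.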