Rated 4 out of 5 stars

Great extension. Much more useful than just a green indicator in the address bar or other extensions which track just the main page without third-party content.

But it's still hard to validate a certificate which Patrol is suspicious about.
It would be a great feature to add on-demand (button?) validation via "https://www.grc.com/fingerprints.htm" or Perspectives notaries in the "certificate changed" dialog.

Rated 4 out of 5 stars

The Heartbleed bug has exposed both the importance and inadequacies of Certificate Patrol. Need to deal better with the torrent of changing certificates (like silently accepting when the only change is the issue/expiration dates moving forward). Also would be great to flag a certificate issued after Heartbleed disclosure being replaced by one issued prior to that as a Very High Risk event, as that's the only way to catch an attack using stolen server keys.

This user has a previous review of this add-on.

Great job, but needs upgrades Rated 4 out of 5 stars

Great job, but the add-on needs more features to not be annoying to the user. Spamming the user with messages defeats the main purpose of the add-on, because after a while one stops paying attention to them. It becomes similar to banner blindness.

There are a few things that should be added ASAP.
1. Configuration option to check embedded content certificates only if the website itself is using HTTPS. It's not really important if an image comes from a trusted source if the whole website in which it is embedded is served via plain HTTP. Also the user will not spend time on verifying the certificate of some image hotlinked on a forum from random hosting, but just accept the certificate to get rid of an annoying message. This is worse than not being notified at all.
2. Ability to not store each domain covered by a wildcard certificate in the database. Instead only one entry for such a certificate should be stored. The reason is that some providers (for example Google) use randomly-generated subdomain names, which pollute the database quite fast.

Rejected certificates should stay rejected Rated 3 out of 5 stars

When I see a suspect certificate change I reject the new certificate but it just comes back again. If I reject a changed certificate the new certificate should stay rejected.

I generally always reject a certificate change if the new certificate has an older start/end date than the old certificate or if both the authority and domain change at the same time.
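
The triage rules suggested in the Heartbleed review and in the review directly above, as an added example that is not part of any review or of Certificate Patrol's own code. The record fields and sample certificates are constructed, and "only the dates changed" is assumed to mean that issuer, subject and public key are identical.

```javascript
// Added example: field names and all sample records below are constructed.
const HEARTBLEED_DISCLOSURE = Date.parse("2014-04-07T00:00:00Z");

function classifyCertChange(oldCert, newCert, cutoff = HEARTBLEED_DISCLOSURE) {
  if (oldCert.fingerprint === newCert.fingerprint) return "unchanged";
  const oldStart = Date.parse(oldCert.notBefore);
  const newStart = Date.parse(newCert.notBefore);
  const oldEnd = Date.parse(oldCert.notAfter);
  const newEnd = Date.parse(newCert.notAfter);

  // A certificate issued after the disclosure is replaced by one issued before it.
  if (oldStart >= cutoff && newStart < cutoff) return "very-high";
  // The replacement has an older start or end date than the stored certificate.
  if (newStart < oldStart || newEnd < oldEnd) return "high";

  const issuerChanged = oldCert.issuer !== newCert.issuer;
  const subjectChanged = oldCert.subject !== newCert.subject;
  // Authority and domain change at the same time.
  if (issuerChanged && subjectChanged) return "high";

  // Only the validity window moved forward: accept without a dialog.
  const keyChanged = oldCert.spki !== newCert.spki;
  if (!issuerChanged && !subjectChanged && !keyChanged && newEnd > oldEnd) {
    return "silent";
  }
  return "prompt"; // anything else still needs a human decision
}

function demo() {
  const stored = {
    subject: "www.example.test", issuer: "Example CA 1", spki: "key-A",
    fingerprint: "fp-1",
    notBefore: "2014-04-10T00:00:00Z", notAfter: "2015-04-10T00:00:00Z",
  };
  const renewal = { ...stored, fingerprint: "fp-2",
    notBefore: "2015-03-20T00:00:00Z", notAfter: "2016-03-20T00:00:00Z" };
  const rollback = { ...stored, fingerprint: "fp-0", spki: "key-old",
    notBefore: "2013-06-01T00:00:00Z", notAfter: "2015-06-01T00:00:00Z" };
  const older = { ...renewal, fingerprint: "fp-3",
    notBefore: "2014-08-01T00:00:00Z", notAfter: "2015-08-01T00:00:00Z" };
  const newCa = { ...renewal, fingerprint: "fp-4", issuer: "Other CA" };
  const newCaAndName = { ...newCa, fingerprint: "fp-5", subject: "*.example.test" };
  return {
    renewal: classifyCertChange(stored, renewal),
    rollback: classifyCertChange(stored, rollback),
    older: classifyCertChange(renewal, older),
    newCa: classifyCertChange(stored, newCa),
    newCaAndName: classifyCertChange(stored, newCaAndName),
  };
}
```
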

5/5 Thanks !!!! Rated 5 out of 5 stars

I will give it 5/5 !!!! Great tool for advanced users, thanks a lot !!!
Did not have the time to review the code, hope the add-on is clean :)

May I suggest you add a feature to colorize the notification on new CA or non Root CA

Rated 3 out of 5 stars

Needs updating and needs to be smarter (I have to keep clicking to accept even when using the host option - Google uses a million certificates apparently). But useful. Four stars if it had been kept up to date.

Rated 5 out of 5 stars

Great, props to dev

Useless Rated 2 out of 5 stars

It only displays alerts for HTTPS connections - in which world is this a useful Thunderbird extension? Maybe for people who use it as an RSS reader, hence 2 stars.

Rated 5 out of 5 stars

Security on the web is impossible, but the attempt here is awareness and education. For those that don't care, nothing will help them. Others however, value information, especially when it can save them from massive headache like identity theft, or getting their bank account cleaned out from being careless online.

This add-on is not hard to use, and the popups, while a nuisance, can be tolerated. If taking a moment to scrutinize a new certificate, or one that has changed for no reason is too much hassle for you, then skip it. Good luck to you.

If however, you realize just how broken the concept of "trust" on the internet is, you will find this add-on a useful tool in gaining a little of that most elusive and valuable commodity, knowledge.

Trust nothing on the internet, not your ISP, especially not your government, nothing. Question everything. Good luck to you, as well.

Rated 4 out of 5 stars

Mostly good. The "CA Only" checkbox on the popup isn't working for me.

Having only a webchat for submitting problems borders on FAIL.

Almost There.. Just not yet Rated 3 out of 5 stars

Certificate Patrol fills a gap in browser security, but does so at the cost of frightening popups that are far beyond most users. After recommending Certificate Patrol as part of a security overhaul, 0 out of 8 users are still using the software after 1 week. This is entirely due to the type and number of alerts for popular websites such as Twitter.

Adopting a strategy such as SSLEverywhere's observatory to verify certificates or just including IDs with the extension to verify like Chrome would go a long way to improving usability. As it stands, I would love to recommend or use the plugin, but it just isn't there yet.

Needs a confirmation API Rated 3 out of 5 stars

CertPatrol is constantly popping up dialogs all over the place for me for almost expired certificates and CA changes for popular websites (Google, Amazon, etc). Maybe my Internet connection is being monitored or maybe not? I can't tell. What CertPatrol needs is a confirmation API similar to "is it me or is it down", but a package that can be installed on a trusted host. I own a dedicated server that is secure and isolated on a completely different network (it would be nothing short of impressive if the trust of both networks were violated at the same time). Pointing CertPatrol at a secure URL on my web server that exposes an API that goes and talks to the same domain my local machine is attempting to talk to would allow CertPatrol to ignore most of the dialogs that are currently popping up in my face. Only if there is a serious issue (e.g. two different root certs for the same domain from trusted server vs. local machine) would I or CertPatrol need to worry. Also, CertPatrol could be configured to only trust the response from the API if I choose to use my own homegrown CA (e.g. custom CA on a subdomain specifically for the API but not install the CA cert into my trusted root store - just a CA for CertPatrol to use to verify that the API interface hasn't been compromised). For every certificate presented to the browser, CertPatrol contacts the trusted server and makes sure that the same certificate is being presented to the trusted server. If so, and if the API hasn't been compromised, CertPatrol ignores the differences. For the super paranoid (as if my own paranoia isn't excessive already), CertPatrol could be configured with several trusted API endpoints. Each endpoint simply adds to the assurance level that the presented certificate and path to the CA in the trusted root store can be trusted (i.e. hasn't changed unexpectedly or the rest of the Internet sees the same thing). In summary, fewer dialogs = better!


I totally agree with you, the notifications are getting excessive and I really like your idea for an alternative design to detect suspicious certificate inconsistencies. Thanks for the great feedback!

Rated 5 out of 5 stars

great tool, 5 Stars for this.

But I would love to see one more feature: Like you remember the certificate of the server, can you also remember the TLS version that is used by each server and issue a warning when a lower TLS version is used in the future? Looks like a logical extension and very helpful against downgrade attacks.

A great extension for Firefox – a must have for security concerned Rated 5 out of 5 stars

The issue with domains using changing certificates (e.g. www.google.com) has been fixed by allowing to either configure a check of the site's certification authority's certificate (if it doesn't change) instead of the site's own, or by configuring the domain to be ignored (if the CA also changes, as in some rare cases).

Improvement suggestion: A list of possible certs could be implemented per domain (instead of currently only one cert per domain). It would be useful for sites with changing certs – especially the ones also changing the CA – because the number of certs they use is still very limited. So that one then would not have to set the domain to be ignored, but would instead know that its cert is one of the list of the ones used by the domain. (This is an issue of those domains like google.com. Or maybe their desired behavior, to limit the worldwide damage in case a cert or its CA gets compromised.)

Note to Thunderbird: Unlike with Firefox, this add-on is not needed with TB. See http://forums.mozillazine.org/viewtopic.php?f=39&t=2687657 for information on how certificate pinning can be configured with Thunderbird itself.

Note to version 2.0.14: Since Firefox 19 (or so), the extension name is not shown under “Add-Ons”. “null 2.0.14” is shown instead. But the extension works as advertised nevertheless.

Update: Another suggestion: It would be great if it could also "pin" the certs of the update servers used by Firefox to search for new versions and update itself and its extensions.

Rated 1 out of 5 stars

It's a great idea, but for server farms like Google's, where there aren't any consistent certificates, it's simply going to numb you to the idea that certs are always changing.

Until the authors are willing to fix this—we've been complaining about it for years—it's worse than useless.

This user has a previous review of this add-on.

Rated 4 out of 5 stars

I also noticed the very frequent changes of Google certificates. Is this a sort of cookie-like information gathering by Google? Can Google detect when I click OK or Reject?

Rated 3 out of 5 stars

Google certificates are changing every few minutes, if not less, so I'm repeatedly bombarded with Google certificate approvals. "So what" if the prior ones become outdated. It's a damn annoyance to be prompted every FEW minutes for approving updates to the certificates.
What's the solution, to disable Certificate Patrol, or something else? I'll totally disable and possibly uninstall it, unless a helpful reply is provided, for I'm not going to put up with these continuous prompts for approving, or not, Google certs.

Good For Some But Not For The Blind Rated 3 out of 5 stars

This may have potential for the sighted but ever since I installed it a few days ago I have experienced a lot of trouble with it. Firstly, the fields are not labelled, so says JAWS For Windows. I press Tab to go forwards and Shift+Tab to go backwards through a dialogue respectively and these read-only fields do not have labels or anything bound to the control. I as a blind person do not know what is what. This basically defeats the entire add-on because I can not discern between information in new and old certificates. Moreover, the entire layout is not designed for the non-sighted to make use of it.

Secondly, the options dialogue can use much improvement. I heard not long ago when Tab is pressed in a dialogue such as that there is a rectangle that puts focus to the control in question. If there exist any captions, tooltips or any additional information not encapsulated in that rectangle I do not notice it. There is a More Info [Alt+I] button and that thing too is not readable for me. I could keep typing for an hour explaining every single detail but my point is for EVERYBODY to have the ability to use this to its full and maximum potential it needs to be redesigned for everybody.

Rated 5 out of 5 stars

It's a great way to make sure that the site you're used to going to is still who you expect it to be. Sometimes there are too many notifications.

Simple, subtle way to improve security Rated 5 out of 5 stars

This add-on is simple, yet highly effective at detecting potential issues (e.g. man-in-the-middle attacks, unexpected certificate changes, etc.) related to SSL certificates.

In general, it is quiet and stays out of the way. In the few messages it presents to the user, it provides useful commentary about whether or not the change it detected is likely harmless or malicious, which is useful for non-technical users.

I highly recommend this add-on.

This review is for a previous version of the add-on (2.0.12).