smarter comment on prematurely issued new certificates now with SHA2 or SHA256 signatures Rated 3 out of 5 stars
Since SHA1 signatures are deprecated, a lot of certificates are re-issued pre-maturely by the CAs signed with SHA2 or SHA256. (e.g. ssllabs asks for this).
If the issuing organization is the same, and this change is visible, do not label the change yellow, but green!
P.S.: BTW, do you have an issue-tracker?
Possibly downgrades TLS? Rated 2 out of 5 stars
I used this addon for several years and recently disabled it. I believe it was interfering with TLS in some way. Recently, if I tried to connect to https://www.google.com, I received an error "The server rejected the handshake because the client downgraded to a lower TLS version than the server supports". With the same version of Firefox in a VM that didn't have Certificate Patrol I was able to connect without the error. After disabling Certificate Patrol I could connect to Google fine.
The error appears to be a security step on Google's part to prevent POODLE attacks - if the client (browser) tries to negotiate a connection with a POODLE-vulnerable version of TLS, the server (Google) refuses. It's not clear why Certificate Patrol would cause problems there, but the issue went away when I disabled CP. The implication is that CP is in some way negotiating a lower version of TLS, which if true would ironically reduce SSL security.
unusable now Rated 1 out of 5 stars
That's it, Google has killed this extension now.
I've made an attempt to use it for the last couple of years (because something like this is really needed to be able to trust https), and it was almost OK initially, but these days it's unusable, mostly due to Google. Looks like they use hundreds (thousands?) of certificates, with their own CAs, so even checking the CA-only box doesn't help much. And now they're generating certificates valid for only 90 days. And with their ad network you get their warnings not only on Google's own sites, but *everywhere* (including here, addons.mozilla.org).
No updates for 3 years, when the landscape is changing this quickly, is inexcusable. This extension is dead.
Rated 3 out of 5 stars
This is nice, sure. But in the current form, unfortunatley also greatly annoying. Generally there are just too many sites that change certificates like people change clothes, and just too few sites that need the special attention that this addon provides.
My proposal is to only check certificates that:
a) come from sites that are on a force-check-list (the opposite of the current ignore-list)
b) are signed by root certificates that are not in the trust-store
c) are self-signed
Rated 2 out of 5 stars
Way too many warnings. I mostly get notified about cert changes that the add-on says are "harmless" - why is there no option to turn them off?
Rated 4 out of 5 stars
Great security extension. Sadly with Firefox 31 and the new key verifier changes it stopped working.
Rated 4 out of 5 stars
Great extension. Much more useful than just green indicator in the address bar or other extensions which track just the main page without third-party content.
But it's still hard to validate certificate which Patrol is suspicious about.
It would be a great feature to add on-demand (button?) validation via "https://www.grc.com/fingerprints.htm" or Perspectives notaries in the "certificate changed" dialog.
Great job, but needs upgrades Rated 4 out of 5 stars
Great job, but the add-on needs more features to not be annoying to the user. Spamming the user with messages defeats the main purpose of the add-on, because after a while one stops paying attention to them. It becomes similar to banner blindness.
There are few things that should be added ASAP.
1. Configuration option to check embedded content certificates only if the webste itself is using HTTPS. It's not really important if an image comes from trusted source if whole website in which it is embedded is served via plain HTTP. Also the user will not spend time on verifying certificate of some image hotlinked on a forum from random hosting, but just accept the certificate to get rid of an annoying message. This is worse than not being notified at all.
2. Ability to not store each domain covered by wildcard certificate in the database. Instead only one entry for such certificate should be stored. The reason is that some providers (for example Google) uses randomly-generated subdomain names, which pollute the database quite fast.
Rejected certificates should stay rejected Rated 3 out of 5 stars
When I see a suspect certificate change I reject the new certificate but it just comes back again. If I reject a changed certificate the new certificate should stay rejected.
I generally always reject a certificate change if the new certificate has an older start/end date than the old certificate or if both the authority and domain change at the same time.
5/5 Thanks !!!! Rated 5 out of 5 stars
i will give it 5/5 !!!! great tool for advanced users thanks a lot !!!
did not had the time to review the code hope the addon is clean :)
May i suggest you to add a feature to colorize the notification on new CA or non Root CA
Rated 3 out of 5 stars
Needs updating and needs to be smarter (I have to keep clicking to accept even when using the host option - Google uses a million certificates apparently). But useful. Four stars if it had been kept up to date.
Rated 5 out of 5 stars
Great , props to dev
Useless Rated 2 out of 5 stars
It only displays alerts for HTTPS connections - in which world is this an useful Thunderbird extension? Maybe for people who use it as an RSS reader, hence 2 stars.
Rated 5 out of 5 stars
Security on the web is impossible, but the attempt here is awareness and education. For those that don't care, nothing will help them. Others however, value information, especially when it can save them from massive headache like identity theft, or getting their bank account cleaned out from being careless online.
This add-on is not hard to use, and the popups, while a nuisance, can be tolerated. If taking a moment to scrutinize a new certificate, or one that has changed for no reason is too much hassle for you, then skip it. Good luck to you.
If however, you realize just how broken the concept of "trust" on the internet is, you will find this add-on a useful tool in gaining a little of that most elusive and valuable commodity, knowledge.
Trust nothing on the internet, not your ISP, especially not your government, nothing. Question everything. Good luck to you, as well.
Rated 4 out of 5 stars
Mostly good. The "CA Only" checkbox on the popup isn't working for me.
Having only a webchat for submitting problems borders on FAIL.
Almost There.. Just not yet Rated 3 out of 5 stars
Certificate Patrol fills a gap in browser security, but does so at the cost of frightening popups that are far beyond most users. After recommending Certificate Patrol as part of a security overhaul, 0 out of 8 users are still using the software after 1 week. This is entirely due to the number of type and number of alerts for popular websites such as Twitter.
Adopting a strategy such as SSLEverywhere's observatory to verify certificates or just including IDs with the extension to verify like Chrome would go a long way to improving usability. As it stands, I would love to recommend or use the plugin, but it just isn't there yet.
Needs a confirmation API Rated 3 out of 5 stars
CertPatrol is constantly popping up dialogs all over the place for me for almost expired certificates and CA changes for popular websites (Google, Amazon, etc). Maybe my Internet connection is being monitored or maybe not? I can't tell. What CertPatrol needs is a confirmation API similar to "is it me or is it down", but a package that can be installed on a trusted host. I own a dedicated server that is secure and isolated on a completely different network (it would be nothing short of impressive if the trust of both networks were violated at the same time). Pointing CertPatrol at a secure URL on my web server that exposes an API that goes and talks to the same domain my local machine is attempting to talk to would allow CertPatrol to ignore most of the dialogs that are currently popping up in my face. Only if there is a serious issue (e.g. two different root certs for the same domain from trusted server vs. local machine) would I or CertPatrol need to worry. Also, CertPatrol could be configured to only trust the response from the API if I choose to use my own homegrown CA (e.g. custom CA on a subdomain specifically for the API but not install the CA cert into my trusted root store - just a CA for CertPatrol to use to verify that the API interface hasn't been compromised). For every certificate presented to the browser, CertPatrol contacts the trusted server and makes sure that the same certificate is being presented to the trusted server. If so, and if the API hasn't been compromised, CertPatrol ignores the differences. For the super paranoid (as if my own paranoia isn't excessive already), CertPatrol could be configured with several trusted API endpoints. Each endpoint simply adds to the assurance level that the presented certificate and path to the CA in the trusted root store can be trusted (i.e. hasn't changed unexpectedly or the rest of the Internet sees the same thing). In summary, fewer dialogs = better!
I totally agree with you, the notifications are getting excessive and I really like your idea for an alternative design to detect suspicious certificate inconsistencies. Thanks for the great feedback!
Rated 5 out of 5 stars
great tool, 5 Stars for this.
But I would love to see one more feature: Like you remember the certificate of the server, can you also remember the TLS version that is used by each server and issue a warning when a lower TLS version is used in the future? Looks like a logical extension and very helpful agains downgrade attacks.
A great extension for Firefox – a must have for security concerned Rated 5 out of 5 stars
The issue with domains using changing certificates (e.g. www.google.com) has been fixed by allowing to either configure a check of site's certification authority's certificate (if it doesn't change) instead of the site's own, or by configuring the domain to be ignored (if the CA also change, as in some rare cases).
Improvement suggestion: A list of possible certs could be implemented per domain (instead of currently only one cert per domain). It would be useful for sites with changing certs – especially the ones also changing the CA – because the number of certs they use is still very limited. So that one then would not have to set the domain to be ignored, but would instead know that its cert is one of the list of the ones used by the domain. (This is an issue of those domains like google.com. Or maybe their desired behavior, to limit the worldwide damage in case a cert or its CA gets compromised.)
Note to Thunderbird: Unlike with Firefox, this add-on is not needed with TB. See http://forums.mozillazine.org/viewtopic.php?f=39&t=2687657 for information on how certificate pinning can be configured with Thunderbird itself.
Note to version 2.0.14: Since Firefox 19 (or so), the extension name is not shown under “Add-Ons”. “null 2.0.14” is shown instead. But the extension works as advertised nevertheless.
Update: Another suggestion: It would be great if it could also "pin" the certs of the update servers used by Firefox to search for new versions and update itself and its extensions.
Rated 1 out of 5 stars
It's a great idea, but for server farms like Google's, where there aren't any consistent certificates, it's simply going to numb you to the idea that certs are always changing.
Until the authors are willing to fix this—we've been complaining about it for years—it's worse than useless.