Rated 2 out of 5 stars

by Charles on Dec. 17, 2014 · permalink

I used this addon for several years and recently disabled it. I believe it was interfering with TLS in some way. Recently, if I tried to connect to https://www.google.com, I received an error "The server rejected the handshake because the client downgraded to a lower TLS version than the server supports". With the same version of Firefox in a VM that didn't have Certificate Patrol I was able to connect without the error. After disabling Certificate Patrol I could connect to Google fine.

The error appears to be a security step on Google's part to prevent POODLE attacks - if the client (browser) tries to negotiate a connection with a POODLE-vulnerable version of TLS, the server (Google) refuses. It's not clear why Certificate Patrol would cause problems there, but the issue went away when I disabled CP. The implication is that CP is in some way negotiating a lower version of TLS, which if true would ironically reduce SSL security.