Needs a confirmation API Noté 3 sur 5 étoiles
CertPatrol is constantly popping up dialogs all over the place for me for almost expired certificates and CA changes for popular websites (Google, Amazon, etc). Maybe my Internet connection is being monitored or maybe not? I can't tell. What CertPatrol needs is a confirmation API similar to "is it me or is it down", but a package that can be installed on a trusted host. I own a dedicated server that is secure and isolated on a completely different network (it would be nothing short of impressive if the trust of both networks were violated at the same time). Pointing CertPatrol at a secure URL on my web server that exposes an API that goes and talks to the same domain my local machine is attempting to talk to would allow CertPatrol to ignore most of the dialogs that are currently popping up in my face. Only if there is a serious issue (e.g. two different root certs for the same domain from trusted server vs. local machine) would I or CertPatrol need to worry. Also, CertPatrol could be configured to only trust the response from the API if I choose to use my own homegrown CA (e.g. custom CA on a subdomain specifically for the API but not install the CA cert into my trusted root store - just a CA for CertPatrol to use to verify that the API interface hasn't been compromised). For every certificate presented to the browser, CertPatrol contacts the trusted server and makes sure that the same certificate is being presented to the trusted server. If so, and if the API hasn't been compromised, CertPatrol ignores the differences. For the super paranoid (as if my own paranoia isn't excessive already), CertPatrol could be configured with several trusted API endpoints. Each endpoint simply adds to the assurance level that the presented certificate and path to the CA in the trusted root store can be trusted (i.e. hasn't changed unexpectedly or the rest of the Internet sees the same thing). In summary, fewer dialogs = better!
I totally agree with you, the notifications are getting excessive and I really like your idea for an alternative design to detect suspicious certificate inconsistencies. Thanks for the great feedback!