Rated 5 out of 5 stars

I wrote "preference trouble" on Seamonkey 2.2 and Thunderbird 5 in the previous review.
Now I confirm the fix with Certificate Patrol 2.0.7. Thanks for your quick fix.

This review is for a previous version of the add-on (2.0.6.1-signed.1-signed).  This user has a previous review of this add-on.

You're welcome. 2.0.7 had another problem though so we had to replace it with 2.0.8.

Rated 5 out of 5 stars

I'm running v2.0.6 with Perspectives 2.4 in Firefox 5.0 Portable under WinXP Pro SP3 32-bit. No problems.

Feature request: a user-configurable setting to enable and time out (i.e. 10 seconds) to collapse the yellow bar. See that in action with the BetterPrivacy add-on "Autoremove message after .... seconds". Thank you!

This review is for a previous version of the add-on (1.8.3.1-signed.1-signed). 

We have added the timeout feature in 2.0.9.

Rated 2 out of 5 stars

Great job. Heard about Certificate Patrol from Steve Gibson's Security Now podcast. This add-on provides a feature that should be standard in every browser.

---

Update 07/21/2011

Had to uninstall because of the crazy number of notifications about Google's certificates. I keep several Google products pinned in app tabs and switch between them often. It's literally gotten to the point where I can't even access a single one of them without CP popping up with alerts about Google's wildcard certs and such. I can't even type in a single query in the Firefox search bar (I have the SSL version of Google added there) without getting prompted about the cert for each query.

CP is a great idea, but an add-on that requires you to close the same warning messages repeatedly 30+ times per day is just too much. I'm sure the real issue is Google needing to do a better job of cert management, but there really does need to be some configurability options for this in CP.

This review is for a previous version of the add-on (1.8.3.1-signed.1-signed). 

In version 2.0 we made many improvements, e.g. we added a checkbox at the bottom of the change notification dialog that makes CP check only the issuer for that host. This is useful in cases like this, when a site uses multiple certificates for the same host. Which version were you using? Try upgrading to 2.0 if you haven't done so yet.

Rated 5 out of 5 stars

Decent program for keeping vigilant of proper certification for certain websites, especially for banking sites. Definitely a good addition to anyone's library of add-ons.

This review is for a previous version of the add-on (1.8.3.1-signed.1-signed). 

Rated 4 out of 5 stars

I held off on reviewing this one for a while because I needed to test it out and to do some more homework but now I am putting it into my "Apollo! Pack"! collection because it is one more step in the right direction. It alone is not going to secure your computer but it is one more step. Why Firefox doesn't do more to check certificates is a mystery.

This review is for a previous version of the add-on (1.8.3.1-signed.1-signed). 

Rated 2 out of 5 stars

I had a problem with it not giving a cancel button, as there is such a thing as cookies that the suspicious site could get a hold of and use my session. I have noticed this with GitHub today and I am unsure if I should trust that they changed, as the CN on the old one is every subdomain and the CN on the new one is just github, as well as the new owner being DigiCert and 790 days until it expires, when the old one was GoDaddy with 1290 days left. You would expect that they wouldn't change until it reaches the end of the certificate as there would be no reason, so I am guessing the new one is fake and I am unable to push cancel to stop it from loading...

This review is for a previous version of the add-on (1.8.3.1-signed.1-signed). 

There is no Firefox API that allows us to prevent a web page from being loaded. All we can do and intend to do is to add a "Reject" button which keeps the new certificate from being stored as "seen before". This obviously doesn't solve anything and the user is still in charge of closing the window to the bogus website herself. You'll have to file a bug report with Mozilla if you'd like to see this kind of behaviour from CertPatrol.

Rated 5 out of 5 stars

I like it, but one suggestion would be to make the dropdown notifications specific to the tab they were generated from - using something like gBrowser.getNotificationBox(gBrowser.getBrowserForDocument(aDocument)); -- It's a little annoying getting the notifications when I open a bunch of new tabs (when I'm not looking at those tabs yet)

This review is for a previous version of the add-on (1.8.1.1-signed.1-signed).  This user has a previous review of this add-on.

Thank you. I think I tried several snippets of code like that and they failed to work but I'll try again.

Rated 4 out of 5 stars

This is an extension worth installing: it recognizes when the ssl/tls certificate of a site has changed, and will give warnings if this change looks suspicious.

From reading the source code, there are no surprises. It compares hashes from ssl/tls certs to hashes it has seen in the past. This means it will keep a list of https sites you have visited (including those visited while in private browsing mode), but this will stay on your computer and not be sent elsewhere.

The code quality is acceptable, but not excellent. For example, the code does not use braces around one-line if-statements, uses inconsistent indentation and one if...elseif really looks like it needs a final else statement.

The main logic for detecting if a certificate change is classed as "suspicious" is not commented and is difficult to follow. For example, time limits are coded in (billions of) milliseconds instead of human-readable days, and no explanation is given to the choice of these values or how they relate to real-world problems they want to warn about.

That said, I would still recommend installing as it does provide warning about many possible ssl/tls attacks.

This review is for a previous version of the add-on (1.8.1.1-signed.1-signed). 

The "inconsistent" indentation is meant to be KNF, the BSD Kernel Normal Form, with different indentation levels for code blocks and line continuations. The source however has seen several authors and isn't all consistent. Fixing that now. The main logic is commented in the upcoming version 1.8.3. Thanks for the recommendation. :-)
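The kind of check discussed in the review above (compare the presented certificate's hash with the stored one, then judge the change by issuer and remaining lifetime), written with limits in days rather than milliseconds and with the issuer-only option mentioned in an earlier developer reply. This is an added illustration, not Certificate Patrol's source: the function name, record fields, result labels and the 90-day window are all assumptions.

```javascript
// Added illustration, not Certificate Patrol's code. Names and thresholds
// are assumptions chosen for the example.
const DAY_MS = 24 * 60 * 60 * 1000;
const RENEWAL_WINDOW_DAYS = 90; // assumed: replacement this close to expiry is routine

function daysBetween(fromMs, toMs) {
  return Math.floor((toMs - fromMs) / DAY_MS);
}

// stored: record saved on an earlier visit (undefined on first contact).
// seen:   certificate presented now.
// Both have the shape { fingerprint, issuer, notAfter } (notAfter in ms).
function classifyChange(stored, seen, nowMs, issuerOnly = false) {
  if (!stored) return "first-seen";
  if (stored.fingerprint === seen.fingerprint) return "unchanged";

  const sameIssuer = stored.issuer === seen.issuer;
  // Issuer-only mode: for hosts that serve several certificates, only a
  // change of issuing CA produces a warning.
  if (issuerOnly) return sameIssuer ? "accepted-same-issuer" : "warn-issuer-changed";

  const daysLeft = daysBetween(nowMs, stored.notAfter);
  if (daysLeft < 0) return "replaced-after-expiry";
  const early = daysLeft > RENEWAL_WINDOW_DAYS; // old cert was not due yet
  if (!sameIssuer) return early ? "warn-early-and-issuer-changed" : "warn-issuer-changed";
  return early ? "warn-early-replacement" : "routine-renewal";
}

// Constructed sample records (not real certificates).
const NOW = Date.UTC(2011, 6, 21);
const stored = { fingerprint: "aa:01", issuer: "Example CA A", notAfter: NOW + 1290 * DAY_MS };
const sameCaNewCert = { fingerprint: "bb:02", issuer: "Example CA A", notAfter: NOW + 790 * DAY_MS };
const otherCaNewCert = { fingerprint: "cc:03", issuer: "Example CA B", notAfter: NOW + 790 * DAY_MS };

console.log(classifyChange(stored, sameCaNewCert, NOW));        // default mode
console.log(classifyChange(stored, otherCaNewCert, NOW));       // default mode, new CA
console.log(classifyChange(stored, sameCaNewCert, NOW, true));  // issuer-only mode
```
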

Rated 4 out of 5 stars

A good add-on... BUT... sites providing multiple certificates for the same domain give false positives. Many of these false positives could be avoided if old (but unexpired) certificates were remembered after new certificates were accepted -- there is no harm switching between certificates that have already been accepted.

This review is for a previous version of the add-on (1.4). 

Rated 5 out of 5 stars

Essential. Would be nice to have some synchronization to detect certificate changes across networks (maybe via saving data to bookmarks like NoScript does).

If Google or anybody changes its certificate every several days, that's Google's problem and security risk for others. This addon does nothing wrong here. If you want an option to disable it for certain sites, consider using MitM Me instead.

This review is for a previous version of the add-on (1.4). 

Rated 5 out of 5 stars

An essential add-on, but it makes using SSL for Google Search very awkward, because this add-on issues a warning every time an "early" change of Google certificate takes place. One solution would be an option to suppress a warning about an early change if the CA has not changed.

This review is for a previous version of the add-on (1.4). 

Rated 5 out of 5 stars

Great extension. Does exactly what it says.

I hope this extension will continue to be maintained. Works fine up through at least 4.0b8, the compatibility should really be updated to reflect this.

This review is for a previous version of the add-on (1.4). 

Rated 3 out of 5 stars

A very good idea in principle, but current realization is very impractical. For example, the site https://encrypted.google.com/ changes its certificate every several days. I see no reason to patrol this site so carefully as Certificate Patrol imposes it. It is just a waste of my time. So, there should be some options concerning different sites. Thank you.

This review is for a previous version of the add-on (1.4). 

Rated 5 out of 5 stars

Excellent add-on. Has improved in the later versions to be more discreet and fixed all bugs I previously experienced. Great work!

This review is for a previous version of the add-on (1.4). 

Rated 5 out of 5 stars

Nice this new version!!!!!!!!

~bee!!!!!!!!!!

This review is for a previous version of the add-on (1.4). 

Rated 5 out of 5 stars

Excellent job. This puts my mind at ease.

This review is for a previous version of the add-on (1.4). 

Rated 5 out of 5 stars

Got a warning when logging onto the php|architect website. See http://i49.tinypic.com/11kfrmb.jpg for screenshot - note that it gives a certificate issued on April 17, 2009 as being from *28 days ago* and thus not due yet. Version is 1.2.6 on FF 3.6.3, WinXP Pro SP3, current date (July 1st, 2010) is correct both on my PC and in the response HTTP header from phparch.com.
I have no idea where the addon is getting a wrong date from.
Very good tool otherwise - I do recommend this to everybody.

This review is for a previous version of the add-on (1.2.6). 

This is due to the date parsing bug in older versions of CP. Since you have been using CP so long, some of the certificates in your database have a messed-up date (2009-17-04 would be the 17th month of 2009, that's why it computed as last month for you). Just replace those buggy entries in your database with the new certificates and this will no longer occur. Sorry for taking a while to understand what's happening here and getting back to you.

Rated 5 out of 5 stars

I'm seeing dates in the CP 1.2.3 dialog like this:

Issued On: 203/12/2010 0:00:00 AM (35 days ago)
Expires On: 203/25/2012 23:59:59 PM (NaN days ahead)

Is this due to a bug? If not, how do I interpret that date which is supposed to be 35 days ago?

This review is for a previous version of the add-on (1.3.1). 

... that I have fixed a month ago, but some new problems keep creeping up making the new versions (1.2.4, 1.3, 1.3.1) not 100% stable. I stepped back and uploaded a 1.2.5 which only fixes the bug in 1.2.3. It should appear soon or you can install it manually from https://addons.mozilla.org/en-US/firefox/addons/versions/6415 – At the same time I have 1.3.5 ready which should also fix the new bugs, but I can't upload it at the same time, so it may take a while until you get the "current" version of CP.

Rated 5 out of 5 stars

Hi!!!!!!!!!!!!!!
Well, yeah, I always download Certificate Patrol without waiting for the review process at AMO!!!!!!! The review process here is much too slow and also very useless!!!!!!!!!!!!!! I quickly look at the source code of addons I use, so I don't have to wait for their reviews!!!!!!!!!!!!!!!!!!!
This is the page to download all the versions, including old versions and versions pending for approval, of CP: https://addons.mozilla.org/en-US/firefox/addons/versions/6415

CP 1.3.1 has a bug!!! And I can't use it, because it doesn't work!!!!!!!!!!
Error: uncaught exception: [Exception... "Component returned failure code: 0x8000ffff (NS_ERROR_UNEXPECTED) [nsIPrefBranch.getBoolPref]" nsresult: "0x8000ffff (NS_ERROR_UNEXPECTED)" location: "JS frame :: chrome://certpatrol/content/CertPatrol.js :: anonymous :: line 424" data: no]

I think that you forgot to add the default preferences in defaults/preferences/CertPatrol.js !!!!!
Well, I reverted to CP 1.2.4!!!!!!!!!!!!!! and it works!!!!!!!!!!!

~bee!!!!!!!!!!!!!!!!!!!!!

This review is for a previous version of the add-on (1.3.1). 

Yes, you could be very right, I forgot to update defaults/preferences/CertPatrol.js – I did so in the upcoming 1.3.5 but I can't upload that yet while 1.2.5 is waiting for release. I can try to upload it as 'beta'.

Rated 4 out of 5 stars

Nice work, thanks a lot. Just curious if you'd considered crowd sourcing with this add-on? If Certificate Patrol made use of crowd sourcing and made publicly available the oldest known valid cert for any organization, so that it can be compared to the one a visitor just loaded on first visit to a site, that might be pretty useful as if the cert is already swapped that visitor who came later is not going to know.

This review is for a previous version of the add-on (1.3.1). 

'Perspectives' does something of that sort, but it does so using preset servers at cmu.edu. What we would need is some DHT and/or P2P features built directly into Firefox so that we could do anonymous crowdsourced certificate look-ups as one out of many applications of such an infrastructure. We also thought about announcement channels where certificates are announced, but how would we filter which ones could be of interest to you without exposing your browsing habits?