Developer reply by Carlo v. Loesch
Rated 5 out of 5 stars
Great idea, just what I was looking for!
If there was an option to switch between "admin/learning mode" (current way of working) and "user/working mode" (deny access on unknown cert), this would be absoultely PERFECT.
re: "is it really important to show certificate details the first time when I visit an https site?"
Yes, yes it is, if you actually care whether it's the real site you want or whether it's a phishing impostor, you should verify with the site owner that the certificate fingerprints are correct. Unfortunately, only a few people actually do that, as this should be done through a different (secure) channel than the browser, e.g. through a snail-mail letter or over the phone. Example: I go to https://mybank.example.com/ , I get a "new certificate" warning. I call MyExampleBank's support and check the certificate fingerprints with them. If they don't match what I'm seeing, the site is most probably a fake.
Hey Jan & eyv, thanks for Kudos! We only get to the certificate data "after the fact," that is - after the certificate got accepted. So should Patrol think you ran into an evil certificate it would have to do funny things in order to keep you from accessing it anyway, like closing the page for you. Is this something we would want? Maybe there are other/newer hooks that I am not aware of, though.
To create your own collections, you must have a Mozilla Add-ons account.