Certificate Patrol

About this Add-on

Your web browser trusts a lot of certification authorities and chained sub-authorities, and it does so blindly. "Subordinate or intermediate certification authorities" are a little known device: The root CAs in your browser can delegate permission to issue certificates to an unlimited amount of subordinate CAs (SCA) just by signing their certificate, not by borrowing their precious private key to them. You can even buy yourself such a CA from GeoTrust or elsewhere.

It is unclear how many intermediate certification authorities really exist, and yet each of them has "god-like power" to impersonate any https web site using a Man in the Middle (MITM) attack scenario. Researchers at Princeton are acknowledging this problem and recommending Certificate Patrol. Revealing the inner workings of X.509 to end users is still deemed too difficult, but only getting familiar with this will really help you get in control. That's why Certificate Patrol gives you insight of what is happening.

If you still think a MITM attack is unlikely to happen to you, read this user report.

Developer’s Comments

You'll see certificate information pop up whenever you visit a
new https: website, including https://addons.mozilla.org for
example. "New" is anything Patrol hasn't seen and stored yet.

You are also prompted whenever a web site updates its certificate
and given the opportunity to compare the two certificates side by
side, line by line. See the screenshot for an example.

Even if you do not fully understand what is shown to you, you
get a chance of distinguishing legitimate from suspicious changes.
Here's a little list of things to look out for:

If the old certificate is about to expire (Validity / Expires On),
it was necessary to replace it with a new one. CertPatrol
will check this for you.
In most cases web sites keep using the same certification
authority (Issued By) over time. Should the web site have changed
its certification authority, make sure the old certificate was
about to expire. CertPatrol will assist you with this.
You may want to consider the most popular CAs (like maybe CAcert, Entrust,
Equifax, GoDaddy, NetworkSolutions, Thawte and VeriSign.. to mention some)
to be less likely to help in MITM attacks, but that is only a guess.
Especially since in each country local CAs may be legitimately
well established.
Comodo, GeoTrust, GlobalSign, QuoVadis, RSA WebTrust and StartCom
are known to offer intermediate CA for money. Still StartCom is extremely
popular with small and private web sites for its free services.
If all certificates you see are always issued by the same
certification authority, you should be very suspicious. Try
searching for random https: sites and see if they still all seem
signed by the same CA.
In case of doubt install the Perspectives or Convergence add-ons to make further checks on the credibility of a certificate. The downside of these add-ons is, you reveal who you communicate with to an external service — so better only use it when necessary. In theory you could have some tech savvy friends run notaries for you, the more the better, but would you want to expose your surfing habits to them?
If the web site is important to you, make a research on the name of
the new CA. Make a phone call to the owner of the web site and ask them
to confirm the SHA1 fingerprint shown on your screen.
The fingerprint is currently close to impossible to falsify.
Ask them to send you future certificate fingerprints by snail mail
before they install it.
Some clustered sites such as bookryanair.com make things
more complicated by using several inconsistent certificates for the same
domain name. That will look unnecessarily suspicious. Usually such

certificates will look very similar to each other and appear to be
changing frequently. We can only hope for these companies to fix
their set-ups.

It is very important to understand that certificates do not make a statement about the trustworthiness of a web site, but whether that web site is indeed what you think it is. In practice you should always be very suspicious if there are problems with your electronic banking or other sites you trust for very important operations, whereas you can probably relax if a certification problem arises for a web site that you are merely intending to have a quick look at. The more a web site is important to YOU, the more you should be cautious! That is the most essential rule of thumb in dealing with the wild west of Internet certification today.

This extension is similar to the as yet unreleased 'Certlock'. More info on http://patrol.psyced.org.

Version Information

Version 2.0.16 Released April 30, 2017 78.8 KiB Works with Firefox 3.5 - 56.*, SeaMonkey 2.0 - 2.7a1, Thunderbird 3.0 - 10.0a1

Some UX improvements.

Source code released under Mozilla Public License Version 1.1

Download Now Download Anyway

See complete version history

Add-ons

Welcome to SeaMonkey Add-ons.

On the go?

Certificate Patrol 2.0.16 Requires Restart

by Carlo v. Loesch, tg(x), 20after4

About this Add-on

Developer’s Comments

Version Information

Version 2.0.16 Released April 30, 2017 78.8 KiB Works with Firefox 3.5 - 56.*, SeaMonkey 2.0 - 2.7a1, Thunderbird 3.0 - 10.0a1

Add-ons

Welcome to SeaMonkey Add-ons.

On the go?

Certificate Patrol 2.0.16 Requires Restart

by Carlo v. Loesch, tg(x), 20after4

About this Add-on

Developer’s Comments

Version Information

Version 2.0.16 Released April 30, 2017 78.8 KiB Works with Firefox 3.5 - 56.*, SeaMonkey 2.0 - 2.7a1, Thunderbird 3.0 - 10.0a1

Permissions

Report Abuse