Review for Certificate Patrol by joey2012
Rated 5 out of 5 stars
The issue with domains using changing certificates (e.g. www.google.com) has been fixed by allowing to either configure a check of site's certification authority's certificate (if it doesn't change) instead of the site's own, or by configuring the domain to be ignored (if the CA also change, as in some rare cases).
Improvement suggestion: A list of possible certs could be implemented per domain (instead of currently only one cert per domain). It would be useful for sites with changing certs – especially the ones also changing the CA – because the number of certs they use is still very limited. So that one then would not have to set the domain to be ignored, but would instead know that its cert is one of the list of the ones used by the domain. (This is an issue of those domains like google.com. Or maybe their desired behavior, to limit the worldwide damage in case a cert or its CA gets compromised.)
Note to Thunderbird: Unlike with Firefox, this add-on is not needed with TB. See http://forums.mozillazine.org/viewtopic.php?f=39&t=2687657 for information on how certificate pinning can be configured with Thunderbird itself.
Note to version 2.0.14: Since Firefox 19 (or so), the extension name is not shown under “Add-Ons”. “null 2.0.14” is shown instead. But the extension works as advertised nevertheless.
-------------------------
Update: Another suggestion: It would be great if it could also "pin" the certs of the update servers used by Firefox to search for new versions and update itself and its extensions.
To create your own collections, you must have a Mozilla Add-ons account.