Rated 5 out of 5 stars

This is an awesome extension, just what I was looking for. It would be nice if you could add an option to disable the warnings for new certs and only warn on changed certs, even if the preference didn't have a GUI. The new cert dialog pops up so much I dug into CertPatrol.js and commented out the openDialog for outnew... but I'll need to repeat for each update until you add it as a feature.

Update 2011-01-20: Thanks! The new version is great, except I am constantly getting false positives for Google Docs. Unfortunately, this is also a very important site that I want Cert Patrol's protection for. They're obviously using multiple certificates on different servers, and as I'm swapped between servers I keep seeing updates.

So... how hard would it be to add the ability to keep multiple versions of the same certificate? Or, alternatively, to say that I trust a specific CA for Google (in this case, Google has its own intermediate CA) but want to be notified if I see any others.

To give you an idea of the false positive problem, I get this several times a day, to the point that I find myself trained to ignore the warnings.

This review is for a previous version of the add-on (1.2.3). 

Do you encounter so many new certificates all the time? I'll find a solution. It should be better than just to ignore first encountered certificates since MITM may already be happening then, but also better than to disturb the user with pop-ups if they are definitely too many.

Update: I uploaded 1.3.5beta which has options to make less intrusive notification boxes instead of pop-ups for all less threatening events. :)

Rated 5 out of 5 stars

Here's a good reason to install this extension: http://www.wired.com/threatlevel/2010/03/packet-forensics/

This review is for a previous version of the add-on (1.2). 

Rated 5 out of 5 stars

Hi!!!!!!!!!!!!!!!!!!!!!!!

I'm using this addon in my project factorBEE!!!!!!!!!!!!

I would like to email you, to ask you some things (and, perhaps, to suggest features you could add to Certificate Patrol!!!!).

Well, I haven't found your email address anywhere!!!!!!!!!!!!!! My email address is written here: http://honeybeenet.altervista.org/factorbee/?id=800000 so you should email me first!!!!!!!!!!!!!!!!

~bee!!!!!!!!!!!!!!!!

This review is for a previous version of the add-on (1.0). 

in the PSYC chatroom ( https://psyced.org/PSYC/ or psyc://psyced.org/@welcome or xmpp:*welcome@psyced.org or irc://psyced.org/welcome ) linked from the *actual* homepage of the add-on, which is http://patrol.psyced.org

Rated 5 out of 5 stars

Great idea, just what I was looking for!
If there was an option to switch between "admin/learning mode" (current way of working) and "user/working mode" (deny access on unknown cert), this would be absolutely PERFECT.

re: "is it really important to show certificate details the first time when I visit an https site?"
Yes, yes it is, if you actually care whether it's the real site you want or whether it's a phishing impostor, you should verify with the site owner that the certificate fingerprints are correct. Unfortunately, only a few people actually do that, as this should be done through a different (secure) channel than the browser, e.g. through a snail-mail letter or over the phone. Example: I go to https://mybank.example.com/ , I get a "new certificate" warning. I call MyExampleBank's support and check the certificate fingerprints with them. If they don't match what I'm seeing, the site is most probably a fake.

This review is for a previous version of the add-on (0.7). 

Hey Jan & eyv, thanks for Kudos! We only get to the certificate data "after the fact," that is - after the certificate got accepted. So should Patrol think you ran into an evil certificate it would have to do funny things in order to keep you from accessing it anyway, like closing the page for you. Is this something we would want? Maybe there are other/newer hooks that I am not aware of, though.

Rated 4 out of 5 stars

I love the idea of notifying users when certificates change, but is it really important to show certificate details the first time when I visit an https site? If you really feel it is vital, I would encourage you to make it a preference value (enabled by default).
Otherwise, good idea and good job. Thanks!

This review is for a previous version of the add-on (0.7). 

We've had it in the 1.3beta series for a while, now it is public with version 1.4: New certificates do not pop up by default any longer, and there is a preference switch to change that.

Rated 5 out of 5 stars

works flawlessly on ff 3.0.10

This review is for a previous version of the add-on (0.6). 

Rated 3 out of 5 stars

please make it support FF 3.0.5, thanks a lot.

This review is for a previous version of the add-on (0.4.0.5). 

fixed in version 0.4.0.5 or .6. forgot to mention...