Reviews for Certificate Trust
Certificate Trust by devmni
Review by Steven
Rated 4 out of 5
by Steven, 5 months ago
Hello,
thank you for this add-on, this (almost) looks like what I was looking for, however I was not able to find the repository containing the source code to review. Could you please link it?
Are you open to feature requests?
Consider this scenario: "myimportantdomain.tld" is protected by TLS, and the certificate has been issued by some trustworthy CA.
It could happen that a single one (of the many!) CAs that are trusted by Firefox (and need to be trusted just to be able to browse the internet) turns rogue and issues a certificate for "myimportantdomain.tld" to a malicious party. Then, the browser would happily accept the rogue certificate.*
It would really be helpful to have a way to specify a list of CAs that have been "manually vetted" and enjoy a higher level of trust. In this way the user can distinguish between "default trust" and "high trust". If a CA turns rogue, and issues a certificate for "myimportantdomain.tld", then this add-on would only show "default trust", alerting the user.
It would be even better to enforce the requirement that some (user-specified) domains must have "high trust" (and display a warning page if that is not the case). One could take this further and allow the user to specify a list of domains and, for each domain in the list, choose which CAs to trust.
The original Cerdicator add-on (which appears to be dead) has "enhanced and user-friendly certificate pinning" listed among the planned features, which very much sounds like what I described above.
* There are *SOME* mitigations in place, such as certificate pinning, but they are also less than ideal.
Developer response
posted 5 months ago
Hi, thanks for your feedback :-)
Sorry for my late reply.
I didn't have a repository for this yet, but I've created one.
You can find it here:
https://github.com/devmni/Certificate_Trust
If you open the add-ons directory (Firefox -> about:profiles -> your profile -> extensions folder), you can add/delete trusted/untrusted (green icon) CAs in "/db/IncludedCACertificateReport.json". The downside is that you have to do this manually each time you want to add or remove a CA. An add-on UI would actually be useful for management purposes. There could then be a "customer-friendly" option implemented to mark some official CAs as "personally trusted", as you suggested. The add-on's root directory also contains a Python update script (ca-updater.py.txt) that retrieves the current list of trusted root CAs from Mozilla and converts it to JSON.
I have to be honest, though, that I actually work in a different development area (and am not a web developer). So please have mercy. I simply cleaned up some old Cerdicator code, added my own code, added some nicer icons, and then packaged the whole thing.
So, if you take a look at the repo: There may be some code comments in my native language (German). Since I originally only forked this for myself, I'll replace them with English comments soon.
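The "default trust" / "high trust" distinction and the per-domain CA list discussed in this thread, as an added example (not code from the add-on or from either poster). The policy object, function names and fingerprints are hypothetical; `securityInfo` follows the shape that Firefox's `webRequest.getSecurityInfo()` resolves to, with the root assumed to be the last chain entry.

```javascript
// Added example. The policy shape is hypothetical; fingerprints are constructed.
const VETTED_ROOT = "AA:".repeat(31) + "AA"; // manually vetted root (constructed)
const OTHER_ROOT = "BB:".repeat(31) + "BB";  // browser-trusted, not vetted (constructed)

const policy = {
  vettedRoots: [VETTED_ROOT],
  domains: {
    // Must chain to a vetted root; allowedRoots narrows it to specific CAs.
    "myimportantdomain.tld": { requireHighTrust: true, allowedRoots: [VETTED_ROOT] },
  },
};

// Compare fingerprints regardless of colons or letter case.
const normFp = (fp) => String(fp).replace(/[^0-9a-f]/gi, "").toLowerCase();

// Match the host or any parent domain on a label boundary, so that
// "evilmyimportantdomain.tld" does not inherit the rule.
function findRule(host, pol) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const rule = pol.domains[labels.slice(i).join(".")];
    if (rule) return rule;
  }
  return null;
}

// Returns the trust tier and whether a warning page should be shown.
function evaluateTrust(host, securityInfo, pol) {
  const rule = findRule(host, pol);
  const mustBeHigh = Boolean(rule && rule.requireHighTrust);
  const chain = (securityInfo && securityInfo.certificates) || [];
  if (!securityInfo || securityInfo.state !== "secure" || chain.length === 0) {
    return { tier: "none", block: mustBeHigh };
  }
  const rootFp = normFp(chain[chain.length - 1].fingerprint.sha256);
  const allowed = (rule && rule.allowedRoots) || pol.vettedRoots;
  const tier = allowed.map(normFp).includes(rootFp) ? "high" : "default";
  return { tier, block: mustBeHigh && tier !== "high" };
}

// Constructed chain: leaf first, root last.
const chainVia = (rootFp) => ({
  state: "secure",
  certificates: [{ fingerprint: { sha256: "CC:".repeat(31) + "CC" } },
                 { fingerprint: { sha256: rootFp } }],
});
```

A certificate for a pinned domain that chains to any other browser-trusted root comes back as `default` with `block: true`, which is the rogue-CA case the review describes.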
1 review
