How to verify SSL Certificate in Firefox

Discussion in 'other software & services' started by IronLock, Oct 24, 2011.

Thread Status:
Not open for further replies.
  1. IronLock

    IronLock Registered Member

    Joined:
    Oct 24, 2011
    Posts:
    10
    Hi,

    What's the best way to verify the authenticity of an SSL certificate in Firefox?

    For example, Internet Explorer has the option to view the "Certificate Status", and it says "This certificate is OK." if the certificate is valid.

    Is there something similar in Firefox that I'm missing?

    Thank you!
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
  3. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
  4. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Another Firefox extension to monitor SSL certificates is Perspectives.

    'Perspectives is a new approach to helping computers communicate securely on the Internet. With Perspectives, public “network notary” servers regularly monitor the SSL certificates used by 100,000s+ websites to help your browser detect “man-in-the-middle” attacks without relying on certificate authorities.
    Because anyone can run a network notary server, you get to choose who you trust to validate SSL certificates, a powerful concept indeed! You can try it out using our Firefox Extension.'
    ...
    Perspectives takes a different approach to how the web browser determines if an SSL certificate is valid. Instead of requiring browser users to trust an anointed group of certificate authorities, Perspectives gives users the ability to pick a group they trust (e.g., the EFF, Google, their company, their university, their group of friends, etc.) and trust no one else.
    How is this possible? Perspectives has a decentralized model that lets anyone run one or more “network notary servers”. A network notary server is connected to the Internet and regularly monitors websites to build a history of the SSL certificate used by each site. Notary servers or groups of notary servers may be operated by public organizations, private companies, or even individuals.


    Perspectives home page and extension page
    Mind you though, I sometimes experience that quite some 'notary servers' are periodically down which then negates the extension's usefulness.
    (Also, when I tried to report an issue with Perspectives, to report.networknotary.org, I got a warning that its cert didn't match its name, hehe. Minor issue though ;))
    ------------
    Also, make sure to read up on Moxie Marlinspike's Convergence approach;

    'Convergence is a secure replacement for the Certificate Authority System. Rather than employing a traditionally hard-coded list of immutable CAs, Convergence allows you to configure a dynamic set of Notaries which use network perspective to validate your communication.
    ...
    Convergence can be configured to require trust consensus amongst multiple notaries, preventing any single notary from having the ability to compromise security.
    ...
    Convergence is fully backward compatible with the existing deployment of certificates, and doesn't require website operators to change anything. Just install the Firefox add-on, select who you trust, and be done with Certificate Authorities forever. Everything will look exactly the same, and you'll never get a self-signed certificate warning again.
    '

    Convergence home page and extension page
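
The notary idea quoted in the post above (several independent observers, a required consensus, and notaries that may be down), as an added example that is not part of the original post and is not Perspectives' or Convergence's own code. The reply format, the policy fields, the `.example` notary names and the fingerprints are hypothetical and constructed for illustration.

```javascript
// Added illustration: a simplified notary quorum check. Field names,
// thresholds and sample data are hypothetical, not taken from either add-on.

// Decide whether the certificate fingerprint the browser received matches what
// independent notaries have observed for the same site. Times are day numbers.
function evaluateNotaries(seenFingerprint, replies, { quorum, minDays, maxStaleDays, today }) {
  const reachable = replies.filter((r) => r.reachable);

  // Too few notaries answered: report "unknown" rather than silently passing.
  if (reachable.length < quorum) {
    return { verdict: 'unknown', agree: 0, reachable: reachable.length };
  }

  // A notary agrees when it saw this exact fingerprint recently and
  // continuously for at least minDays.
  const agree = reachable.filter((r) =>
    r.history.some((h) =>
      h.fingerprint === seenFingerprint &&
      today - h.lastSeen <= maxStaleDays &&
      h.lastSeen - h.firstSeen >= minDays)).length;

  const verdict = agree >= quorum ? 'consistent' : 'suspicious';
  return { verdict, agree, reachable: reachable.length };
}

// Constructed sample data: placeholder fingerprints and three notaries,
// one of which is unreachable.
const KNOWN_FP = 'AA:AA:AA:AA';
const OTHER_FP = 'BB:BB:BB:BB';
const SAMPLE_REPLIES = [
  { notary: 'notary-1.example', reachable: true,
    history: [{ fingerprint: KNOWN_FP, firstSeen: 10, lastSeen: 100 }] },
  { notary: 'notary-2.example', reachable: true,
    history: [{ fingerprint: KNOWN_FP, firstSeen: 40, lastSeen: 99 }] },
  { notary: 'notary-3.example', reachable: false, history: [] },
];
const POLICY = { quorum: 2, minDays: 30, maxStaleDays: 2, today: 100 };

// Same certificate that the notaries have seen for weeks.
console.log(evaluateNotaries(KNOWN_FP, SAMPLE_REPLIES, POLICY));
// A certificate no notary has ever seen for this site.
console.log(evaluateNotaries(OTHER_FP, SAMPLE_REPLIES, POLICY));
// Only one notary reachable: no verdict can be given.
console.log(evaluateNotaries(KNOWN_FP, [SAMPLE_REPLIES[0], SAMPLE_REPLIES[2]], POLICY));
```

The "unknown" verdict is kept separate from "suspicious" so that an outage of the notaries is visible to the user instead of being treated as either a pass or an attack.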
     
  5. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ Dermot7

    Thank you Sir :)

    Good to see Calomel being used, & also recommended :thumb: It's Very useful to have a permanent indication of SSL strength on show ;)
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    OCSP isn't done by default unless Firefox is told to, and if it can't reach the OCSP server it allows it. To change this: Tools -> Options -> Advanced -> Encryption -> Validation -> Specify an OCSP server to verify all certs and check the option to treat cert as invalid when OCSP connection fails.
     
  8. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Calomel looks really good, thanks guys. :thumb:
     
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I recommend Perspectives, simply because of slimmer interface and correction of Firefox false positives.
     
  10. IronLock

    IronLock Registered Member

    Joined:
    Oct 24, 2011
    Posts:
    10
    Thank you everyone for your help! :D
     
  11. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    As Perspectives is totally useless for secure sites in this part of the world due to no notaries being found, I may go for Certificate Patrol which also doesn't reveal communication to an external service.

    Is this a 'good' choice, or are there any similar tools not yet mentioned in this thread ?
     
  12. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I used to use CP on SeaMonkey, it's OK but I found that it became annoying on certain sites like Google, or even Mozilla's extension page where it seemed to be constantly informing me about the site's certificate status. As there was no way (as far as I know) to just whitelist these sites, I decided to uninstall it. I don't bank online so I uninstalled Calomel from Firefox as well. I can get enough certificate information from what's already built-in to the browser for my needs.
     
  13. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    You are right, I just tried it and also couldn't find a way to whitelist. On some sites many pop-ups - rather irritating. Thanks Daveski17.
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Since introducing Calomel to the forums a while back, I've found it works great for me, & others too :)
     
  15. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    You're welcome Ocky. Calomel is probably your best bet, it's a shame it isn't coded for SeaMonkey. If they could address some of the problems that Certificate Patrol has CP might be a good alternative. Like I said, unless you bank online or something I reckon Firefox gives you enough info.
     
  16. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    Calomel it is. Several useful optimisations. Thanks CloneRanger and Daveski17.
     