How to verify SSL Certificate in Firefox

Discussion in 'other software & services' started by IronLock, Oct 24, 2011.

Thread Status:
Not open for further replies.
  1. IronLock
    Offline

    IronLock Registered Member

    Hi,

    What's the best way to verify the authenticity of an SSL certificate in Firefox?

    For example, Internet Explorer has the option to view the "Certificate Status", and it says "This certificate is OK." if the certificate is valid.

    Is there something similar in Firefox that I'm missing?

    Thank you!
  2. Cudni
    Offline

    Cudni Global Moderator

  3. Daveski17
    Online

    Daveski17 Registered Member

  4. Baserk
    Offline

    Baserk Registered Member

    Another Firefox extension to monitor SSL certificates is Perspectives.

    'Perspectives is a new approach to helping computers communicate securely on the Internet. With Perspectives, public “network notary” servers regularly monitor the SSL certificates used by 100,000s+ websites to help your browser detect “man-in-the-middle” attacks without relying on certificate authorities.
    Because anyone can run a network notary server, you get to choose who you trust to validate SSL certificates, a powerful concept indeed! You can try it out using our Firefox Extension.'
    ...
    Perspectives takes a different approach to how the web browser determines if an SSL certificate is valid. Instead of requiring browser users to trust an anointed group of certificate authorities, Perspectives gives users the ability to pick a group they trust (e.g., the EFF, Google, their company, their university, their group of friends, etc.) and trust no one else.
    How is this possible? Perspectives has a decentralized model that let’s anyone run one or more “network notary servers”. A network notary server is connected to the Internet and regularly monitors websites to build a history of the SSL certificate used by each site. Notary servers or groups of notary servers may be operated by public organizations, private companies, or even individuals.


    Perspectives home page and extension page
    Mind you though, I sometimes experience that quite some 'notary servers' are periodically down which then negates the extension's usefulness.
    (Also, when I tried to report an issue with Perspectives, to report.networknotary.org, I got a warning that it's cert didn't match it's name, hehe. Minor issue though ;))
    ------------
    Also, make sure to read up on Moxie Marlinspike's Convergence approach;

    'Convergence is a secure replacement for the Certificate Authority System. Rather than employing a traditionally hard-coded list of immutable CAs, Convergence allows you to configure a dynamic set of Notaries which use network perspective to validate your communication.
    ...
    Convergence can be configured to require trust consensus amongst multiple notaries, preventing any single notary from having the ability to compromise security.
    ...
    Convergence is fully backward compatible with the existing deployment of certificates, and doesn't require website operators to change anything. Just install the Firefox add-on, select who you trust, and be done with Certificate Authorities forever. Everything will look exactly the same, and you'll never get a self-signed certificate warning again.
    '

    Convergence home page and extension page
  5. Dermot7
    Offline

    Dermot7 Registered Member

  6. CloneRanger
    Offline

    CloneRanger Registered Member

    @ Dermot7

    Thank you Sir :)

    Good to see Calomel being used, & also recommended :thumb: It's Very useful to have a permanent indication of SSL strength on show ;)
  7. BoerenkoolMetWorst
    Offline

    BoerenkoolMetWorst Registered Member

    OCSP isn't done by default unless Firefox is told to, and if it can't reach the OCSP server it allows it, To change this: Tools -> Options -> Advanced -> Encryption -> Validation -> Specify an OSCP server to verify all certs and check the option to treat cert as invalid when OCSP connection fails.
  8. Daveski17
    Online

    Daveski17 Registered Member

    Calomel looks really good, thanks guys. :thumb:
  9. J_L
    Offline

    J_L Registered Member

    I recommend Perspectives, simple because of slimmer interface and correction of Firefox false positives.
  10. IronLock
    Offline

    IronLock Registered Member

    Thank you everyone for your help! :D
  11. Ocky
    Offline

    Ocky Registered Member

    As Perspectives is totally useless for secure sites in this part of the world due to no notaries being found, I may go for Certificate Patrol which also doesn't reveal communication to an external service.

    Is this a 'good' choice, or are there any similar tools not yet mentioned in this thread ?
  12. Daveski17
    Online

    Daveski17 Registered Member

    I used to use CP on SeaMonkey, it's OK but I found that it became annoying on certain sites like Google, or even Mozilla's extension page where it seemed to be constantly informing me about the site's certificate status. As there was no way (as far as I know) to just whitelist these sites, I decided to uninstall it. I don't bank online so I uninstalled Calomel from Firefox as well. I can get enough certificate information from what's already built-in to the browser for my needs.
  13. Ocky
    Offline

    Ocky Registered Member

    You are right, I just tried it and also couldn't find a way to whitelist. On some sites many pop-ups - rather irritating. Thanks Daveski17.
  14. CloneRanger
    Offline

    CloneRanger Registered Member

    Since introducing Calomel to the forums a while back, i've found it works great for me, & others too :)
  15. Daveski17
    Online

    Daveski17 Registered Member

    You're welcome Ocky. Calomel is probably your best bet, it's a shame it isn't coded for SeaMonkey. If they could address some of the problems that Certificate Patrol has CP might be a good alternative. Like I said, unless you bank online or something I reckon Firefox gives you enough info.
  16. Ocky
    Offline

    Ocky Registered Member

    Calomel it is. Several useful optimisations. Thanks CloneRanger and Daveski17.
Thread Status:
Not open for further replies.