pilzadam / certificatewatch Goto Github PK
View Code? Open in Web Editor NEWA Firefox add-on that warns about changing certificates
License: Apache License 2.0
A Firefox add-on that warns about changing certificates
License: Apache License 2.0
Hello and great addon,
Issue and reproduction:
I'm having issues when using Certificate Watch in "URL mode", every new tab will have the red badge on the icon. Browser console and JS console don't show the error even when logging is enabled.
Thoughts and solutions:
Maybe you can isolate the 1st party domain like Gorhill does in uMatrix:
https://github.com/gorhill/uMatrix/blob/master/src/js/matrix.js#L182
It would only store:
www.example.com
but not:
images.example.com
scripts.example.com
And the "all certificates mode" is even worse sadly: It will store certificates of advertisement networks, just literally everything. Overwhelming the user with reviewing hundreds of certificate changes a year.
I suggest 1st party + subdomains, which is basically:
*.example.com
It is always okay to look into how uMatrix or uBlock isolate the 1st party + subdomain from a tab and re-purpose their code, it is free and open source and just asking to be re-used in other addons :)
I think my suggestions will not be extraordinarily hard to implement. I'm no JS coder so bear with me that I cannot provide more help.
However it would already be good to prevent the "internal error" from happening on every new tab. Gladly will I try to log it for you. If I have to enter a specific addon debug mode to do so, i will provide more help. I am using latest Firefox 73 stable, official windows builds as of now.
Anything along the lines of this?
about:debugging#/runtime/this-firefox
tmp.log.DEBUG=true
tmp.log.DEBUG=false
Kind greetings!
This will let you clear other pesky web storage pages, but keep your certificate storage!
Or other factors, like make the icon RED if the certificate is signed by a totally different authority than before and it was prematurely.
I think this is a great monitoring addon you have here!
I shouldn't have to go to the Web Storage option just to remove expired certificates! The system knows they are expired, they could be removed and replaced with a new one when you visit the site.
If there's no replacement, then the site hasn't updated and site is missing a certificate then Firefox will usually warn you that there's no valid certificate for the site and and if you just wanted to you could "Accept the risks"
But I think there are more dangerous scenarios. Like when the 3 or 4 of the fields to check change.
What if the fingerprint was the same but the Issuer and Serial number were different. That's some high level forgery right there and should be marked with a big RED mark.
This is really a HUGE opportunity to discover some of the lesser known flaws in our RSA system. Imagine something like this:
And you would need some way of setting up rules that trigger that kind of warning, for intance:
Or just have some of most probable and dangerous built in.
We MUST notice these "impossible" certificates so we notice the enemy is deploying. And many people hate the CA system, know it's broken and have a will to keep an active watch on it like this!
This could turn the whole CA trust issue thing around! Please add support!
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.