pilzadam / certificatewatch Goto Github PK

Hello and great addon,

Issue and reproduction:
I'm having issues when using Certificate Watch in "URL mode", every new tab will have the red badge on the icon. Browser console and JS console don't show the error even when logging is enabled.

Thoughts and solutions:

1. Use different method than checking URL bar for 1st party domain to avoid errors?

Maybe you can isolate the 1st party domain like Gorhill does in uMatrix:
https://github.com/gorhill/uMatrix/blob/master/src/js/matrix.js#L182

2. Please give a different option for storing certs than the existing ones!
   This is not meant to be negative, but URL mode is not great at all. I try to constructively explain why:

It would only store:
www.example.com
but not:
images.example.com
scripts.example.com

And the "all certificates mode" is even worse sadly: It will store certificates of advertisement networks, just literally everything. Overwhelming the user with reviewing hundreds of certificate changes a year.

I suggest 1st party + subdomains, which is basically:
*.example.com

It is always okay to look into how uMatrix or uBlock isolate the 1st party + subdomain from a tab and re-purpose their code, it is free and open source and just asking to be re-used in other addons :)
I think my suggestions will not be extraordinarily hard to implement. I'm no JS coder so bear with me that I cannot provide more help.

However it would already be good to prevent the "internal error" from happening on every new tab. Gladly will I try to log it for you. If I have to enter a specific addon debug mode to do so, i will provide more help. I am using latest Firefox 73 stable, official windows builds as of now.

Anything along the lines of this?
about:debugging#/runtime/this-firefox
tmp.log.DEBUG=true
tmp.log.DEBUG=false

Kind greetings!

⚜️ Want to keep certificate information even when ☑️"Delete ALL cookies and ALL site data when Firefox is ❌ed"?

⚙️ There is an easy way you can do this:

1. Go to your Certificate Watch Storage page by clicking its icon.
2. Copy the URL.
3. Click "Manage Exceptions..." under Privacy and Security
4. Paste the Certificate Watch storage page into Address of Website (moz-extension://25b9c171-c26f-4a6c-8de1-8fd56be0f588/cw_storage.html)
5. Click Allow
6. You should see your Certificate Watch storage exception "moz-extension://25b9c171-c26f-4a6c-8de1-8fd56be0f588" next to "Allow" and it will persist through browser restarts.

This will let you clear other pesky web storage pages, but keep your certificate storage!

Or other factors, like make the icon RED if the certificate is signed by a totally different authority than before and it was prematurely.

I think this is a great monitoring addon you have here!

I shouldn't have to go to the Web Storage option just to remove expired certificates! The system knows they are expired, they could be removed and replaced with a new one when you visit the site.

If there's no replacement, then the site hasn't updated and site is missing a certificate then Firefox will usually warn you that there's no valid certificate for the site and and if you just wanted to you could "Accept the risks"

But I think there are more dangerous scenarios. Like when the 3 or 4 of the fields to check change.

What if the fingerprint was the same but the Issuer and Serial number were different. That's some high level forgery right there and should be marked with a big RED mark.

This is really a HUGE opportunity to discover some of the lesser known flaws in our RSA system. Imagine something like this:

And you would need some way of setting up rules that trigger that kind of warning, for intance:

Issuer changes but fingerprint IS SAME

Or just have some of most probable and dangerous built in.
We MUST notice these "impossible" certificates so we notice the enemy is deploying. And many people hate the CA system, know it's broken and have a will to keep an active watch on it like this!

This could turn the whole CA trust issue thing around! Please add support!