Questions & Answers.
Is there any way to export/import already added certificates between computers?
Whenever you aren't actively surfing (and therefore possibly encountering certificates), you can access and replace the CertPatrol.sqlite file in your Mozilla profile data. You can sync this file across computers and smartphones using a suitable technology. If you use actual SQLite tools you can access the file even while the browser is using it, because they take care of concurrent changes. Also, since version 2.0 you can export certificates from the View Details and View Certificates functions.
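One way to take a consistent copy of the database while the browser still has it open, using SQLite's online backup API instead of a plain file copy. This is an added example, not code from Certificate Patrol; the `seen_certs` table and the function names are hypothetical, and the real layout of CertPatrol.sqlite is not assumed.

```python
import sqlite3
from pathlib import Path

def build_sample_db(path):
    """Constructed stand-in for a profile database that is still in use."""
    conn = sqlite3.connect(path)
    # Hypothetical table; the real CertPatrol.sqlite layout is not assumed.
    conn.execute("CREATE TABLE seen_certs (host TEXT PRIMARY KEY, sha256 TEXT)")
    conn.execute("INSERT INTO seen_certs VALUES ('a.example', 'aa11')")
    conn.commit()
    # Left uncommitted on purpose: the "browser" is in the middle of a write.
    conn.execute("INSERT INTO seen_certs VALUES ('b.example', 'bb22')")
    return conn  # the caller keeps it open, as a running browser would

def snapshot_sqlite(src_path, dest_path):
    """Copy a live SQLite database to dest_path and return its table names."""
    # Open the source read-only so this tool can never modify the profile DB.
    src_uri = Path(src_path).resolve().as_uri() + "?mode=ro"
    src = sqlite3.connect(src_uri, uri=True)
    dest = sqlite3.connect(dest_path)
    try:
        # The backup API takes SQLite's own locks, so the copy reflects only
        # committed data even while another connection is writing.
        src.backup(dest)
        # Verify the copy before syncing it to another machine.
        status = dest.execute("PRAGMA integrity_check").fetchone()[0]
        if status != "ok":
            raise RuntimeError(f"snapshot is corrupt: {status}")
        rows = dest.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
        return [r[0] for r in rows]
    finally:
        src.close()
        dest.close()
```

The returned table names are read from `sqlite_master`, so the same function can be pointed at a real profile database to see what it contains before deciding how to merge it.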
As an addons.mozilla certificate was recently faked, it made me think: does anything prevent a fake update to CertPat from being pushed down during Firefox startup?
Unfortunately nothing prevents that. Firefox has no strategy for decentralized trust and getting addons from where they originally came from, so if the central provider is attacked, all Firefox users are at risk. You can only go back to upgrading manually (why would you expose your computing habits by letting your browser check for add-ons at each start-up, anyway?) and reading the source after download. By the way, it isn't hard to fake an addons certificate: all you need is enough money, and CAs will sell you a completely independent subordinate CA capable of officially signing anything. The X.509 trust model isn't working; it has become trust in whoever has the money.
I am being MITM'd. Can I get a secure connection anyway, since I know the correct certificate?
No, if your HTTPS connections are being intercepted and certificates replaced, you weren't given real Internet. Your Internet is broken. You may be able to circumvent the problem with an SSH tunnel or a proxy, if you know what those are. Or you may be entitled to take legal steps for unencumbered Internet access. One day it will be a human right to have unencumbered Internet access.
Can you intercept forms that post to SSL sites? What about AJAX?
Forms may address any URL, so they could be leading to unknown sites with or without encryption. That is always a risk, so you should only fill out critical forms when you trust the site.
In the case of AJAX you may not know exactly where the things are sent (although browsers seem to limit where an XMLHttpRequest is allowed to go).
In the case of a normal form it will load a result page, and in the process trigger Certificate Patrol if that result page is on an https site we haven't seen yet.
It is generally a bad habit of unencrypted websites to provide login forms that lead to encrypted websites, since the unencrypted pages are trivial to modify in a MITM scenario.
Several add-ons warn you before you submit a password to an unencrypted site; I currently prefer "Safe".
None of these tools, however, warns you if a form leads to an unknown and possibly dangerous https site.
To do so, tools like Safe would have to consult our CertPatrol database.
I'll put it on TODO. Not sure if it is easy to do however.
In the meantime, in case of doubt, submit the form with no data or false data and examine the certificate first, then go back and use it normally.
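The check described above, a form's target looked up against the set of hosts whose certificates have already been seen, could look like the following. This is an added example, not code from Certificate Patrol or Safe; `audit_forms`, the verdict strings and the sample page are hypothetical, and `known_https_hosts` stands in for the hosts recorded in the CertPatrol database.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page, served over plain http in the scenario below.
SAMPLE_HTML = """
<form action="https://secure.shop.example/auth"><input name="pw"></form>
<form action="https://pay.example.net/submit"><input name="card"></form>
<form action="/search"><input name="q"></form>
"""

class _FormActions(HTMLParser):
    """Collects the action attribute of every <form> in document order."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")

def audit_forms(page_url, html, known_https_hosts):
    """Return (target_url, verdict) for every form on the page."""
    parser = _FormActions()
    parser.feed(html)
    page_is_https = urlsplit(page_url).scheme == "https"
    results = []
    for action in parser.actions:
        # A missing or empty action posts back to the page itself.
        target = urljoin(page_url, action)
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            verdict = "unencrypted-target"
        elif host not in known_https_hosts:
            # The case no password-warning tool covers: https, but never seen.
            verdict = "unknown-https-host"
        elif not page_is_https:
            # Known target, but the page carrying the form could be modified.
            verdict = "https-target-from-unencrypted-page"
        else:
            verdict = "ok"
        results.append((target, verdict))
    return results
```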
What if I'm being tricked into using unencrypted websites?
The "Safe" add-on tries to make it more visibly obvious when you are not on SSL, in addition to checking login forms like SSLPasswdWarning. Force-TLS tries to force you to use SSL when you should, but by means of an HTTP extension no one is using, apparently. Also the extension is a bit pointless as the website provider can achieve the same by means of a 301 permanent redirect. SSLGuard does the same as Force-TLS, but you have to maintain the list of sites that are forced to run on https yourself. At least it is useful for some frequently used candidates like Twitter and Facebook. HTTPS Everywhere from the EFF is similar to SSLGuard, but it comes with a large preset list of sites, which is practical.
Be aware however, that encrypted use isn't always better: Site owners can abuse SSL Session IDs to track you, similar to storing a cookie in your browser. But it only works short-term, so it's not that bad. Expect an upcoming paper on this from fippo of symlynX.
Should I disable OCSP checking?
OCSP is a protocol that was meant to allow web browsers to check authorities
in real-time if a certain certificate is still valid.
Under the current circumstances, OCSP isn't very helpful. If an attacker
doesn't want you to check OCSP, it just needs to fake an error.
Several browsers will carry on, presuming the CA is having some problems.
You can fix this behaviour by activating "security.OCSP.require" in
OCSP, however, leaks your privacy, as it tells the CAs each time
you access certain websites (see article above), so you may consider
turning it off altogether.
Again go to about:config and switch
"security.OCSP.enabled" to zero. It is so unlikely that an OCSP warning
would actually help you, it's probably not worth the privacy leakage.
Which other add-ons would you recommend?
It's impractical that it takes so many add-ons in order to have an almost safe web browsing experience.
I could try to come up with a list of ultimate tools for safety, but it's never ultimate.
Sometimes you even have to trade in some privacy for more security.
How could the general situation about web security be improved?
- Abolish expiration dates in certificates. They are a major cause of trouble and have completely failed to deliver security.
- Use the media, paper brochures, yes even the Yellow Pages to publish fingerprints of permanent certificates of sites your users may want to visit.
- Use the same channels to also announce when a private key has been breached and a new certificate needs to be issued. The current certificate revocation schemes are too privacy-unfriendly.
- Have a decentralized web of trust help you with confirmation and revocation of certificates.
- Consider implementing support for multiple redundant certification of the same public key.
How does this affect the certification industry?
It could become a fingerprint publication industry instead.
What can I do to support this?
Would you like us to continue working on this? You can donate or
help us implement "communism."
Communism is our codename for a distributed/social version of
Certificate Patrol that takes into account which certificates other people
have seen, without exposing your browsing habits to any central server.
Also we are working on a version integrated into our operating system so that any SSL/TLS-encrypted connection of any web browser, email or chat software can be patrolled, not just the ones Mozilla makes.
Since we live in capitalism, however, please consider sponsoring our efforts.
Why do you suggest donating $10?
Because when you donate only $1 via Paypal, they keep 34 cents to
themselves. It's a bad deal.