Certificate Patrol

CertPatrol implements ''pinning'' for Firefox/Mozilla/SeaMonkey roughly as now recommended in the User Interface Guidelines of the World Wide Web Consortium (W3C).

Certificate pinning may be considered annoying, but actually it is frequently reminding you that you should be more careful and paranoid.

[Flattr this]

What's New in Version 2.0

Welcome to Certificate Patrol 2.0. We introduced some improvements that we should first explain to you.

Before we even list the details of a certificate, we first show you the certification hierarchy. That is the most important clue for you to find out if you're being tricked. An intermediate authority can put any text in the certificate that you would like to see, but it cannot falsify the certificate checksums and its position in the hierarchy. Dangerous certificates are likely to be generated by a long list of authorities belonging to different companies or governments. Genuine ones are likely to be signed directly by a root certificate in your browser, or by an intermediate created by the same company. All the inbetween cases are likely to be legitimate, but you can't be sure. We are still taking guesses here, because we still don't know which root certificates in our browsers are worthy of trust. By keeping your eyes open and observing the patterns, you are a lot likelier to notice when you are being attacked. In case of doubt, compare (by telephone) the checksums with somebody that could not possibly be affected.

Another important change is that we now inspect certificates for all parts of a webpage, so you may see server names and domains coming up that you never thought you were visiting, just because they host some Javascript or media files.

It's also new that you can reject all new certificates when you see them. That doesn't mean that you will be protected from using them, because we don't have that much control over your browser. If you don't trust a site you still have to close the window yourself. But it means that if you bump into the same certificate again, you will be asked again. You could use this to see if a certain website always has the same certificate when you change Internet connection (like open it from work, then from home). Then again, if you store the certificate and Patrol doesn't complain next time you go to it, you're even safer that the certificate is the same.

Several websites have the bad habit of using multiple certificates for the same hostname. We consider it a configuration error on their side, but since they insist, you now have a little option of the certificate change pop-up to accept any certificate for that host as long as the issuer, that is the next higher level authority, stays the same. This should help in most cases, although I bet there are some which are even more misconfigured than that.

We have improved several other details:

  1. The certificate dialogs have been reorganized. The change dialog has a diff-like layout so you don't have to compare the certificates yourself. Patrol highlights what has changed.
  2. By adopting the standard certificate view details wizards, you can look at certificates in every little detail and also export certificates into a file on your desktop.
  3. Added CertPatrol to the 'Clear Recent History' dialog which deletes recently inserted/updated or all certs from the database..
  4. Added CertPatrol to the 'View Certificates' dialog in Preferences/Advanced/Encryption where you can view and delete the certificates stored by CertPatrol.
  5. Added a checkbox to its own preferences dialog for allowing CertPatrol to save certificates even when in Private Browsing Mode.
  6. We added green/yellow/red threat level indicators.

Newer version available here

Why So Paranoid?

Your web browser trusts a lot of certification authorities and chained sub-authorities, and it does so blindly. "Subordinate or intermediate certification authorities" are a little known device: The root CAs in your browser can delegate permission to issue certificates to an unlimited amount of subordinate CAs (SCA) just by signing their certificate, not by borrowing their precious private key to them. You can even buy yourself such a CA from GeoTrust or elsewhere.

Here's a friendly example of a certificate issued by an ICA. You never knew your browser trusts the Bavarian National Library, right? It is unclear how many intermediate certification authorities really exist, and yet each of them has god-like power to impersonate any https web site using a Man in the Middle (MITM) attack scenario. Researchers at Princeton are acknowledging this problem and recommending Certificate Patrol. Revealing the inner workings of X.509 to end users is still considered too hard, but only getting familiar with this will really help you get in control. That's why Certificate Patrol gives you insight of what is happening.

If you still think a MITM attack is unlikely to happen to you, read this user report. News: Mozilla is doing something about sub-CAs abused for man-in-the-middle surveillance of encrypted communications. Let's see if this approach at least reduces the amount of sub-CAs in the wild. It will certainly not stop governmental use of such tools.

Talking about government use, more News: Somebody noticed a company called MarkMonitor has taken control over the Internet's most essential services and brands. Here's a copy of the story for your convenience. Again, CertPatrol seems to be your best bet in defense of your civil liberties.

Certificate Patrol doesn't actually work in Thunderbird. Here's an interesting workaround if you want to pin down the certificate of your mail server.

What Does CertPatrol Do?

You'll see certificate information pop up whenever you visit a new https: website, including https://addons.mozilla.org for example. "New" is anything Patrol hasn't seen and stored yet. Click the screenshot for more details.

screenshot of a certificate patrol report

You are also prompted whenever a web site updates its certificate. Then you will be shown the differences between the two certificates - old content shown in red, new content in green. Click the screenshot for an example:

screenshot of a certificate patrol modification report

Even if you do not fully understand what is shown to you, you get a chance of distinguishing legitimate from suspicious changes. Here's a little list of things to look out for:
  1. If the old certificate is about to expire (Validity / Expires On), it was necessary to replace it with a new one. CertPatrol will check this for you.
  2. In most cases web sites keep using the same certification authority (Issued By) over time. Should the web site have changed its certification authority, make sure the old certificate was about to expire. CertPatrol will assist you with this.
  3. You may want to consider the most popular CAs (like maybe CAcert, DigiCert, Entrust, Equifax, NetworkSolutions, Thawte and VeriSign.. to mention some) to be less likely to help in MITM attacks, but that is only a guess. Especially since in each country local CAs may be legitimately well established.
  4. Comodo, GeoTrust, GlobalSign, QuoVadis, RSA WebTrust and StartCom are known to offer intermediate CA for money. Still StartCom is extremely popular with small and private web sites for its free services. One Comodo reseller was hacked into, resulting into a plethora of counterfeited certificates for Gmail, Skype, Hotmail, Yahoo and Mozilla. GoDaddy has been notoriously lax in checking the validity of signing requests. DigiNotar is entirely unknown except for the MITM attack on Gmail run within Iran.
  5. .
  6. If all certificates you see are always issued by the same certification authority, you should be very suspicious. Try searching for random https: sites and see if they still all seem signed by the same CA.
  7. In case of doubt install the Perspectives or Convergence add-ons to make further checks on the credibility of a certificate. The downside of these add-ons is, you reveal who you communicate with to an external service — so better only use it when necessary. In theory you could have some tech savvy friends run notaries for you, the more the better, but would you want to expose your surfing habits to them?
  8. If the web site is important to you, make a research on the name of the new CA. Make a phone call to the owner of the web site and ask them to confirm the SHA1 fingerprint shown on your screen. The fingerprint is currently close to impossible to falsify. Ask them to send you future certificate fingerprints by snail mail before they install it.
  9. Some clustered sites such as bookryanair.com make things more complicated by using several inconsistent certificates for the same domain name. That will look unnecessarily suspicious. Usually such certificates will look very similar to each other and appear to be changing frequently. We can only hope for these companies to fix their set-ups.
It is very important to understand that certificates do not make a statement about the trustworthiness of a web site, but whether that web site is indeed what you think it is. In practice you should always be very suspicious if there are problems with your electronic banking or other sites you trust for very important operations, whereas you can probably relax if a certification problem arises for a web site that you are merely intending to have a quick look at. The more a web site is important to YOU, the more you should be cautious! That is the most essential rule of thumb in dealing with the wild west of Internet certification today.

With version 2.0 you are given some nice extras. Here's the 'Preferences' box with the 'Clear Recent History' dialog open, which lets you clean out recently acquired certificates from the CP data base.

screenshot of certificate patrol preferences and clear recent history dialogs

The 'Certificate Manager' lets you review your entire Patrol data base. Click on 'View Certificates' in the 'Preferences' dialog to get there. This also lets you unselect 'CA-only checking' if you activated it by mistake.

screenshot of certificate patrol's certificate manager

Install.

CertPatrol is designed to work with Firefox and SeaMonkey (click to go to the appropriate installation page). We have configured it to also install into Thunderbird, Sunbird and Fennec, but we haven't explicitely tailored it for use with these applications (yet).

Installiere die deutsche Version. Installa la versione italiana.

Source code.

git clone git://git.psyced.org/git/certpatrol (Code repository).

You can also look at these files after installation, they are in the extensions/CertPatrol@PSYC.EU folder in your Firefox/Mozilla configuration.

Credits.

Prototyped by 20after4 (Mukunda Modell), first reengineered by Aiko Barz, again (since 2.0) by tg (Gabor Toth). Originally conceived, planned and continously refined by the lynX (Carlo v. Loesch).

About us.

We're developers of an open-source decentralized messaging, chat and social networking technology called PSYC. We were working on improving privacy and encryption in our own technology, noticed this little quirk in the security model of popular web browsers and decided to write up a few lines of Javascript to improve on that. So this started as a side project for people who enjoy a delicate taste of paranoia.

Contact us.

Feel free to enter our webchat should you have any question or suggestion.

Support.

Would you like to support our work? We have great future plans! Scroll down to the end of this page for details.

Testimonials.

Chris Palmer, Technology Director at the Electronic Frontier Foundation, recommends Cert Patrol. Others do it, too.

Reviews.

Je suis content d'utiliser CertPatrol

Certificate Patrol can really save your pocket says Paolo Campegiani.

al_9x suggests we should combine CertPatrol with Perspectives in a single add-on, but they already do great team work side by side, no?

factorbee provides the advice to install CertPatrol when going on a tour using the Tor, because some Tor exit nodes will try MITM attacks against you.

Phocean was unhappy about the number of "false positives" with CertPatrol. So was tanstaafl. In our idea of safety, paranoia comes first, but if we can safely reduce the number of messages, we will. In fact we did recently with 1.2.3 and will with the upcoming versions and betas. Do try out the beta versions if you need more intelligent Patrol immediately.

It's all about trust! says d0mber.

Schneelocke has "no idea why these things aren't done by the browser by default, anyway."

Related Articles.

How is SSL hopelessly broken? Let us count the ways.

Goverments using internet to spy on their civilians is not a myth. Patrol pop-ups can be annoying, but if you depend on it, please stay alert and be patient with it while we keep improving it.

Syrian Man-In-The-Middle Attack against Facebook.

Very technical story on Detecting Certificate Authority compromises and web browser collusion since CRLs do not work and OCSP exposes your surfing habits while also not being secure: If an attacker can man in the middle your SSL connections, she can certainly intercept OCSP and other certificate revocation strategies like CRLs, too. See below on how to disable OCSP in your browser.

It's easy to obtain a *.apple.com certificate and using the right strategy you can even fake any "extended validation" certified website, says Peter Gutmann.

Yet another reason to install Cert Patrol: Mozilla developers do not remember why the "RSA Security 1024 V3" root certificate was added. Orphaned root authorities! Can you imagine? It's "sleeper cells" for your web browser. (via Jan/fefe)

Law Enforcement Appliance Subverts SSL.

phobos on Life without a CA.

Some articles in German:

Flash-Player als Spionagesystem (Heise, 2010-09-06): Your flash plug-in might activate camera and microphone for a man in the middle attacker if you accept a suitably false certificate for Adobe's web-based settings manager.

fefe, Ich möchte gerne, dass Firefox mir mitteilt, wenn ich zu einer SSL-Site gehe, bei der ich schon früher mal war, und sich der Schlüssel geändert hat. Und fefe will, dass das Firefox auch ohne add-ons kann. Ich denke wir können Firefox forken, das geht schneller und ist zuverlässiger.

Isotopp, Ein paar Worte zu SSL.

ManIP hat es bereits selbst erlebt: Firmen fangen systematisch alle SSL-Verbindungen ab.

putzo schreibt über PKI, CNNIC und RSA Security 1024.

Kai Ravens Empfehlungen zum "Tuning" von Firefox.

Christian Gresser probiert's einfach mal aus.

Financial Cryptography, 2004-09-01: "VeriSign is offering protection from snooping, and on the other hand, is offering to facilitate the process of snooping."

Since 2000: Public Key Infrastructure considered harmful

Related Work.

The heise SSL Guardian does a related job. It makes sure the sites aren't using an insecure debian #define PURIFY certificate. SSL Blacklist is similar, checking for insecure MD5 algorithm being used in the certificate chain. Not sure if it is helpful to block such a certificate however.

This is a good tool to consult when a Certificate Patrol warning looks suspicious: Perspectives for Firefox asks external notaries to ensure an address comes with the same certificate from several parts of the Internet. Makes self-signed certificates a legitimate tool again. This even detects MITM attacks using officially signed certificates. Now you only need to make sure the notaries are not in a conspiracy against you. ;)

And then there was Certlock with its interesting idea that certain governments may be more trustworthy than others, therefore we should only be patrolling Chinese and Persian certificates while trusting the American CAs fully. An implementation never actually showed up.

Questions & Answers.

Is there any way to export/import already added certificates between computers?

Whenever you aren't actively surfing and therefore possibly be encountering certificates, you can access and replace the CertPatrol.sqlite file in your Mozilla profile data. You can sync this file across computers and smartphones using a suitable technology. By using actual Sqlite tools you can access the file even while the browser is using it, because they take care of concurrent changes. Also since version 2.0 you can export certificates from the View Details and View Certificates functions.

As an addons.mozilla certificate was recently faked, it made me think: does anything prevent a fake update to CertPat from being pushed down during Firefox startup?

Unfortunately nothing prevents that. Firefox has no strategy for decentralized trust and getting addons from where they originally came from, so if the central provider is attacked, all Firefox users are at risk. You can only go back to upgrading manually (why would you expose your computing habits by letting your browser check for add-ons at each start-up, anyway?) and reading the source after download. By the way, it isn't hard to fake an addons certificate.. all you need is enough money and CAs will sell you a completely independent subordinate CA capable of officially signing anything. The X.509 trust model isn't working, it has become the trust in who has the money.

I am being MITM'd. Can I get a secure connection anyway, since I know the correct certificate?

No, if your HTTPS connections are being intercepted and certificates replaced, you weren't given real Internet. Your Internet is broken. You may be able to circumvent the problem with an SSH tunnel or a proxy, if you know what those are. Or you may be entitled to take legal steps for an unencumbered Internet access. One day it will be a human right to have unencumbered Internet access.

Can you intercept forms that post to SSL sites? What about AJAX?

Forms may address any URL, so they could be leading to unknown sites with or without encryption. That is always a risk so you should only fill out critical forms when you trust the site. In the case of AJAX you may not know exactly where the things are sent (although browsers seem to limit where an XMLHttpRequest is allowed to go). In the case of a normal form it will load a result page, and in the process trigger Certificate Patrol if that result page is on an https site we haven't seen yet. It is generally a bad habit of unencrypted websites to provide login forms that lead to encrypted websites, since the unencrypted pages are trivial to modify in a MITM scenario. Several addons warn you before you submit a password to an unencrypted site, I currently prefer "Safe" over SSLPasswdWarning. None of these tools however warn you, if a form leads to an unknown and possibly dangerous https site. To do so, tools like Safe would have to consult our CertPatrol database. I'll put it on TODO. Not sure if it is easy to do however. In the meantime, in case of doubt, submit the form with no data or false data and examine the certificate first, then go back and use it normally.

What if I'm being tricked into using unencrypted websites?

The "Safe" add-on tries to make it more visibly obvious when you are not on SSL, additionally to checking login forms like SSLPasswdWarning. Force-TLS tries to force you to use SSL when you should, but by means of an HTTP extension noone is using, apparently. Also the extension is a bit pointless as the website provider can achieve the same by means of a 301 permanent redirect. SSLGuard does the same as Force-TLS, but you have to maintain the list of sites that are forced to run on https yourself. At least it is useful for some frequently used candidates like Twitter and Facebook. HTTPS Everywhere from the EFF is similar to SSLGuard, but it comes with a large preset list of sites, which is practical.

Be aware however, that encrypted use isn't always better: Site owners can abuse SSL Session IDs to track you, similar to storing a cookie in your browser. But it only works short-term, so it's not that bad. Expect an upcoming paper on this from fippo of symlynX.

Should I disable OCSP checking?

OCSP is a protocol that was meant to allow web browsers to check authorities in real-time if a certain certificate is still valid. Under the current circumstances, OCSP isn't very helpful. If an attacker doesn't want you to check OCSP it just needs to fake an error. Several browsers will go on presuming the CA is having some problems. You can fix this behaviour by activating "security.OCSP.require" in Firefox's about:config.

OCSP however is leaking your privacy as it is telling the CAs each time you access certain websites (see article above), so you may consider turning it off altogether. Again go to about:config and switch "security.OCSP.enabled" to zero. It is so unlikely that an OCSP warning would actually help you, it's probably not worth the privacy leakage.

Which other add-ons would you recommend?

It's impractical that it takes so many add-ons in order to have an almost safe web browsing experience. I could try to come up with a list of ultimate tools for safety, but it's never ultimate. Sometimes you even have to trade in some privacy for more security.

How could the general situation about web security be improved?

  1. Abolish expiration dates in certificates. They are a major cause of trouble and have completely failed to deliver security.
  2. Use the media, paper brochures, yes even the Yellow Pages to publish fingerprints of permanent certificates of sites your users may want to visit.
  3. Use the same channels to also announce when a private key has been breached and a new certificate needs to be issued. The current certificate revocation schemes are too privacy-unfriendly.
  4. Have a decentralized web of trust help you with confirmation and revocation of certificates.
  5. Consider implementing support for multiple redundant certification of the same public key.

How does this affect the certification industry?

It could become a fingerprint publication industry instead.

What can I do to support this?

Would you like us to continue working on this? You can donate or help us implement "communism." Communism is our codename for a distributed/social version of Certificate Patrol that takes into account which certificates other people have seen, without exposing your browsing habits to any central server. Also we are working on a version integrated into our operating system so that any SSL/TLS-encrypted connection of any web browser, email or chat software can be patrolled, not just the ones Mozilla makes. Since we live in capitalism however, please consider sponsoring our efforts financially. Use the donation button on the addon page or follow this button for contributing via Flattr:

[Flattr this]

Why do you suggest donating $10?

Because when you donate only $1 via Paypal, they keep 34 cents to themselves. It's a bad deal. Via Flattr you are welcome to contribute whatever you like.