Certificate Patrol

A formerly paranoid add-on: CertPatrol implements "pinning" for Firefox/Mozilla/SeaMonkey roughly as now recommended in the User Interface Guidelines of the World Wide Web Consortium (W3C).

What's New in Version 2.0

Welcome to Certificate Patrol 2.0. We introduced some improvements that we should first explain to you.

Before we even list the details of a certificate, we first show you the certification hierarchy. That is the most important clue for you to find out if you're being tricked. An intermediate authority can put any text in the certificate that you would like to see, but it cannot falsify the certificate checksums and its position in the hierarchy. Dangerous certificates are likely to be generated by a long list of authorities belonging to different companies or governments. Genuine ones are likely to be signed directly by a root certificate in your browser, or by an intermediate created by the same company. All the in-between cases are likely to be legitimate, but you can't be sure. We are still taking guesses here, because we still don't know which root certificates in our browsers are worthy of trust. By keeping your eyes open and observing the patterns, you are a lot more likely to notice when you are being attacked. In case of doubt, compare the checksums (by telephone) with somebody who could not possibly be affected.

Another important change is that we now inspect certificates for all parts of a webpage, so you may see server names and domains coming up that you never thought you were visiting, just because they host some JavaScript or media files.

It's also new that you can reject all new certificates when you see them. That doesn't mean that you will be protected from using them, because we don't have that much control over your browser. If you don't trust a site you still have to close the window yourself. But it means that if you bump into the same certificate again, you will be asked again. You could use this to see if a certain website always has the same certificate when you change your Internet connection (for example, open it from work, then from home). Then again, if you store the certificate and Patrol doesn't complain next time you go to the site, you can be even more confident that the certificate is the same.

Several websites have the bad habit of using multiple certificates for the same hostname. We consider it a configuration error on their side, but since they insist, you now have a small option in the certificate change pop-up to accept any certificate for that host as long as the issuer, that is the next higher level authority, stays the same. This should help in most cases, although I bet there are some which are even more misconfigured than that.
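The accept, reject and same-issuer decisions described in the last two paragraphs can be modelled as a small trust-on-first-use pin store. This is an added example, not Certificate Patrol's own code: the class, the field names and the sample records are hypothetical, and it assumes the issuer is compared by the checksum of its certificate rather than by its name.

```javascript
// Added illustration of trust-on-first-use pinning; not Certificate Patrol's code.
// Certificates are constructed records: fingerprint = checksum of the certificate,
// issuerFingerprint = checksum of the next higher authority's certificate
// (assumption: issuers are compared by checksum, since names are free text).
class PinStore {
  constructor() {
    this.pins = new Map(); // host -> { fingerprint, issuerFingerprint, issuerOnly }
  }

  // Classify a certificate seen for a host without changing the store.
  check(host, cert) {
    const pin = this.pins.get(host);
    if (!pin) return "new";
    if (pin.fingerprint === cert.fingerprint) return "unchanged";
    if (pin.issuerOnly && pin.issuerFingerprint === cert.issuerFingerprint) {
      return "same-issuer";
    }
    return "changed";
  }

  // The user accepts: remember this certificate, optionally relaxing to issuer-only.
  accept(host, cert, issuerOnly = false) {
    this.pins.set(host, { ...cert, issuerOnly });
  }
  // Rejecting stores nothing, so the same certificate is reported again next time.
}

// Constructed sample data (not real checksums or hosts).
const certA = { fingerprint: "AA:01", issuerFingerprint: "CA:01" };
const certB = { fingerprint: "BB:02", issuerFingerprint: "CA:01" }; // same issuer
const certC = { fingerprint: "CC:03", issuerFingerprint: "CA:99" }; // other issuer

function demo() {
  const store = new PinStore();
  const seen = [];
  seen.push(store.check("shop.example", certA)); // first visit
  // the user rejects certA here: nothing is stored
  seen.push(store.check("shop.example", certA)); // so the user is asked again
  store.accept("shop.example", certA);
  seen.push(store.check("shop.example", certA)); // stored: no complaint
  seen.push(store.check("shop.example", certB)); // strict pin: reported
  store.accept("shop.example", certA, true);     // user ticks the issuer option
  seen.push(store.check("shop.example", certB)); // tolerated, issuer is the same
  seen.push(store.check("shop.example", certC)); // issuer differs: reported
  return seen;
}

console.log(demo());
```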

We have improved several other details:

  1. The certificate dialogs have been reorganized. The change dialog has a diff-like layout so you don't have to compare the certificates yourself. Patrol highlights what has changed.
  2. By adopting the standard certificate view details wizards, you can look at certificates in every little detail and also export certificates into a file on your desktop.
  3. Added CertPatrol to the 'Clear Recent History' dialog which deletes recently inserted/updated or all certs from the database.
  4. Added CertPatrol to the 'View Certificates' dialog in Preferences/Advanced/Encryption where you can view and delete the certificates stored by CertPatrol.
  5. Added a checkbox to its own preferences dialog for allowing CertPatrol to save certificates even when in Private Browsing Mode.
  6. We added green/yellow/red threat level indicators.

Credits.

Prototyped by 20after4 (Mukunda Modell), first reengineered by Aiko Barz, again (since 2.0) by Gabor Adam Toth. Originally conceived, planned and continuously refined by the lynX (Carlo v. Loesch).

About us.

We're developers of an open-source decentralized messaging, chat and social networking technology called PSYC. We were working on improving privacy and encryption in our own technology, noticed this little quirk in the security model of popular web browsers and decided to write up a few lines of JavaScript to improve on that. So this started as a side project for people who enjoy a delicate taste of paranoia.

Contact us.

Feel free to enter our webchat should you have any question or suggestion.
