Tuesday, October 18, 2011

Browser Add-ons Part 4: Certificate Patrol

When you bank or shop online it is critical that the connection between your computer and the server providing the service is secure, since you are passing sensitive information over the Internet, where ordinary traffic is open to sniffers, eavesdroppers, and man-in-the-middle attacks. There are a few things you can do to confirm the security of your connection. Certificate Patrol is a great browser add-on that aids in this process. But before I talk about what it does, let me explain a little bit about secure connections and what role certificates play.

A secure site uses what is known as Secure Sockets Layer (SSL). SSL encrypts the data passing between sender and receiver over the Internet. Sites using SSL are recognizable in several ways. Where to look for some of these features may vary slightly by browser and browser version, but the most obvious is HTTPS in the address bar. The padlock in the address bar, or in the status bar at the bottom of the browser window, is another indicator. The most recent visual cue covers more advanced security features and is recognizable by a green address bar, or green text in the address bar. The green bar indicates that the site is using an Extended Validation (EV) SSL certificate. EV certificates are a pretty good defense against phishing scams because the CAs and the web browser vendors have worked together to integrate better security into the browser, making it harder for scammers and hackers to hijack your secure web session.

Businesses legitimize themselves by presenting site certificates issued by a validating source. Site certificates, also known as SSL certificates, are issued by a number of Certificate Authorities (CAs). The role of a CA is similar to that of a Notary Public: instead of vouching for you as a witness to a document signing, the CA validates that a certificate belongs to the entity authorized to hold it. Web browsers, by default, accept these certificates as trustworthy because they come from a valid certificate authority.

To further complicate verification, a single site certificate is rarely all a site relies on. The main, or top-level, certificate issued by a CA is known as the root certificate. But sites also use subordinate certificates, linked to the root in what is known as the "chain of trust". Subordinate certificates further define the security of a site, and since they are linked to the root certificate, our browsers automatically trust them too.

In a perfect world, simply accepting a site certificate would be all anyone needed to ensure a secure connection. But because anyone can create a certificate, and there are legitimate circumstances for doing so, we can't blindly trust that the certificate we are given is the one we should have. A website, the padlock in the browser, and site certificates can all be faked, making the task of verification a bit more complicated. To protect ourselves we have to be vigilant in checking site certificates; with the help of Certificate Patrol, the job of verifying them just got a little easier.

Certificate Patrol is a Firefox add-on (https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/) whose main purpose is to alert you when a certificate changes. The first time you navigate to a secure site, Certificate Patrol alerts you, with a box that appears below the browser's address bar, that a certificate is pending. You will be asked whether you want to accept or reject the certificate, and you can view its details before making your decision.

When viewing a certificate, look for these three main things:

1. Confirm that the website owner matches the entity you expected to hold the certificate.
2. Confirm that the certificate was issued by a valid CA.
3. Look at the expiration date of the certificate. Most certificates are issued for one or two years.

Certificate Patrol also helps you manage subordinate certificates and alerts you to changes in previously accepted certificates. The add-on has several customizable options that let you determine some of its behavior for pop-up windows and notifications. You can also decide whether to store certificates while in private browsing.
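To show what the add-on is doing behind that "certificate pending" box and the three checks above, here is an added example in Go that is not Certificate Patrol's own code: it pins the SHA-256 fingerprint of the certificate a host presents on the first visit, reports whether a later visit presents the same or a changed certificate, and applies the owner, issuer and expiry checks. The names Patrol, Visit and selfSigned are my own, and the certificates are constructed in memory for the demonstration rather than taken from any real site.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// Patrol keeps the fingerprint pinned for each host on its first visit (trust on first use) and the CAs the user accepts as valid issuers.
type Patrol struct {
	Pins      map[string]string // host -> SHA-256 fingerprint of the DER-encoded certificate
	TrustedCA map[string]bool   // issuer common names the user regards as valid CAs
}
// Visit reports "first-seen", "unchanged" or "CHANGED" for a host's certificate, plus findings from the three manual checks.
func (p *Patrol) Visit(host string, cert *x509.Certificate, now time.Time) (string, []string) {
	fp := fmt.Sprintf("%x", sha256.Sum256(cert.Raw))
	status := "first-seen"
	if old, ok := p.Pins[host]; !ok {
		p.Pins[host] = fp // pin on first use; a later change is flagged, never silently re-pinned
	} else if old == fp {
		status = "unchanged"
	} else {
		status = "CHANGED"
	}
	var issues []string
	flag := func(bad bool, msg string) {
		if bad {
			issues = append(issues, msg)
		}
	}
	flag(cert.VerifyHostname(host) != nil, "owner mismatch: certificate is not for "+host)    // 1. owner
	flag(!p.TrustedCA[cert.Issuer.CommonName], "issuer not trusted: "+cert.Issuer.CommonName) // 2. CA
	flag(now.After(cert.NotAfter), "expired on "+cert.NotAfter.Format("2006-01-02"))          // 3. expiry
	return status, issues
}
// selfSigned builds a constructed in-memory test certificate (not any real site's); parent only lends its issuer name.
func selfSigned(host, issuer string, notBefore, notAfter time.Time) *x509.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: notBefore, NotAfter: notAfter}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuer}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key) // errors ignored: test input only
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

Visiting a host twice with the same certificate yields first-seen and then unchanged with no findings; a different certificate for the same host yields CHANGED, and if it also comes from an unknown issuer or is past its expiry date those show up as findings, which is the point at which the add-on asks you to accept or reject.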