Have Browser Notify You When a Site's SSL Certificate Changes - firefox

I am having to set up a site with an additional need for security over what I would normally have for an SSL site. To handle this, I am establishing a private CA for the client. Once the import the CA I create as trusted, it will allow them to use the site without SSL errors popping up all the time.
The problem that I have, is that I need to setup the client's browser so that it will notify them if the server certificate changes (browsers won't do this, as long as the new certificate is from a trusted source.)
So, what I am wondering is if there is a browser out there, or a plugin for an existing browser that will allow this functionality.

The Certificate Patrol plugin for Firefox does this (it is active for all sites, not a specific one, but you could easily modify it to suit).

Related

Does updating SNI config affect SSL Certificates and Validation

I'm developing an app for a non-tech client that has outsourced the backend to another developer. We'll be launching the app under 7 different branded app, over a series of weeks. Each app is exactly the same, sans for the domain the API end points are on (IIS hosted).
As part of our security, we validate the SSL certificate when we connect to the API, and ensure the key returned by the API server matches our hardcoded version of it, as to prevent man-in-the-middle attacks to sniff our REST calls. We have this functioning now for the current server (1 of 7 to be rolled out).
We've asked the backend guys to provide the certificates for the remaining 6 sites, so we can deploy the apps with the expected keys. However, they claim that as they will be rolling out the sites individually over the coming weeks, each time they bring a new a new site online, they said they are "updating the SSL certificate" which is required as they are "using SNI on the server, so each time a new site is added, the certificate will change, and the hardcoded validation for the existing sites will break".
Now whilst I'm no dummy, I'm also not a server admin, and only 99.9% sure that the SNI configuration to support another cert on the server, will not have any affect on the current certs already hosted for the existing domains. As a result, I wanted to explicitly confirm that the cert key we're validating as part of the SSL auth, is not going to change with each revision of the SNI config. The backend devs have essentially shut us down claiming we're paranoid, and going "beyond what is required" and to not expect "the same security a the major players offer" (as I mentioned that any decent commercial app validates its connection).
Is anyone able to confirm (or correct) my understanding of SNI as it relates to the certs, primarily that as they bring new sites online, that changes to the SNI have 0 impact on the existing certs for the current sites?
Edit: Whilst the use of multi-domain certs would regenerate the key, we can assume that they could generate/re-issue a multi-domain cert now in advance of the domains coming online. The question of if it's affected by the SNI config remains.
"updating the SSL certificate" which is required as they are "using SNI on the server, so each time a new site is added, the certificate will change, and the hardcoded validation for the existing sites will break".
This is a weird argument. The point of SNI is that they can have multiple sites (domains) on the same IP address where each has its own certificate. If they add a new site only a new certificate for the new domain need to be created and all the other certificates will continue to work: a client using SNI will tell which site it wants to visit and the server then can pick the appropriate certificate. If they instead could not rely on SNI then they would have to use certificates which cover all sites on the same IP address.
So while it can be that they have some process which requires this kind of reissuing certificates it is not a requirement because of use of SNI, but only because they designed their process this way.

Blocked requests by default to https self signed backend

On my staging server I am connecting to self-signed https api backend. And by default requests can't be made, because browser treat backend as danger.
I have to open backend url in browser
https://my-api-backend.elasticbeanstalk.com
my-api-backend.elasticbeanstalk.com:8443 uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is not valid for the name my-api-backend.elasticbeanstalk.com. Error code: SEC_ERROR_UNKNOWN_ISSUER
After manually confirm that is secure it works. It is fine for me to do this, but not for managers etc. Another thing I was thinking about blocking backend access from outside and allow access only from frontend.
Is there any solution to this problem other than buying domain a sign it properly?
If it is a staging environment it should reflect a production environment so you should use a real domain signed correctly.
Certificates are free through AWS ACM or LetsEncrypt.
Why not use a sub domain like staging.domain.com, it would be free as well. Otherwise domains are cheap and it shouldn't be worth the hassle.

Firefox automatically choose certificate, without ui dialog

Is there a way to choose the specific default client certificate for authentication on web-resources? In the prefs.js in firefox app data folder, there is a line:
security.default_personal_cert
I changed its value to:
Select Automatically
And now it is selecting the first certificate for site avaliable. I want basically to automatate this process (with imacros and few other tools). Is there a way i can set a SPECIFIC certificate as default client certificate? Maybe i have missed somethign else?
It is possible to implement this, but probably not very useful, and I do not believe it is implemented in Firefox.
Servers are usually configured with a specific CA certificate (or set thereof) to use for validating client certificates. The TLS Certificate Request message will usually advertise the Issuer Distinguished Names of these CA certificates in the certificate_authorities field, which the client will then use to select an appropriate certificate to supply in the Client Certificate message. In particular:
If the certificate_authorities list in the certificate request
message was non-empty, one of the certificates in the certificate
chain SHOULD be issued by one of the listed CAs.
An "always use this certificate" option would be useful only in the case where the server does not advertise which CA(s) it intends to use to validate client certificates (I have never seen this situation before). Normally, the Select Automatically heuristic will Do The Right Thing.
If you need an automated way to choose a particular certificate where you have multiple certificates for the same site, Firefox provides the option of multiple profiles. You can have a single certificate in each profile, which will be automatically chosen. It is inconvenient but I do not know of another way.

Why is Firefox saying that my website is using an "invalid security certificate"?

I have been using a wildcard SSL certificate for several of my company's B2B websites for some time. Recently, we noticed that Google Chrome started displaying a red unlocked lock with HTTPS crossed out for all of these websites. The solution I found was to reissue the certificate from the provider (Network Solutions). So, I did this, and updated the certificate for each of the websites, and the Google Chrome issue went away (HOORAY!). However, when visiting any of these websites in Firefox, it displays a security message stating the website is using an invalid security certificate:
How can I resolve this so that our users are not confused when visiting these websites?
P.S. These websites are running on IIS6.
It looks as if the certificate chain is incomplete and, thus, Firefox (and likely other browsers) cannot verify the site certificate. Normally browsers store intermediate certificates they have seen in the past - that might be a reason why it works in Chrome.
You can test using https://www.ssllabs.com/ssltest/analyze.html.
Depending on the server software (here, for Apache httpd and other servers which read the certificate in PEM/DER format), you can just paste the intermediate certificates together with the certificate in one .pem file (which is used as Certificate file).
The chain (intermediate certificates) is/are normally provided by your CA. In your case you could also use Chrome the review the certificate and then store/extract all intermediate certificates from the certificate view.
You can get this certificate is not trusted error if server doesn't send a required intermediate certificate.
Firefox automatically stores intermediate certificates that servers send in the Certificate Manager for future usage.
If a server doesn't send a full certificate chain then you won't get an untrusted error when Firefox has stored missing intermediate certificates from visiting a server in the past that has send it, but you do get an untrusted error if this intermediate certificate isn't stored yet.
You can inspect the certificate chain via a site like this:
http://www.networking4all.com/en/support/tools/site+check/
I followed the instructions at enter link description here, to import the intermediate certificates.
In IIS, there is an option under Directory Security to "Enable certificate trust list". I enabled it and added the "AddTrust External CA Root" to the CTL certificates list and this appears to have fixed the issue.

Accessing HTTPS content from out-of browser Silverlight 4 applications

I am using some of the local machine's resources using COM interop functionality provided in Silverlight 4.0. Hence, naturally I need OOB with elevated permissions. However, in my case I am consuming the WCF services hosted on HTTPS channel. Here is where I am facing the problem. The OOB with elevated permissions applied, doesn't allow me consuming the HTTPS service hosted on either different or the same domain, giving me a NotFound exception. Please note that I have used the self-signed certificate for the development environment. The same is also installed in the Trusted Root folder of the client machine on which I am testing.
Interestingly, when I set the Fiddler options (in Fiddler session, Toos -> Fiddler Options -> HTTPS tab) to intercept the HTTPS traffic, with Decrypt HTTPS traffic checkbox set, I am able to use the same HTTPS service without any exception. But for that, I was told by Fiddler to store a temporary certificate inside my user profile's Fiddler directory, and I must have at least one Fiddler session at that time. Hence, it seems to be a certification issue. But does it relate in anyway to signing of the XAP file with the required certificate ? I am not sure. I tried with a self-signed certificate and bind my layer service URL to use that certificate. Then I install the same certificate to Trusted root folder of the client. But i was not successful in signing the XAP with that certificate.
Please let me know if you have any work-around.
If the code is running in a different user's context, you need to put your "Self-signed" certificate into the Machine Trusted Root store. Start mmc.exe. On the File menu, choose to Add a Snap-in. Add the Certificates snap-in. Pick Local Machine. Import the Self-signed root into the Trusted Root store.
I had the same problem and found out, that the SSL settings in IIS were wrong.
I configured IIS 7.5 to SSL only and to accept client certificates. With this settings, I ended up with the service not found error in OOB. After setting IIS to ignoring client certificates the OOB Application works fine.

Resources