[Alpha Release, testers only!]
This software enhances the display of TLS connections by displaying at-a-glance the Root Certificate Authority that your browser trusts to certify the connection.
Future releases will include country-of-jurisdiction display, enhanced and user-friendly certificate pinning, Intermediate Certificate Authority display, and other requested features (submit your ideas here!).
For maximum effectiveness, replace the blank, empty spacer that exists OOTB in Firefox between your URL bar and the navigation buttons with this add-on's badge. (Chrome support pending on CH#1187713.)
https://archive.is/o/www.wired.com/2010/03/packet-forensics/#selection-2513.25-2513.243
https://www.eff.org/observatory#:~:text=650-odd%20organizations%20that%20function%20as%20Certificate%20Authorities%20trusted%20%28directly%20or%20indirectly%29%20by%20Mozilla%20or%20Microsoft.
According to tech blogger Ryan Singel, writing for Wired magazine in 2010, privacy researcher Christopher Soghoian found a brochure at a wiretapping conference in which Packet Forensics, LLC advertised a device that [emphasis added]:
“[Gives users] the ability to… generate ‘look-alike’ [SSL] keys designed to give the subject a false sense of confidence in its authenticity”
When the editors tried to reach out to Packet Forensics about this, their spokesman, Ray Saulino, allegedly (and hilariously):
initially denied the product performed as advertised, or that anyone used it
then added that
“…there is nothing special or unique about it… Our target community is the law enforcement community.”
I intend to follow in the footsteps of the paper (linked in the appendix below) which Dr. Soghoian wrote alongside Dr. Sid Stamm analyzing the threat models presented by this device, and in particular intend to write the spiritual successor to their software introduced therein, CertLock.
In particular, this software will be written under the following assumptions:
- Mr. Saulino is lying through his teeth here (presumably under NDA)
- Both Mr. Singel and Dr. Soghoian are being truthful in their reports
- The brochure acquired at the conference was both genuine (actually published by Packet Forensics) and truthful (the product it advertises performs as claimed)
- ssl-mitm.pdf
- defconssliverse.pdf (Search for “Number of trusted certificate signers” - wow!)