jannispinter / indicatetls

Addon for Mozilla Firefox that displays the TLS protocol version of websites you visit

Home Page: https://addons.mozilla.org/firefox/addon/indicatetls/

License: Mozilla Public License 2.0

JavaScript 69.31% CSS 9.73% HTML 20.96%
mozilla-firefox addon tls-protocol certificates

indicatetls's Introduction

IndicateTLS

Addon for Mozilla Firefox that displays the TLS protocol version of websites you visit. This extension makes use of the new SecurityInfo API in Mozilla Firefox to display some information about the TLS connection.

Download

You can download the extension from Mozilla's Add-on website here. You have to visit the page with Mozilla Firefox in order to be able to install it.

Note: This extension requires Mozilla Firefox 62 or later.

Translate

Do you speak a language other than English or German? Please help us translate IndicateTLS on Transifex.

Screenshots

screenshot

indicatetls's People

Contributors

ashucg, cai0407, jannispinter, lechrisde, madis0, nothing4you, riajyuu, rugk

indicatetls's Issues

bad look

image

  1. There is a lot of space but it's truncated.
  2. It's impossible to see other columns
  3. Why does it grow from the hamburger button while the green button was pressed? It should look like this:
    image

Yellow alert versus legibility

Suggestion:

  • where the yellow alert appears with text, don't make the text illegible.

Instead, maybe have the yellow alert over the relevant colour (e.g. green here at GitHub) – without the text.

TLS 1.3 color

Can you adopt another color for greater security (1.3)? For example, the color green.

On dark Firefox themes, the extension is barely visible.

Screen Capture_select-area_20200427193241

Have a changelog at least between releases

Having a changelog so we know what major changes happen or happened when you make a new release, e.g. from 0.1.1 to 0.1.2. I am not sure if there is a possibility to do that in the addons but it would still be nice to have such a file to know the changes and then test things out.

Clarify "connected to"

As of the SSLeuth redesign, the main tab bottom right corner has a text:

Connected to: github.com (SSL Labs)

That makes it seem like the extension needs to connect to SSL Labs every time to work or display the popup contents. As you are actually using the Firefox's API for this, I assume that is not the case.

Hence I suggest removing the "connected to" text altogether (the main view tab's name and contents are obvious enough) and wording it like

Run SSL Labs test to see more info

No HTTPS

When accessing an HTTPS address, display an open lock icon.

It can take a dark purple or gray color.

istockphoto-898656072-1024x1024

String issues

Red - cannot be translated
Yellow - would be great if it was one sentence (instead of two separate strings), so it could be reordered

pilt
pilt

Translate IndicateTLS

Hi there,

If you speak any language other than English or German, please help us translate IndicateTLS to your language. I have set up a team over on Transifex.

Let me know your username and I will add you to the team. You can also mail me your username in private to: [email protected]

Thank you so much!

[Feature request] Check field values e.g. "Issuer" against RegEx and change badge colour

By design, AWS and Cloudflare are MITM proxies. Websites relying on Cloudflare for caching and serving give up their certificates to the cloud provider, allowing this service to read every packet in the clear.

This itself would not be a problem, if it wasn't for NSA secret court orders and Amazon's and Cloudflare's involvement in government projects.

https://security.stackexchange.com/questions/151566/can-i-use-cloudflare-if-i-want-to-avoid-nsa-and-fisa-secret-orders/151572#151572

https://www.zdnet.com/article/fbi-withdrew-national-security-letter-after-cloudflare-lawsuit/

They received gag orders and national security letters. Even if they fight these, they wouldn't be able to tell if a national security letter was successful for years due to gag orders.

https://www.washingtonpost.com/news/business/wp/2017/11/20/amazon-launches-new-cloud-storage-service-for-u-s-spy-agencies/

https://d1.awsstatic.com/certifications/Information_Request_Report_June_2020.pdf

AWS runs services for many three-letter agencies, and received 0-249 NSLs.

You can ignore this feature request as the ramblings of a schizo, or you can consider it reasonable.
Either way, if we want to inspect TLS in a meaningful way, it is also worth looking at issuers, always!

https://www.bleepingcomputer.com/news/security/mozilla-blocks-darkmatter-from-becoming-a-trusted-ca-in-firefox/
https://www.bleepingcomputer.com/news/security/google-outlines-ssl-apocalypse-for-symantec-certificates/

What I am actually suggesting:
Since this is a highly loaded topic, and people will trust each CA authority or cloud service differently, it would be very useful to create your own rules like:

Field: "Issuer" Contains: "Cloudflare"
or
Field: "Common Name" Contains: "sni.cloudflaressl.com"

Running a microscopic database in the background and checking against that to change the badge colour (purple etc.) is within reasonable coding work. It's simply your preference if you want to give the user this freedom to consider twice before sending data on a site that is part of cloud providers with involuntary or voluntary government ties. TOR users would certainly thank you.
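
The rule check proposed in this request, sketched as an added example (not code from IndicateTLS or from the poster). The rule format, the field names in `FIELDS`, the colours and the sample certificate strings are assumptions constructed for illustration; only the two "Contains" rules come from the request itself.

```javascript
// Input mirrors browser.webRequest.getSecurityInfo(requestId, { certificateChain: true }):
// certificates[0] is the server certificate with "subject"/"issuer" DN strings.
// Read one attribute (e.g. "CN", "O") from a DN string; values may be quoted.
function dnAttribute(dn, attr) {
  const m = new RegExp(`(?:^|,)\\s*${attr}=("[^"]*"|[^,]*)`, "i").exec(dn || "");
  return m ? m[1].replace(/^"|"$/g, "") : "";
}

// Hypothetical field names a user can write rules against.
const FIELDS = {
  "Issuer": (cert) => cert.issuer || "",
  "Issuer Organization": (cert) => dnAttribute(cert.issuer, "O"),
  "Common Name": (cert) => dnAttribute(cert.subject, "CN"),
};

// Turn a stored rule into a predicate; unknown fields and invalid user regexes give null.
function compileRule(rule) {
  const read = FIELDS[rule.field];
  if (!read) return null;
  if (typeof rule.contains === "string") {
    const needle = rule.contains.toLowerCase();
    return { colour: rule.colour, test: (c) => read(c).toLowerCase().includes(needle) };
  }
  if (typeof rule.regex !== "string") return null;
  try {
    const re = new RegExp(rule.regex, "i");
    return { colour: rule.colour, test: (c) => re.test(read(c)) };
  } catch (e) { return null; }
}

// First matching rule wins; otherwise keep the colour chosen elsewhere.
function badgeColourFor(securityInfo, rules, defaultColour) {
  const cert = securityInfo && securityInfo.certificates && securityInfo.certificates[0];
  if (!cert) return defaultColour; // no certificate, e.g. plain HTTP
  for (const rule of rules.map(compileRule)) {
    if (rule && rule.test(cert)) return rule.colour;
  }
  return defaultColour;
}
// Constructed sample data; the two "contains" rules are the ones from the request.
const SAMPLE_RULES = [
  { field: "Issuer", regex: "(unclosed", colour: "red" }, // invalid, skipped
  { field: "Issuer", contains: "Cloudflare", colour: "purple" },
  { field: "Common Name", contains: "sni.cloudflaressl.com", colour: "purple" },
];
const SAMPLE_INFO = { state: "secure", protocolVersion: "TLSv1.3", certificates: [{
  subject: 'CN=sni.cloudflaressl.com,O="Cloudflare, Inc.",C=US',
  issuer: 'CN=Cloudflare Inc ECC CA-3,O="Cloudflare, Inc.",C=US',
}] };
```

Matching on the parsed organization (`Issuer Organization`) is less prone to accidental hits than a substring search over the whole issuer string.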

TLS for legacy browser

Please add support for legacy browsers (Firefox forks) and make an XPI file for manual download.

Badge the resources tab with the warning if one exists

As of the SSLeuth redesign, the main popup is split to two tabs. That means the user can get confused if they see a warning symbol on the icon but no warnings on the main tab.

Hence, I suggest showing the warning icon on the Resources tab too (or make the tab yellow overall, per #18).

Icon size

Can you increase the size of the displayed numbers? The extension can be moved to the extension bar to make it larger.

You can also adopt a circular format for extension, to have a modern look.

add a tip about cache invalidation

This addon may display a badge showing "?" until you force refresh (ctrl+F5) or clear Firefox cache.
I think you could add a tip about cache invalidation when the addon can't retrieve TLS info. Some inexperienced users may face this issue.

Thx for this excellent addon! :-)

Thank you!

Thank you!

Thank you for your project and software!

Thank you for maintenance in the past and in the future!

Kind regards and season's greetings!

Proton Update Changes Spacing in URL Bar

Thanks for the great extension.

It appears that Firefox's new Proton UI refresh has new address bar styling, including spacing changes.

This affects this extension's URL bar indicator, making it arguably look a little unintentional and distorted post-update, as can be seen in the below screenshot. Specifically, it appears the indicator spacing is now taller and thinner.

Screenshot

Note that this new UI refresh can be turned on by setting browser.proton.urlbar.enabled (this only controls the URL bar, other proton prefs enable other parts of the theme) to true in Nightly in about:config.

While this is not enabled by default yet, it appears that it will make its way to release reasonably soon.

This website uses TLSv1.3 but content [...] less secure protocol versions.

Thanks for working on this plugin. I very much missed having connection details in Firefox.
I am puzzled by something it reports though. On my personal home page I get a green 1.3 icon with yellow ! reporting:
"This website uses TLSv1.3 but includes content from services that only support less secure protocol versions."
It only shows a single connection to the site but reports information that conflicts with what Firefox reports in its security tab, i.e. the addon reports TLSv1.2 Key exchange P256. This does NOT match what SSL Labs reports for the site. SSL Labs gives it an A+ and for Firefox 67+ it used TLS 1.3 TLS_AES_256_GCM_SHA384 ECDH x25519 with FS. The Cloudflare TLS 1.3 client side test also passes for my browser. The images on it are relative links that are all local to the server, so I don't know what it is talking about. Firefox reports the connection is encrypted using TLS_AES_256_GCM_SHA384, 256 bit keys, TLS 1.3. Any idea why it is reporting this?
P.S. other than this it would be nice if the cipher details i.e. TLS_AES_256_GCM_SHA384 showed in the pop up.

Dark theme with system dark theme

In Firefox there are three default themes: light, dark, system.

If set to system and using a dark system theme, the icon still uses light theme icons. It should use the dark theme ones. ;)

Show certificate type and (if OV or EV cert) organization

I would love to be able to easily differentiate between DV and other types of certificates.
IMO DV certificates are far too easy to obtain nowadays, therefore I'd love to see the certificate type in the popup.
And if it is an Organization or Extended Validation certificate, why not show the name of the organization as well.

Thanks a lot for this add-on. It helps a lot.

Data is missing or outdated on new tabs

When I open a new tab, open a page and then check the extension I'm greeted with the following values:
Screen Shot 2020-01-27 at 07 35 24

Sometimes this was fixed after a reload.
Screen Shot 2020-01-27 at 07 35 36

On another page I noticed it had an old certificate expiration date in there claiming that the cert expired nearly 90 days ago. Force-refreshing (cache override) seems to have fixed this issue.

Is this a firefox issue or an extension issue?

feature request: add a toolbar icon

Can you add a toolbar icon too?
This way I can disable the address bar icon and use the toolbar.
This way is smoother because icons that are always shown are in the toolbar and icons that are sometimes shown based on the address are shown in the address bar (like RSS support, the http3 indicator and addons like that).

New default coloring

As TLS 1.0 and 1.1 are getting disabled (someday), it is time to consider new colors to use to better highlight the differences.

  • Ideally, perfect security must be transparent, therefore I suggest using the same gray color for 1.3 as Firefox itself uses for the padlock (black with opacity 0.6).

  • Mixed protocols could perhaps use an icon crossed with a red line (similar to the broken padlock).
    A simple line should obstruct the number less than the previous warning triangle.

  • Could 1.2 be yellow now? It's not specifically bad until proven that a site uses insecure ciphers and it is still a recommended default. Maybe use a cross for bad configurations and 1.3 coloring for the rest?

  • 1.0 and 1.1 should be bright red while they still exist, but is that enough?

  • Wait, why is SSL 3 still in this extension?

  • Unknown icon could be inverted, as it doesn't give much info anyway.

Browser console error: `tabMainProtocolMap.get(...) is undefined`

The extension frequently causes the following error to be displayed in the browser console:

20:13:31.782 can't access property "protocolVersion", tabMainProtocolMap.get(...) is undefined 2 background.js:54
    loadSavedSecurityInfoAndUpdateIcon moz-extension://18647e97-ca2d-4bbb-979a-557087b95623/background.js:54
    apply self-hosted:1870
    applySafeWithoutClone resource://gre/modules/ExtensionCommon.jsm:614
    fire resource://gre/modules/ExtensionChild.jsm:775
    recvRunListener resource://gre/modules/ExtensionChild.jsm:779
    recvRunListener self-hosted:844
    _recv resource://gre/modules/ConduitsChild.jsm:78
    receiveMessage resource://gre/modules/ConduitsChild.jsm:169
    run resource://gre/modules/ConduitsChild.jsm:160
    receiveMessage resource://gre/modules/ConduitsChild.jsm:161
    map self-hosted:240
    receiveMessage resource://gre/modules/ConduitsChild.jsm:161

This happens on Firefox Nightly with, among other things, fission enabled.

Most likely broken by ea5d372ef0d1620097457134fb6312c9d2f4cc91:

 async function loadSavedSecurityInfoAndUpdateIcon(details) {
-    cached_version = tabMainProtocolMap.get(details.tabId);
+    cached_version = tabMainProtocolMap.get(details.tabId).protocolVersion;
     if (typeof cached_version !== "undefined" && cached_version !== "unknown") {
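
Review bot: the `+` line takes `.protocolVersion` directly from `tabMainProtocolMap.get(details.tabId)`, so for a tab with no entry in the map the property access throws before the `typeof cached_version !== "undefined"` check on the following line can run, which matches the console error quoted above. Read the map entry into a variable first and only take `.protocolVersion` when the entry is defined (or use `?.protocolVersion`), so that a missing entry falls through as `undefined` the way the removed line did.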
