Rated 4 out of 5 stars
This is an extension worth installing: it recognizes when the ssl/tls certificate of a site has changed, and will give warnings if this change looks suspicious.
From reading the source code, there are no surprises. It compares hashes from ssl/tls certs to hashes it has seen in the past. This means it will keep a list of https sites you have visited (including those visited while in private browsing mode), but this will stay on your computer and not be sent elsewhere.
The code quality is acceptable, but not excellent. For example, the code does not use braces around one-line if-statements, uses inconsistent indentation and one if...elseif really looks like it needs a final else statement.
The main logic for detecting if a certificate change is classed as "suspicious" is not commented and is difficult to follow. For example, time limits are coded in (billions of) milliseconds instead of human-readable days, and no explanation is given to the choice of these values or how they relate to real-world problems they want to warn about.
That said, I would still recommend installing as it does provide warning about many possible ssl/tls attacks.
Developer reply by Carlo v. Loesch
The "inconsistent" indentation is meant to be KNF, the BSD Kernel Normal Form, with different indentation levels for code blocks and line continuations. The source however has seen several authors and isn't all consistent. Fixing that now. The main logic is commented in the upcoming version 1.8.3. Thanks for the recommendation. :-)