Install HTTPS Everywhere

You need a reason to engage in all this hard work. Install the EFF's HTTPS-Everywhere add-on which will automatically redirect you to encrypted version of many popular websites. Blanket rules for doing this tend to break things, and the EFF has put some good work into making this usable. Everyone should have it installed.

Reducing the Trusted Roots

Qualys SSL labs, and the EFF SSL Observatory both have data sets which identify the top root certificates in use across the internet. The interesting finding their research highlights is that the top 10 root certificates (note, some CAs have multiple root certificates) account for over 90% of the Internet. This means we can safely cut his number down from the nearly 200 currently in Firefox to 24. I'll be publishing a more detailed analysis on SensePost's blog, but in the meantime, the 24 most commonly used I went for (which accounts for approximately 98% of all certificates is use) are:

• AddTrust External CA Root
• COMODO Certificate Authority
  
• AAA Certifice Services
  
• DigiCert High Assurance EV Root CA
• Entrust.net Secure Server Certification Authority
• Entrust.net Certification Authority (2048)
• Equifax Secure CA
• Equifax Secure Global eBusiness CA-1
• GeoTrust Global CA
• GlobalSign Root CA
• GTE CyberTrust Global Root
• Network Solutions Certificate Authority
• SecureTrust CA
• StarField Class 2 CA
• StartCom Certification Authority
• Thawte Server CA
• Thawte Premium Server CA
• thawte Primary Root CA
• Go Daddy Class 2 CA
• UTN-UserFirst-Hardware
• http://www.valicert.com/ (Class 2 Policy Validation)
• Verisign Class 3 Public Primary Certification Authority - G5
• Verisign Class 3 Public Primary Certification Authority
• Verisign Class 3 Public Primary Certification Authority - G2
  

Note that these are specific certs, not CAs. You can manually configure these in Firefox by going to Preferences->Advanced->Encryption->View Certificates and manually editing the trust for every certificate. This is a pretty tedious process, and so you can rather download the preconfigured certificate database from me here (SHA 512: e184e5750ccab4b9ea6ef4d67e813fcdbe8515ac9aafc9ded1fa27eb59c8bfe111cba5d424d33721f830b2d2b5ff3a388a4885502a93f6d805041ecbcaf31c05). This will overwrite any existing certificates you may have trusted or imported, so I'd recommend you do it on a new clean profile. Just copy it into your Firefox profile directory. A profile directory is usually several random alphanumeric characters followed by the profile name e.g. xxxxxxxx.default. On different operating systems the file should be placed in:

• OSX ~/Library/Application Support/Firefox/Profiles/xxxxxxxx.default/cert8.db
• Windows %APPDATA%\Mozilla\Firefox\Profiles\xxxxxxxx.default\cert8.db
• Linux ~/.mozilla/firefox/xxxxxxxx.default/cert8.db

I've been surfing with this configuration for a day or two now with no problems. Your browser will validate the entire chain, so if a certificate is signed by an intermediary you don't trust, but which is eventually signed by a root you do trust, then your browser won't give you a certificate error. This means the impact of this change is limited and basically prevents some of the stranger CAs like Booz Allen Hamilton or The Chinese Gov from issuing certs you will trust, but wouldn't prevent a compromised intermediary (as in Comodogate) attack. If you've decided not to trust Comodo post Comodogate, you can untrust the Comodo and AAA certificates, although will receive many untrusted cert errors.

Forcing OCSP verification Checks

There are two ways for your browser to check whether a certificate, validly signed by a certificate authority, has been revoked. The first is to check the CRLs embedded in a certificate, and the second is to do a dynamic lookup over the Online Certificate Status Check Protocol (OCSP) (one can also subscribe to CRL lists, but this is currently an onerous and complete process). By default this is not forced each time, and must be enabled by manually toggling the option in about:config through a config option. The trade off is that the OCSP provider can see what sites you are visiting. If you're being surveilled you may not want to do this, but for your average user it may be worth it given the current compromises.

To do this:

1. Type "about:config" in your URL bar
2. Click "I'll be careful I promise" when you see the warning
3. Add a new Boolean key named security.OCSP.require
4. Ensure the value is set to "true"

1. Navigate to Preferences->Advanced->Encryption->Validation
2. Select both checkboxes referring to using an OCSP server, and marking failed validations as invalid
3. Choose the first radio button about using OCSP if a cert specifies it (hopefully a trusted entity will run a decent OCSP server we can validate all certs against soon)
   

Monitoring for Certificate Changes

Your browser now provides a little more certainty that you can trust the random certificate it has been presented, however, it is still useful to know when a certificate has changed. This will give an indication that either a validly signed certificate is being used in a man in the middle attack, as is the case with some lawful intercept products, or as in the case of Comodogate. For example, my use of certificates on this website has nothing to do with valid signatures and relies on the fact that the exact same certificate that I trust is in use. For this monitoring I used to use Petnames, however, this has not been updated for Firefox 4, and so I found Certificate Patrol (thanks Ivan). This too is not compatible with the final release of Firefox 4, however, it is with a beta, and so disabling Firefox add-on compatibility checking using the add-on compatibility reporter will allow it to be installed.

What Certificate Patrol does when you first visit a site and are presented with a certificate, is to display a pop-up showing the certificates details. This forces you to actually evaluate the certificate for common-sense indicators e.g. is it assigned to the company it should be or "Iranian Secret Police". The really useful feature however, is when you next visit the site, it will check that the certificate is the same as seen before, and if there is a mismatch (i.e. the certificate has changed) it will warn you. Thus, for example, if you are in a wireless hot-spot and find you get a "certificate changed" warning on every SSL site you visit, that's a clear indication that someone is intercepting your traffic. If you get it on your banking website with no warning, it should make you look for an announcement from the bank about it, and if not, ask them for one.

To disable add-on compatibility checking and install Certificate Patrol, do the following:

1. Got to about:config as described in the previous section
2. Find the key named extensions.checkCompatibility.4.0
3. Toggle the value to false

1. Install the "Add-on compatibility reporter" to allow you to install & report on plugins not yet marked as compatible with FF4
   
2. Navigate to the Certificate Patrol page, and click "Download Now"
3. Restart Firefox when prompted

If you want to take it a step further, there is the Perspectives add-on. What this does is contact a specialised notary that comments on how long the certificate presented by the site has been "seen". The add-on will them assign a "trustworthyness" based on how consistent the answers between notaries are, and how long the certificate has remained the same. Thus, if you are being man-in-the-middle'd the certificate presented would be different from any the notaries had seen and a failure would be issued.

Update: Updated to avoid about:config changes.
Update II: Added SHA sum of cert trust DB and fixed some spelling.
Update III: Referenced perspectives