> Some Firefox add-ons to help defend against MITM:
In theory yes, but not more than 10 minutes ago Cert Patrol noticed that Amazon have changed the CA for the SSL cert for an image server.
What am I supposed to do? It is interesting info, but if I reject the cert then I can't be sure my connection is secure. If I accept it... I can't be sure my connection isn't MiTMed.
The nature of certificates means a site can use more than one. If you use such a site, you can try to notice the pattern of which certs they use and if it changes, but it's not going to be perfect. If you choose to only use sites which use one certificate it might be a big help. Here are some more useful plugins for Firefox:
Certificate Patrol is kind of useless for all Google properties, since they constantly swap out certificates on most of their domains every few days. Ironically, these are probably the most important sites you need to be worried about MITMs with, but you'll constantly be ignoring them with Certificate Patrol.
I use Certificate Patrol at home. For Google this is not a very useful add-on as the certificates change all the time. Especially for Google I lost track of whether these changes are legitimate or not. Since I only search with Google and have no account with them that's a fine enough trade-off for me. Were I using more sensitive services I'd be worried.
I've tried using Certificate Patrol, but Google and Facebook use loads of different certificates for the same URLs -- I guess it's a side-effect of large CDNs. Guess which websites I read the most? I ended up clicking Yes without reading, defeating the purpose of the tool -- a bit like what usually happens with NoScript.
Certificate Patrol (notifies you when certs change) https://addons.mozilla.org/en-us/firefox/addon/certificate-p...
Force-TLS (force websites to always use HTTPS) https://addons.mozilla.org/en-us/firefox/addon/force-tls/
Perspectives (compare certs with peers to verify authenticity) https://addons.mozilla.org/en-us/firefox/addon/perspectives/
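
The comments above describe two different events that a change notifier reports the same way: routine certificate rotation on large sites, and a certificate from a CA the host has not used before. The following is an added example, not part of the thread and not Certificate Patrol's code, that triages the two per host; the class name, verdict labels and sample observations are all constructed for illustration, and a "known issuer" verdict is only a lower-priority signal, not proof that the change is legitimate.

```python
from collections import defaultdict

# Constructed observations: (host, leaf certificate fingerprint, issuer name).
# Every value here is made up for illustration.
OBSERVATIONS = [
    ("cdn.example.com", "aa11", "Example CA 1"),
    ("cdn.example.com", "aa11", "Example CA 1"),   # same cert again
    ("cdn.example.com", "bb22", "Example CA 1"),   # rotated, same CA
    ("cdn.example.com", "cc33", "Other CA 9"),     # CA changed
    ("bank.example.org", "dd44", "Example CA 2"),
    ("bank.example.org", "ee55", "Other CA 9"),    # CA changed
]


class CertTracker:
    """Hypothetical per-host memory of certificates and issuers seen so far."""

    def __init__(self):
        self.certs = defaultdict(set)    # host -> fingerprints seen
        self.issuers = defaultdict(set)  # host -> issuer names seen

    def observe(self, host, fingerprint, issuer):
        seen_certs, seen_issuers = self.certs[host], self.issuers[host]
        if not seen_certs:
            verdict = "first-seen"               # nothing to compare against
        elif fingerprint in seen_certs:
            verdict = "known"                    # one of the site's known certs
        elif issuer in seen_issuers:
            verdict = "new-cert-known-issuer"    # typical rotation pattern
        else:
            verdict = "new-issuer"               # the case worth reading
        # Recorded as if the user accepted it, so the next visit compares
        # against the full set of certificates the host has presented.
        seen_certs.add(fingerprint)
        seen_issuers.add(issuer)
        return verdict


def classify(observations):
    tracker = CertTracker()
    return [(h, tracker.observe(h, f, i)) for h, f, i in observations]


def alerts(observations):
    """Hosts whose certificate came from an issuer never seen for that host."""
    return [h for h, v in classify(observations) if v == "new-issuer"]


if __name__ == "__main__":
    for host, verdict in classify(OBSERVATIONS):
        print(f"{host:18} {verdict}")
```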