Calomel.org :: Open Source Research and Reference


Calomel SSL Validation

a Firefox Add-on extension grading SSL security



What does the "Calomel SSL Validation" extension do ?

The "Calomel SSL Validation" add-on grades the SSL cipher strength of the current connection. A detailed summary of the SSL negotiation is available from a toolbar button. The button changes color depending on the grade, from red (low score) through orange, yellow and blue to green (high score). Standard unencrypted HTTP connections turn the toolbar icon gray, as do blank tabs.

In the options section you can enable the use of only the strongest 168 and 256 bit ciphers in high security mode, as well as disable the Online Certificate Status Protocol (OCSP). Other tabs include speed optimizations like network pipelining, the ability to turn off page and DNS prefetching, tab previews and an option to disable annoyances like blinking text and GIF animations.

To install in Firefox, go to the Mozilla Firefox Add-on page for "Calomel SSL Validation". There you can find screenshots too!


Latest Version: 0.52


Explaining the URL button drop down details box

For this example we are going to take a look at the details in the toolbar button drop down box for this site. Push the "green" URL button to see the box. If you do not currently see the toolbar button, right click on the top toolbar, go to "Customize" and scroll down to the bottom of the icon list. There you will see the "Calomel SSL Validation" button in gray. Just drag the button onto the toolbar. We like the placement to the left of the URL bar, but the position is completely up to you. You may need to refresh the page for the icon to turn the correct color after the install.

connection: SECURE (green 100%)

This is the overall state of the SSL connection. "SECURE" is only shown if the SSL connection is established and encrypted in some way. In parentheses are the color of the URL icon button and the score of the page, up to 100%. The color description was added for users who are color blind and may not be able to distinguish red from green. The score gives a more detailed idea of how securely Firefox connected to this site.

certificate: verified ok (PASSED 30/30)

This describes the state of the certificate response from the certificate authority server. If the cert was verified by the CA this line is shown. Other possibilities are "revoked", "expired" or "unknown". Any certificate that is not "verified" is awarded a red URL button color and should be considered highly suspect. The "30/30" says that we have earned 30 points out of a possible 30. Take a look at the next section for a description of how we score the connection.

validation: Domain Validation, DV

Validation is the type of background check the certificate authority does on the buyer of the certificate. We bought a standard SSL certificate from Comodo and they awarded us a "Domain Validation" or "DV" certificate. This means that Comodo only verified that the owner of the domain, that is us, bought the cert for calomel.org. This is a very simple check.

The other type of validation is "Extended Validation". An "EV" certificate is for companies, as the verification process is significantly more stringent and more expensive. While a DV cert might cost as little as 20 US dollars per year, an EV cert costs hundreds of dollars per year.

We do _not_ score on this value though. The reason is anyone can get an EV cert if they have the money and the time. Most small sites and companies will not bother, but organizations like banks and financial institutions should.

URL Host: calomel.org

This is the fully qualified domain name (FQDN) of the server as shown in the URL bar. It should match the name of the host you wanted to go to.

Common Name (CN): calomel.org (MATCH 10/10)

The "Common Name" is the full host name the SSL certificate is registered for. The "URL host" above and the "Common Name" should match for the SSL certificate to be valid. We do a test and if both hosts match the tag "(MATCH)" is printed. Since the URL and common name match we were awarded 10 out of 10 total points. Scroll to the next section for a description of how we score the connection.

symmetric cipher: AES-256 (STRONG 34/34)

This is the name of the symmetric cipher used between the client and server. We rate the strength of the cipher used and award it a score. For using a strong cipher 34 out of 34 points are given.

symmetric key length: 256 bits (STRONG 14/14)

The size of the symmetric cipher in bits. We also use this key size in rating the strength of the connection as seen by the 14 out of 14 points awarded.

Issued To: (currently blank)

This field is blank for us. Normally you will see the name of the company, individual or organization which has purchased the SSL certificate. This value is not used in the scoring of the site as it can contain any string. This field could contain the URL host, a company name, an individual's name or any variation.

: (currently blank)

This is supposed to show the location we added to our certificate. The problem is that calomel.org currently uses an inexpensive cert from Comodo and they do not honor the location information from our CSR. For other sites you will see the location information that site registered its certificate with. For example, Google's location information is "Mountain View California US".

: SHA-1 With RSA @ 4096 bit (STRONG 6/6)

This is the hash algorithm and key our certificate was signed with by the certificate authority. The size of the key is 4,096 bits. The tag at the end, "(STRONG)", is the score. SHA-1 with an RSA key of 2048 bits or more is considered strong; anything lower is WEAK. We score on this value: 6 out of 6 points awarded.

Issued By: Comodo CA Limited

The name of the certificate authority who provided the certificate to the buyer; in this case the buyer is our site, calomel.org. This is also the company who houses the SSL validation servers used by Firefox to verify that calomel.org is a valid hostname for this certificate. This value is not used in the scoring of the site. We may eventually check this value against a list of "mostly" trusted CAs. Some certificate authorities, like the China Internet Network Information Center (CNNIC), are indirectly sponsored by the Chinese government.

: Salford Greater Manchester GB

The location of the certificate authority's corporate offices. In this case Comodo's corporate location is Salford, Greater Manchester, Great Britain.

: SHA-1 With RSA @ 2048 bit (STRONG 6/6)

This is the hash algorithm and key the certificate authority's own certificate was signed with. The size of the key is 2,048 bits. The tag at the end, "(STRONG)", is the score. SHA-1 with an RSA key of 2048 bits or more is considered strong; anything lower is WEAK. We score on this value, as seen by the 6/6 scoring.

Valid from: 12/22/2011 19:00:00

This is when the SSL certificate was first activated and allowed to be verified by browsers like Firefox. This value is not used in the scoring of the site, but if the "Valid from" date is in the future the certificate is invalid and a red button is awarded. Certs cannot be used before or after their "valid" dates.

Valid until: 12/22/2014 18:59:59

This is the expiration date set on the certificate by the certificate authority. The certificate cannot be verified past this date. The site owner will have to buy a new cert after this date has passed if they wish to continue using SSL. This value is not used in the scoring of the site, but if the "Valid until" date is in the past the certificate is invalid and a red button is awarded.





How is the score of the SSL connection determined ? (URL button color)

The add-on scores the SSL connection and changes the color of the icon in the URL bar. In the drop down box the details show the percentage score on the first line. The color of the URL button ranges from red (no or weakest security) through orange, yellow and blue to green (strongest security).

The score of a site is currently made by:

Certificate Verification = 30%

The certificate must be verifiable through the certificate authority (CA). If the certificate is verified, the status message "verified ok" is received, the score of 30% is given and a tag saying "(PASSED)" is printed. If there is a problem with the certificate or it cannot be verified then the entire SSL connection is suspect. A suspect certificate is awarded a score of negative 50 (-50) to guarantee a red URL icon. Examples of failed verification are a self-signed, expired or revoked certificate. The foundation of an SSL certificate is having a third party positively verify that the cert is valid. If the certificate authority reports a problem with the cert or the cert is invalid then we cannot trust it.

Domain Mismatch = 10%

The certificate is purchased and the buyer specifies the domain name they want the cert to cover. If the website owning the domain is "www.google.com" then the certificate must be registered with a "Common Name (CN)" of "www.google.com" or at least "*.google.com". If the domains match the score of 10% is awarded and the tag "(MATCH)" is seen in the detailed drop down box. If the domains do not match no points are given (0%) and the tag "(domain mismatch!)" is shown.

Symmetric Cipher Strength = 34%

A symmetric cipher is the algorithm used to encrypt the data. You want to negotiate with the remote server using the strongest ciphers available to both systems. In our case we are looking for the Advanced Encryption Standard (AES) at 256 bits or Camellia at 256 bits. These are the strongest ciphers and the connection gets a score of 34% and a tag of "(STRONG)". If the SSL connection is negotiated with AES at 128 bits, Camellia at 128 bits or even Triple DES at 168 bits the score goes down to 13% with a tag of "(MODERATE)". If the weak RC4 cipher is used the connection is awarded 5% and tagged "(WEAK)". If no cipher is used the score is 0% with a tag of "(VERY WEAK)". An export controlled 40 bit cipher suite using MD5 is an example of a very weak cipher.

Symmetric Key Length = 14%

The key length is in bits; the larger the key the higher the score. Keep in mind that the type of cipher used is significantly more important than the size of the key. A 256 bit key gets 14 points, between 256 and 168 bits gets 7%, between 168 and 128 gets 3% and anything lower gets 0%. Tags similar to the ones awarded for "Symmetric Cipher Strength" are also printed here.

Certificate Hash Type and Key Length = 12%

Both the subject (website) and the certificate authority get 6% for a "(STRONG)" rating. A rating of "(WEAK)" gets no points. This adds up to a total of 12%.

If the certificate uses SHA (SHA-1 through SHA-512) it is considered "(STRONG)". If MD5 is used the cert is rated as "(WEAK)". A key length of 2048 bits and above is considered "(STRONG)" and anything less is weak. For the certificate to be rated "(STRONG)" both the hash and the key length have to be strong; if either one fails the entire hash rating is "(WEAK)".
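The scoring rules above, reimplemented as an added example so the arithmetic behind a grade can be checked. This is not the add-on's own code; cipher names follow the drop-down ("AES-256", with Triple DES written "3DES-168" here), the inclusive band boundaries for key length are an assumption, and the color thresholds are not given on the page, so only the total is computed.

```javascript
// Added example, not the add-on's own code: the scoring rules from the
// section above, reimplemented so the arithmetic behind a grade can be checked.
// Cipher names follow the drop-down ("AES-256"); Triple DES is written "3DES-168".
// Colour thresholds are not given on the page, so only the total is computed.
const STRONG_CIPHERS = new Set(["AES-256", "CAMELLIA-256"]);
const MODERATE_CIPHERS = new Set(["AES-128", "CAMELLIA-128", "3DES-168"]);

// Certificate Verification = 30%. Anything but "verified ok" scores -50, which
// is what guarantees the red button for self-signed, expired or revoked certs.
function scoreVerification(status) {
  return status === "verified ok" ? { points: 30, tag: "PASSED" }
                                  : { points: -50, tag: "FAILED" };
}

// Domain Mismatch = 10%. The CN must equal the URL host, or be a wildcard such
// as "*.google.com" covering exactly one extra label, as in the page's example.
function domainMatches(urlHost, commonName) {
  const host = urlHost.toLowerCase(), cn = commonName.toLowerCase();
  if (host === cn) return true;
  if (cn.startsWith("*.")) {
    const dot = host.indexOf(".");
    return dot > 0 && host.slice(dot) === cn.slice(1);
  }
  return false;
}

function scoreDomain(urlHost, commonName) {
  return domainMatches(urlHost, commonName) ? { points: 10, tag: "MATCH" }
                                            : { points: 0, tag: "domain mismatch!" };
}

// Symmetric Cipher Strength = 34%: 34 / 13 / 5 / 0 points for STRONG / MODERATE /
// WEAK (RC4) / VERY WEAK (export suites or no cipher at all).
function scoreCipher(name) {
  if (STRONG_CIPHERS.has(name)) return { points: 34, tag: "STRONG" };
  if (MODERATE_CIPHERS.has(name)) return { points: 13, tag: "MODERATE" };
  if (name === "RC4") return { points: 5, tag: "WEAK" };
  return { points: 0, tag: "VERY WEAK" };
}

// Symmetric Key Length = 14%. The page gives the bands as 256 / 256-168 / 168-128
// / lower; the lower bound of each band is taken as inclusive here (assumption).
function scoreKeyLength(bits) {
  if (bits >= 256) return { points: 14, tag: "STRONG" };
  if (bits >= 168) return { points: 7, tag: "MODERATE" };
  if (bits >= 128) return { points: 3, tag: "WEAK" };
  return { points: 0, tag: "VERY WEAK" };
}

// Certificate Hash Type and Key Length = 12%, 6 each for subject and issuer.
// Both conditions must hold: a SHA-family hash (not MD5) and a 2048+ bit key.
function scoreSignature(hash, keyBits) {
  const shaFamily = /^SHA-?(1|224|256|384|512)$/i.test(hash);
  return shaFamily && keyBits >= 2048 ? { points: 6, tag: "STRONG" }
                                      : { points: 0, tag: "WEAK" };
}

// Adds the six parts up; 100 is the "SECURE (green 100%)" case shown above.
function grade(conn) {
  const parts = {
    certificate: scoreVerification(conn.verification),
    domain: scoreDomain(conn.urlHost, conn.commonName),
    cipher: scoreCipher(conn.cipher),
    keyLength: scoreKeyLength(conn.keyBits),
    subjectSig: scoreSignature(conn.subjectHash, conn.subjectKeyBits),
    issuerSig: scoreSignature(conn.issuerHash, conn.issuerKeyBits),
  };
  const total = Object.values(parts).reduce((sum, p) => sum + p.points, 0);
  return { total, parts };
}

// Constructed input mirroring the calomel.org drop-down shown above.
const CALOMEL = {
  verification: "verified ok", urlHost: "calomel.org", commonName: "calomel.org",
  cipher: "AES-256", keyBits: 256,
  subjectHash: "SHA-1", subjectKeyBits: 4096, issuerHash: "SHA-1", issuerKeyBits: 2048,
};
// Constructed input for a site with a wildcard cert that negotiates RC4 at 128 bits.
const RC4_SITE = { ...CALOMEL, urlHost: "www.example.com", commonName: "*.example.com",
                   cipher: "RC4", keyBits: 128 };

console.log(grade(CALOMEL).total, grade(RC4_SITE).total); // 100 60
```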

RSA is a public-key cryptosystem for both encryption and authentication; it was invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman [RSA78]. Details on the algorithm can be found in various places. In this signature suite RSA is combined with the SHA1 hash function to sign a message. It must be infeasible for anyone to either find a message that hashes to a given value or to find two messages that hash to the same value. If either were feasible, an intruder could attach a false message to a site's signature. The hash function SHA1 was designed specifically so that finding such a match is infeasible, and is therefore considered suitable for this role. MD5 is considered too weak to be used for SSL certificate security.

In cryptography, SHA-1 is a cryptographic hash function designed by the National Security Agency (NSA) and published by NIST as a U.S. Federal Information Processing Standard. SHA stands for Secure Hash Algorithm. The three SHA algorithms are structured differently and are distinguished as SHA-0, SHA-1, and SHA-2. SHA-1 is very similar to SHA-0, but corrects an error in the original SHA hash specification that led to significant weaknesses. The SHA-0 algorithm was not adopted by many applications. SHA-2, on the other hand, differs significantly from the SHA-1 hash function.

In cryptography, MD5 (Message-Digest algorithm 5) is a widely used cryptographic hash function with a 128-bit hash value. Specified in RFC 1321, MD5 has been employed in a wide variety of security applications, and is also commonly used to check the integrity of files. However, it has been shown that MD5 is not collision resistant; as such, MD5 is not suitable for applications like SSL certificates or digital signatures that rely on this property.





Explaining the "Preferences" menu

There is nothing secret or mystical about a Firefox Add-on, and this one is no different. We will try to explain in detail all of the options we use and tell you which "about:config" values we change. This way you can make an informed decision about whether to use them or not.

Security tab

use only HIGH strength ciphers (256/168 bit) without OCSP

This option enables only the highest grade SSL ciphers and disables the Online Certificate Status Protocol (OCSP) check against the URL in the certificate's OCSP field. OCSP and CRL requests increase page load times and are susceptible to blocking by man-in-the-middle attackers or captive portals, the pages Wi-Fi access points commonly use to intercept HTTP connections before users authenticate. Google Chrome disables OCSP for this exact same reason. Not using OCSP should make SSL pages load faster, as the median time for a successful OCSP check is around 300ms and the mean is nearly a second. Finally, this option disables SSL2 and SSL3 because of known vulnerabilities and only enables TLSv1.

You can find the "toggle high ciphers" menu option under the "Tools" menu. This will instantly turn the high strength ciphers on or off. This can be used for testing or to temporarily try a site's preferred security method. If you come across a page that cannot use strong ciphers you can turn them off and reload the page using Firefox's default ciphers. When you are done you can turn the high strength ciphers back on. Note that the toggle only temporarily turns the ciphers on or off; when Firefox is restarted the option you set in the add-on's preferences is restored.

These are the current high strength ciphers we enable:

  • ECDHE-RSA-AES256-SHA (security.ssl3.ecdhe_rsa_aes_256_sha)
  • ECDHE-ECDSA-AES256-SHA (security.ssl3.ecdhe_ecdsa_aes_256_sha)
  • ECDH-RSA-AES256-SHA (security.ssl3.ecdh_rsa_aes_256_sha)
  • ECDH-ECDSA-AES256-SHA (security.ssl3.ecdh_ecdsa_aes_256_sha)
  • DHE-RSA-AES256-SHA (security.ssl3.dhe_rsa_aes_256_sha)
  • DHE-RSA-CAMELLIA256-SHA (security.ssl3.dhe_rsa_camellia_256_sha)
  • AES256-SHA (security.ssl3.rsa_aes_256_sha)
  • CAMELLIA256-SHA (security.ssl3.rsa_camellia_256_sha)
  • DES-CBC3-SHA (security.ssl3.rsa_des_ede3_sha)

In order to communicate securely, a TLS client and TLS server must agree on the cryptographic algorithms and keys that they will both use on the secured connection. They must agree on these items:

  • Key Establishment Algorithm (such as RSA, DH, DHE, ECDH or ECDHE)
  • Peer Authentication Algorithm (such as RSA, DSA, ECDSA)
  • Bulk Data Encryption Algorithm (such as RC4, DES, AES, or CAMELLIA) and key size from 40 to 256 bits
  • Digest Algorithm for Message Authentication Checking (SHA1, SHA256)

There are numerous available choices for each of those categories, and the number of possible combinations of all those choices is large. TLS does not allow all possible combinations of choices from those categories to be used. Instead TLS allows only certain well-defined combinations of those choices, known as Cipher Suites, defined in the IETF RFC standards. We have selected the highest strength ciphers for this option.

How do the client and server pick the cipher to use ?

First, it is important to know that the client and server need to support the same cipher to be able to negotiate a connection. The above ciphers are those available to our client in "high strength" mode. The server has its own list of ciphers it was built with.

A TLS client and server negotiate a stateful connection by using a handshaking procedure. The handshake begins when a client connects to a TLS-enabled server requesting a secure connection, presenting a list of supported CipherSuites (ciphers and hash functions like the ones listed above). From this list, the server picks the strongest cipher and hash function that it also supports and notifies the client of the decision.

Note that some servers have been configured to use less secure ciphers over the more secure variant to save on CPU processing time. Google (https) is like this. They prefer using the weak RC4-128 cipher. Using the "high strength" option above will force Google to use greater strength encryption like AES-256.

Why do some sites not work when "high strength" mode is enabled ?

This is because the admin or owner of those sites prefers to use _only_ weak ciphers and does not offer the stronger ones. They probably only accept RC4 or export controlled ciphers. These are very weak and not recommended because they can be cracked with today's computers. Such sites do not allow our client to negotiate the strong encryption we request.

The only action is to toggle the "high strength" mode using the option under the "Tools" menu when you need to go to these sites. Just refresh the page and the site should come up using its preferred weak ciphers. Once you are done visiting the site just toggle "high strength" mode back on. If you feel so inclined it would be a good idea to send email to the site asking why they do not support better security.

When you disable this option all of the ciphers return to their default values.
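The negotiation described in the last few sections, as an added example that is not the add-on's code: OpenSSL-style suite names are split into the four items both sides must agree on, then a server is modelled as walking its own preference list and taking the first suite the client also offered. That model reconciles "the server picks the strongest" with servers that put RC4 first, and shows why a site offering only RC4 fails in high strength mode. HIGH_STRENGTH is the list above; DEFAULT_CLIENT and the two server lists are constructed for the example.

```javascript
// Added example, not the add-on's own code: splits OpenSSL-style suite names into
// the four items both sides must agree on (key exchange, authentication, bulk
// cipher and size, digest), then models the negotiation. The server is modelled
// as walking its own preference list and taking the first suite the client also
// offered, which is how a server that puts RC4 first ends up with RC4 unless the
// client never offers it. HIGH_STRENGTH is the list above; the other lists are
// constructed for the example.
const HIGH_STRENGTH = [
  "ECDHE-RSA-AES256-SHA", "ECDHE-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA",
  "ECDH-ECDSA-AES256-SHA", "DHE-RSA-AES256-SHA", "DHE-RSA-CAMELLIA256-SHA",
  "AES256-SHA", "CAMELLIA256-SHA", "DES-CBC3-SHA",
];
// A default-style client list that also offers 128-bit and RC4 suites.
const DEFAULT_CLIENT = [...HIGH_STRENGTH, "AES128-SHA", "RC4-SHA", "RC4-MD5"];
// A server that prefers RC4 to save CPU but still supports AES.
const SERVER_PREFERS_RC4 = ["RC4-SHA", "RC4-MD5", "AES128-SHA", "AES256-SHA"];
// A server that only accepts RC4 and export-grade suites.
const SERVER_RC4_ONLY = ["RC4-SHA", "RC4-MD5", "EXP-RC4-MD5"];

const KEY_EXCHANGE = new Set(["ECDHE", "ECDH", "DHE", "DH"]);
const AUTH = new Set(["RSA", "ECDSA", "DSS"]);

// Returns { kx, auth, cipher, bits, mac, exportGrade } for one suite name.
function parseSuite(name) {
  const parts = name.split("-");
  const exportGrade = parts[0] === "EXP";   // 40-bit export-controlled suite
  if (exportGrade) parts.shift();
  const mac = parts.pop();                  // SHA, SHA256 or MD5
  let kx = "RSA", auth = "RSA";             // implied when omitted, e.g. AES256-SHA
  if (KEY_EXCHANGE.has(parts[0]) && AUTH.has(parts[1])) {
    kx = parts.shift();
    auth = parts.shift();
  }
  const bulk = parts.join("-");             // AES256, CAMELLIA256, DES-CBC3, RC4 ...
  let cipher = bulk, bits = 0;
  const m = /^(AES|CAMELLIA)(\d+)$/.exec(bulk);
  if (m) { cipher = m[1]; bits = Number(m[2]); }
  else if (bulk === "DES-CBC3") { cipher = "3DES"; bits = 168; }
  else if (bulk === "RC4") { bits = exportGrade ? 40 : 128; }
  else if (bulk === "DES") { bits = exportGrade ? 40 : 56; }
  return { kx, auth, cipher, bits, mac, exportGrade };
}

// Server-preference negotiation. null means no common suite: the handshake
// fails, which is the "site does not work in high strength mode" case.
function negotiate(clientSuites, serverSuites) {
  const offered = new Set(clientSuites);
  return serverSuites.find(s => offered.has(s)) || null;
}

// Walk the four client/server combinations discussed above.
for (const [clientName, client] of [["default", DEFAULT_CLIENT], ["high strength", HIGH_STRENGTH]]) {
  for (const [serverName, server] of [["prefers RC4", SERVER_PREFERS_RC4], ["RC4 only", SERVER_RC4_ONLY]]) {
    const chosen = negotiate(client, server);
    const desc = chosen ? `${chosen} (${parseSuite(chosen).cipher} ${parseSuite(chosen).bits} bit)`
                        : "no common suite, handshake fails";
    console.log(`${clientName} client vs ${serverName} server -> ${desc}`);
  }
}
```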

disable short URL keyword guessing

When you type a short name like "calomel" in the URL bar Firefox does not know where to go, so it guesses. It infers you wanted to go to www.calomel.com, but this is not where our site is located. The site you actually wanted was calomel.org. Firefox should not guess where the user wants to go, as this can open up privacy and security problems.

Another problem is if the user types the URL wrong. What if you typed "centralbank" instead of your actual bank, "central-bank"? You may be connected to a person typosquatting your financial institution. Typosquatting, also called URL hijacking, is a form of cybersquatting which relies on mistakes such as typographical errors made by Internet users when entering a website address into a web browser. Should a user accidentally enter an incorrect website address, they may be led to an alternative website owned by a cybersquatter.

We suggest disabling this option. The browser should not infer where the user wants to go. If we type the wrong URL into the bar then we want to see an error.

The following options are triggered:

  • browser.fixup.alternate.enabled false (default true)
  • keyword.enabled false (default true)

When you disable this option all of the options return to their default values.

Optimization tab

These are a collection of "safe" speed optimizations we found to increase the responsiveness of Firefox while reducing CPU load and bandwidth usage. Keep in mind that these options are similar to what you find in FasterFox, but we only enable configurations considered safe and non-abusive to remote servers. If you enable these options the use of FasterFox is unnecessary.

enable http pipelining requests (currently not available)

NOTE: Sadly, due to new rules by Mozilla we can no longer include the option to turn on or off pipelining. As a result you will not find the option to enable HTTP pipelining in the add-on anymore. You are welcome to read about pipelining and enable it manually if you wish. We highly recommend using it.

HTTP pipelining is a technique in which multiple HTTP requests are written out to a single socket without waiting for the corresponding responses. Pipelining is only supported in HTTP/1.1, not in 1.0. The pipelining of requests results in a dramatic improvement in page loading times, especially over high latency connections such as satellite Internet connections. Since it is usually possible to fit several HTTP requests in the same TCP packet, HTTP pipelining allows fewer TCP packets to be sent over the network, reducing network load. -Wikipedia

Normally, HTTP requests are issued sequentially, with the next request being issued only after the response to the current request has been completely received. Depending on network latencies and bandwidth limitations, this can result in a significant delay before the next request is seen by the server.

HTTP/1.1 allows multiple HTTP requests to be written out to a socket together without waiting for the corresponding responses. The requester then waits for the responses to arrive in the order in which they were requested. The act of pipelining the requests can result in a dramatic improvement in page loading times, especially over high latency connections.

Pipelining can also dramatically reduce the number of TCP/IP packets. With a typical MSS (maximum segment size) in the range of 536 to 1460 bytes, it is possible to pack several HTTP requests into one TCP/IP packet. Reducing the number of packets required to load a page benefits the Internet as a whole, as fewer packets naturally reduces the burden on IP routers and networks.

The following options are triggered:

  • network.http.pipelining true (default false)
  • network.http.pipelining.ssl true (default false)
  • network.http.proxy.pipelining true (default false)

The number of requests pipelined by default is four (4). There is no ideal number of requests that should be pipelined at once, so this should be fine. If one increased the number of pipelined requests much higher they could suffer slowdowns if the remote server does not support this option properly.

When you disable this option all of the pipelining options return to their default values.

enable dns lookups over SOCKS5 (SOCKS v5) when using a proxy

When you use a proxy server you are sending your HTTP and HTTPS requests through the remote machine. It makes sense to also send your DNS requests through the proxy. If you do not, then even if your web traffic is proxied your DNS requests are not. This means the DNS admin at your location can look at what DNS requests you have made and infer where you are going.

For privacy and security this option sends your DNS requests over the proxied connection.

This option is especially useful if you set up an SSH tunneling proxy. You can find our detailed tutorial at Calomel.org's "Proxy Firefox through a SSH tunnel".

The following option is triggered:

  • network.proxy.socks_remote_dns true (default false)

When you disable this option all of the proxy options return to their default values.

wait up to 2000ms before page rendering

Firefox renders web pages incrementally. It displays the parts of the page that have been received before the entire page has been downloaded. What you see is the same web page being re-rendered every time another object, like a picture, is received. This is a CPU intensive task, since the start of a web page normally doesn't have much useful information to display. A better solution is for Firefox to wait a short interval before first rendering a page.

We set the delay to 2000 milliseconds. This is the maximum amount of time Firefox will wait before starting to render the page. If all of the parts of the page are received before this time the page is displayed immediately. We also set the notification interval of the browser rendering engine to 1 million microseconds (1 second) until the total of 5 refreshes is reached. The overall effect is pages using less CPU time and rendering the complete page more quickly.

The following options are triggered:

  • nglayout.initialpaint.delay 2000 (default 250 milliseconds)
  • content.notify.interval 1000000 (default 120000 microseconds)
  • content.notify.backoffcount 5 (default -1; unlimited refreshes)
  • content.notify.ontimer true (default false)

Lower values will make a page initially display more quickly, but will make the page take longer to finish rendering.

When you disable this option all of the options return to their default values.

disable prefetch of unvisited links

Link prefetching is when a web page hints to the browser that certain pages are likely to be visited next. Firefox downloads them immediately so they can be displayed from cache _if_ the user requests them.

Though this sounds like a great idea it adds a lot of CPU overhead and uses excessive bandwidth. You may prefer to only download the pages you ask for, and only when you ask for them.

The following option is triggered:

  • network.prefetch-next false (default true)

When you disable this option all of the options return to their default values.

enable tab preview switching (Ctrl-Tab)

Enabling this preview feature will add a new button to the right side of the Firefox tab bar. This button will display an overlay window that contains thumbnail previews of all open tabs in Firefox. A click on any tab thumbnail will make that tab the focus in the web browser. There is also a search box at the top of the window. This will automatically choose the tab that is closest to your search query.

Using Ctrl-Tab with this option enabled changes the default Ctrl-Tab behavior in Firefox. By default, pressing Ctrl-Tab cycles through the open tabs. With the option on, Ctrl-Tab shows a visual tab switcher displaying thumbnail images of the current and the five most recent tabs, with an option to quickly flip through them by pressing Ctrl-Tab again. The same preview has an option at the bottom of the window to display all open tabs.

Using this option may make other addons like "FoxTab" unnecessary.

The following options are triggered:

  • browser.ctrlTab.previews true (default false)
  • browser.allTabs.previews true (default false)

When you disable this option all of the options return to their default values.

enable caching only to ram (128meg); not to the hard drive

If you have a decent amount of RAM (i.e. 2 GB or more) in your system then you may want to think about caching _only_ to RAM. Normally, Firefox caches most of the objects from a web page onto the hard drive. You can speed up browsing very slightly by caching those objects into RAM only. Caching to RAM is also attractive if you clear the cache frequently, clear all caches when Firefox closes, or want to make sure nothing is written to the hard drive for privacy reasons.

By default, Firefox looks at how much RAM your machine has and decides how much of it to use for cache. It automatically sets the maximum memory used to cache decoded images and chrome objects based on this table.

browser.cache.memory.capacity="-1" autoset

Physical RAM     Memory Cache
   32 MB           2 MB 
   64 MB           4 MB
  128 MB           6 MB
  256 MB          10 MB
  512 MB          14 MB
    1 GB          18 MB
    2 GB          24 MB
    4 GB          30 MB
    8 GB and up   32 MB

To make RAM caching work we simply disable disk caching. This forces Firefox to place all web page objects that would normally be cached on disk into RAM. We also increase the amount of cache in RAM to 128 megabytes from the amount specified in the table above. If the amount of objects that need to be cached exceeds the RAM cache, Firefox simply gets rid of the oldest unused objects. Lastly, we disable the offline disk cache.

NOTE: we do not recommend using this option if you have less than 1 gigabyte of RAM in your system. The reason is we allow Firefox to use up to 128 MB to cache objects, and if the system does not have a lot of RAM you may start to use swap on the hard drive. To check what Firefox is caching you can use the Calomel sub menu under the "Tools" menu.

The following options are triggered:

  • browser.cache.disk.enable false (default true)
  • browser.cache.disk.capacity 0 (default 250 megabytes)
  • browser.cache.memory.enable true (default true ; we are making sure ram caching is enabled)
  • network.http.use-cache true (default true ; we are making sure caching is enabled for http and https)
  • browser.sessionhistory.cache_subframes true (default false)
  • browser.cache.check_doc_frequency 3 (default 3; make sure 3 is enabled as 2 messes up caching)
  • browser.cache.memory.capacity 131072 (default -1 ; auto-configure according to the table above)

When you disable this option all of the caching options return to their default values.

Privacy tab

do not show tab titles or icons

This option clears the title and icon normally seen in the current tab. If you are concerned about people looking over your shoulder at your browser to see what sites you have open, this is a good idea. If you take advantage of this option, the use of an add-on like "Page Title Eraser" would be unnecessary.

There is also a toggle option under the "Tools" menu. The toggle only temporarily turns tab titles and icons on or off. When Firefox is restarted the option you set in the add-on's preferences is restored.

disable safe browsing for privacy and speed

Firefox incorporates the "Google Safe Browsing" extension in its own "Phishing Protection" feature to detect and warn users of phishing web sites. This sounds great, but most of the time you will never see the result of this feature. In fact, unless you normally visit the darker edges of the Internet you may never have seen this Firefox error pop up.

There are two reasons we see to disable this function: privacy and speed. Every time you go to a site, change a URL or do anything, that information is sent to Google to be checked. This is a violation of privacy, as Google can track everything your IP does and everywhere you go. Disabling this option is also a way to gain some much needed response time. Every time you go to a new URL Firefox sends a request to Google and this takes time. Once the response has been received from Google it is cached locally, but looking up the request in the local file also takes time.

The following options are triggered:

  • browser.safebrowsing.enabled false (default true)
  • browser.safebrowsing.malware.enabled false (default true)

If you are worried about shady sites it is much more secure to turn off all JavaScript than to use the "safe browsing" option. Take a look at the NoScript add-on. It will keep you much safer than this option ever could, and it won't track your every click.

When you disable this option all of the options return to their default values.

disable geo location reporting to webpages

When you visit a location-aware website, Firefox will ask you if you want to share your location. If you allow geo reporting, Firefox gathers information about nearby wireless access points and your computer's IP address. Then Firefox sends this information to the default geolocation service provider, Google Location Services, to get an estimate of your location. That location estimate is then shared with the requesting website.

The following option is triggered:

  • geo.enabled false (default true)

When you disable this option all of the options return to their default values.

disable dns prefetch of unvisited sites

DNS resolution is dominated by latency rather than bandwidth, and the time to resolve a host is getting longer now that DNSSEC is being used. This makes DNS lookups a perfect candidate for speculative prefetching. The advantage is the latency improvement: instead of waiting for a hostname lookup when you click on a link, do the lookup while you are reading the page the link is embedded in. The cost of the lookups is small compared to the time saved waiting for the hostname to resolve after clicking that link. By keeping DNS prefetching enabled you may gain a 1% to 3% speed increase, but this gain is not likely to be noticed. This sounds like a great option! So, what is the problem?

When you go to a web page, Firefox will look at all of the links to all of the sites on that page. Then the browser will ask for the IP address of every one of those hosts. If the owner of the DNS server of the domain, the owner of the DNS server you are querying, or anyone listening on the network wanted to profile your browsing habits, they would only need to list out your requests by IP. Once the data is correlated they could get a good idea of not only the sites you go to, but also the pages on those sites. Remember that even if the web page you went to is SSL encrypted, the DNS requests are not.

The prefetcher does the opposite of its promise. It actually slows down the browser by looking up hundreds of domains a user will not click on. A good example is news.google.com, which spawns around 375 DNS lookups. All this DNS overhead to save the one (1) DNS lookup for the link the user actually clicks and requests. In essence, we have traded one perceived performance advantage for an increase in system load, browser latency and network bandwidth.

So, what are the implications to privacy of using prefetching? The best case scenario is that this prefetching introduces some noise into any logs made by the DNS server. The worst case scenario is that this enables a finer granularity of information to be inferred from the logs. For example, if a.com/a.html is the only page that has a link to b.com, and a user requests DNS records for both a.com and b.com in a short period of time, we can infer that the user visited a.html.

For more information on DNS prefetching and its impact on privacy take a look at the study called, "DNS Prefetching and Its Privacy Implications".

To try to retain some privacy and reduce system load we offer the option to disable DNS prefetching.

The following options are triggered:

  • network.dns.disablePrefetch true (default false)
  • network.dns.disablePrefetchFromHTTPS true (default false)

When you disable this option all of the options return to their default values.

Annoyances tab

disable blinking text

This option simply disables the browser's ability to blink any HTML text. This was something you would normally see in the old BBS boards and web sites designed in the nineties and is no longer needed in today's web. One could go as far as saying blinking text is just bad web design.

The following option is triggered:

  • browser.blink_allowed false (default true)

When you disable this value all of the options return to their default values.

disable animated gif and ads

This option disables the browser's ability to cycle animated images. An example would be an advertisement or a little icon in someone's signature. If you dislike seeing obnoxious ads animating over and over, this is a great solution.

Understand that this does not stop flash or movies from playing.

The following option is triggered:

  • image.animation_mode none (default normal)

When you disable this value all of the options return to their default values.

disable pop-up tips under the mouse cursor

A "Tool Tip" is the little box that pops up under the mouse cursor and shows some text about the image you are hovering over. Most of the time the tool tip is useless and may be distracting. This is simply an option to turn this function off.

The following option is triggered:

  • browser.chrome.toolbar_tips false (default true)

When you disable this value all of the options return to their default values.

enable ICC color correction for all images

In digital imaging systems, color management is the controlled conversion between the color representations of various devices, such as image scanners, digital cameras, monitors, TV screens, and print media. The primary goal of color management is to obtain a reasonable match across all color devices: a video should appear the same color on a computer LCD monitor, on a TV screen, and in a printed frame of that video. Color management helps to achieve the same appearance on all of these devices, provided the devices are capable of delivering the needed color intensities. Most of the time this option will be too subtle to notice, but it is easy to use and only slows down the rendering of the page by a few percentage points.

This option enables ICC color correction to be applied to all images on the page, not just those with an ICC flag. An excellent WordPress post at Dria.org called "Firefox 3: Color profile support" has pictures detailing what you see with and without ICC support.

If you enable this option the system default color profile will be used, which should be perfectly fine for 99% of users. The default rendering "intent" is perceptual. This directs Firefox to render the image so as to preserve detail throughout its tonal range, which is especially useful for general purpose display of images such as photographs and other pictures.

The use of this option may negate the need for other add-ons such as "Color Management".

The following option is triggered:

  • gfx.color_management.mode 1 (default 2)

When you disable this value all of the options return to their default values.

enable spell check on all text boxes

Normally, Firefox will only spell check a text box if that text box is two (2) lines or greater. This option simply enables spell checking on all text boxes. This means that when you type something into Google's search box, write a Twitter post, or enter anything on a single line, Firefox will spell check the entry. You will see a red wavy line under the misspelled word. Just right click on the word in question to see Firefox's suggestions for the correct spelling.

The following option is triggered:

  • layout.spellcheckDefault 2 (default 1)

Lastly, if you want to install dictionaries for more languages, go to Mozilla's Dictionaries & Language Packs page.

When you disable this value all of the options return to their default values.

disable internal DNS cache

Firefox will internally cache up to 20 hostname to IP address pairs for 60 seconds. This is done to help speed up browsing to some sites. The main problem is if you use Firefox to test servers in a production environment where those hostname to IP address pairs change frequently. It is a pain to have to wait until Firefox clears its own cache, or to remember to clear the cache manually every time you test a new server.

The other problem is that many of the busiest sites have significantly more than 20 links to 20 different hostnames, so internal caching is really not that helpful.

This option just disables Firefox's internal DNS cache completely and directs Firefox to check an external DNS server. The external DNS server could be your OS resolver if you have that set up, or it could be your local LAN DNS server.

If you set up your own DNS caching, validating and resolving server like Unbound or BIND, then Firefox will use it directly. We find that querying our private Unbound DNS server is significantly faster than using the internal cache.

If you are using Firefox on Windows, note that Windows contains a client-side Domain Name System (DNS) cache. If you want to, you can disable this cache by searching Google for "disable windows dns cache". Once Firefox's cache is disabled and the Windows cache is disabled, you should be querying your external LAN DNS server.

You may want to test this option yourself on your network to see if you want to use it.

This option is exactly what the Firefox add-on "DNS Cache" does and basically negates the need to manually clear the DNS cache like what the add-on "Clear Cache Button" does.

The following options are triggered:

  • network.dnsCacheEntries 0 (default 20 hostname to ip address pairs)
  • network.dnsCacheExpiration 0 (default 60 seconds)

When you disable this value all of the options return to their default values.
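The DNS prefetch and internal DNS cache preferences above (together with geo.enabled) can be pinned in a profile's user.js so they survive restarts and can be kept under version control. The script below is an added example, not part of the add-on or of this page; it assumes a POSIX shell, that the profile directory is passed as its argument (see about:support, "Profile Directory"), and that user.js is read on every Firefox start and overrides prefs.js (which is how Firefox has long behaved). The preference names and values are exactly those listed on this page.

```shell
#!/bin/sh
# Added example (not the add-on's code): write the DNS-related privacy
# preferences from this page into a Firefox profile's user.js.
# The profile path is an assumption; pass your own as $1.

# Preference name / value pairs exactly as this page lists them.
# Output format: name<TAB>value, values as JavaScript literals.
privacy_prefs() {
    printf '%s\t%s\n' \
        network.dns.disablePrefetch          true  \
        network.dns.disablePrefetchFromHTTPS true  \
        network.dnsCacheEntries              0     \
        network.dnsCacheExpiration           0     \
        geo.enabled                          false
}

# Render one user_pref() line per pair, the syntax user.js expects.
render_userjs() {
    privacy_prefs | while IFS="$(printf '\t')" read -r name value; do
        printf 'user_pref("%s", %s);\n' "$name" "$value"
    done
}

# Install into a profile directory: back up any existing user.js, drop
# older lines for the same prefs (so re-running never duplicates them),
# then append the current set. Unrelated user_pref lines are kept.
install_userjs() {
    profile=$1
    [ -d "$profile" ] || { echo "no such profile dir: $profile" >&2; return 1; }
    target="$profile/user.js"
    if [ -f "$target" ]; then
        cp "$target" "$target.bak"
        privacy_prefs | cut -f1 | while read -r name; do
            grep -vF "user_pref(\"$name\"," "$target" > "$target.tmp" || true
            mv "$target.tmp" "$target"
        done
    fi
    render_userjs >> "$target"
}

# Check that a pref is present in user.js with the expected value.
# Usage: pref_is_set /path/to/profile network.dnsCacheEntries 0
pref_is_set() {
    grep -qxF "user_pref(\"$2\", $3);" "$1/user.js"
}

# Show what would be written when run without installing.
render_userjs
```

After installing, restart Firefox and confirm in about:config that the five entries show as user-set; since user.js is re-read at every start, changing them in about:config is only temporary until the line is removed from user.js.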

About tab

show help page after update

This simply opens up a tab and loads this help page when the add-on is updated. When changes are made you can read about them here in detail after Firefox is restarted. You can also get to this page using the link at the bottom of the pop-up box after clicking the URL icon button.

When you disable this value the help page will not open on upgrades.

Questions?

I have a question, comment or suggestion about the add-on.

On the Mozilla Firefox page for the add-on, "Calomel SSL Validation", there is a review box. You are welcome to write a review, grade the add-on and add any additional comments or concerns you have. This is not a bug reporting tool, but it should serve this purpose fine. We would be happy to hear about any way to improve the extension.

I notice when I open a blank tab there is a saying in the drop down box.

When there is not an active connection in a tab the drop down box does not really do much. So, we thought we would put a saying or phrase in there to honor our favorite science fiction or movie phrases.

What can I do about Adobe Flash cookies which are NOT controlled by Firefox ?

If you set up Firefox in "Private Browsing" mode and delete cookies when you shut the browser down, Flash cookies will NOT be deleted. A Flash cookie, or Local Shared Object, is a file that a website using Adobe products stores on your computer, outside of the control of your browser settings. This is different from a regular cookie. These are associated with Adobe Flash, which is used by many websites. Unfortunately, they are also used to store tracking information. This data can be accessed by sites that did not originally set it, and can also hold backed-up copies of regular cookies stored by your browser which should have been deleted. This is a HUGE privacy violation.

In Ubuntu and many Linux distributions, Adobe Flash settings are stored in the ~/.adobe folder and the cookies themselves in the ~/.macromedia folder. We suggest symlinking these to /dev/null so that anything trying to write to these folders does not get an error message, but nothing ever gets written to disk.

We use the following commands to link Adobe to /dev/null:

  1. rm -rf ~/.adobe ~/.macromedia
  2. ln -s /dev/null ~/.adobe
  3. ln -s /dev/null ~/.macromedia
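The same three steps, as an added example that is not part of this page, wrapped so they are safe to re-run and so you can verify the result. It assumes a POSIX shell and that the account's home directory is the one whose Flash data should never reach disk; pass another directory as the first argument to operate on a different home (or a scratch directory when trying it out). The ~/.adobe and ~/.macromedia paths are the ones named above.

```shell
#!/bin/sh
# Added example, not the page's own commands: replace ~/.adobe and
# ~/.macromedia with symlinks to /dev/null, idempotently, and verify.
# $1 (optional) overrides $HOME so the functions can be run on any tree.

FLASH_DIRS=".adobe .macromedia"

# Replace each Flash directory with a symlink to /dev/null.
# Paths that already point there are skipped, so re-running is harmless.
neutralize_flash_dirs() {
    home=${1:-$HOME}
    for d in $FLASH_DIRS; do
        p="$home/$d"
        if [ -L "$p" ] && [ "$(readlink "$p")" = /dev/null ]; then
            continue                    # already neutralized
        fi
        rm -rf "$p"                     # discard existing data, as on the page
        ln -s /dev/null "$p" || return 1
    done
}

# Return 0 when every Flash directory is a link to /dev/null, else 1.
flash_dirs_neutralized() {
    home=${1:-$HOME}
    for d in $FLASH_DIRS; do
        p="$home/$d"
        [ -L "$p" ] && [ "$(readlink "$p")" = /dev/null ] || return 1
    done
    return 0
}

# Count Local Shared Object (*.sol) files still present under the Flash
# directories; run before and after to confirm that none remain.
count_sol_files() {
    home=${1:-$HOME}
    find "$home/.macromedia" "$home/.adobe" -name '*.sol' 2>/dev/null | wc -l
}

# Typical use on the current account:
#   count_sol_files; neutralize_flash_dirs; flash_dirs_neutralized && echo ok
```

flash_dirs_neutralized is the check worth keeping around: a Flash update or a reinstall can quietly recreate a real directory, and the exit status tells you in one call whether the links are still in place.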

Eventually, HTML5 should be able to replace Adobe Flash video and some other Adobe functions. We hope this day comes sooner rather than later, given that a company like Adobe does sneaky things like this.

Finally, we prefer simple solutions, but if you do not want to set up the directories to link to /dev/null then there is an add-on that can help. Take a look at "BetterPrivacy" on the Mozilla site. It has the ability to delete these types of Flash 'SuperCookies'.
