An add-on for Mozilla Firefox to give additional information when visiting secured sites.

In short, the Conspiracy browser extension will show you flag symbols, for each country (up to 7) involved in issuing the X.509 certificate, which is used by a https site you visit, or that you recently visited (within the last couple of seconds, knowingly, or implicitly as part of redirects).

FYI: This extension is also being hosted at

See end of page for Changelog.

Unfortunately, the purpose of this extension isn't easy to explain. The following is an attempt to do so.

Whenever you visit a secured web site, using the https/SSL protocol, your browser decides whether the site should be shown as secured or not. The browser chrome may show a padlock icon, different background colors for the web site's address, etc.

The decision will be based on trust for certain Certificate Authorities (CA) that are shipped with your browser, or which might be installed on your operating system. This may include your personal or you employer's modifications to that predefined trust.

It's important to note what kind of trust this is about. It's not about being good or bad. It's about who you are talking to, and whether it can be verified. Maybe those who can be identified are less likely to do very bad things, because they can be tracked down. But can you rely on that?

You probably shouldn't, you are on your own. If you make business with a site, and you learn it treats you bad, you can learn from your mistakes and avoid that site in the future. You may even report it to public authorities or sue the operators of a business. But that's not what we're looking at here. We want to look one level above, we want to talk about CAs.

In order to get added to the list of trusted CAs that are shipped with Firefox, a CA has to comply with the Mozilla CA policy.

CAs are supposed to give certificates only to those people who can proof they are the legitimate owners of an Internet domain name, or, when talking about the higher level EV or augmented certificates, can proof they are the real owners of a registered corporation, which they would like to get a certificate for.

Usually, this level of verification should be fine for most scenarios and people. CAs have an interest to be trustworthy, otherwise they would lose their status of being included in browsers by default, and consequently would lose their business.

However, for some environments the above is not sufficient. Some people are worried about conspiracy between CAs and Governments. (I have no idea whether there actually is such conspiracy.)

How would such a conspiracy work? Let's say, you live in a country where the government wants to restrict what people talk about, or at least know what information people exchange. Let's call an example of such a country "X".

Let's say, a person living in country X wants to circumvent the powers of government X by using an email service in another country, potentially promising more freedom, and by using encryption between the personal computer and the email server. Let's call such a potentially better country "Y", and let's call the email service in that country "EM".

The user may feel secure, because the browser shows the indicators that suggest the session is secured, the peer has been verified.

Now let's say, country X operates a CA that gets added to the browser (named X-CA). How does this (potentially) change things?

Let's say the government of X puts pressure on X-CA. It might be able to do so, because the people who run X-CA live in X.

The government of X may "ask" X-CA to issue a false certificate for EM!

If anyone could proof that X-CA issued such a false certificate for EM, then the maintainers of the browser would immediately remove any trust from X-CA. But, the question is, would anyone notice that a false certificate has been issued?

Let's say the false certificate was issued and X's government abuses its powers, and acts as a "Man in the middle" (MITM) beween the individual and the real EM service, then X is able to read all data, passwords and emails exchanged between the individual and EM.

If the government of X doesn't do this all the time, maybe only for selected sessions, then it might be very difficult for invididuals to detect there is an MITM. Yes, it's possible already, even without this extension. It requires to inspect security information for your current page, and verify who issued the cert. Then it's necessary to make an educated decision, whether the issueing CA is the one that is to be expected. But, how many people know this, take the time to inspect this information every time, and will actually notice an unexpected issuer from X-CA in X, while you'd really should expect, say, issuer Y-CA from Y?

Maybe it's too unlikely that such a MITM attack will get noticed.

Let's say you suspect you may become a victim of such a conspiracy. Let's say you want to know which countries were involved in verifying the site you're currently visiting. You want to know that each time. You want to see that easily, without having to search for it every time you visit a secured page.

That's what this extension tries to do for you. It will show you country flags or country names in the status bar of your browser. Whenever you visit a secured page, it will examine the chain of trust, from the page's certificate up to the CA that was included in the browser, and which was used to issue a page's cert.

There is a limitation, this extension will show you up to 7 countries in the status bar, and if there are more involved, it will also inform you about it, so you can look it up yourself in the detailed security information your browser makes available. However, it will always include the country of the root CA involved, the country mentioned in the page's certificate, plus the additional countries that are be involved in the middle of the trust chain. But usually 7 countries should be sufficient. However, the list may fill up quicker, if you visit a lot of different secure sites within a short period of time, where the sites use certs issued in different countries.

Disclaimer: This extension is provided as is. There are no promises it will really work. If there are software problems (bugs), I'm sorry. Use at your own risk. When in doubt, double check using the detailed security information made available by your browser.

Disclaimer: All abbreviations are fictionial and are not intended to relate to a particular country. In my opinion, the above could theoritically apply to any country and any CA. Who knows what Secret Services do? I don't know.

Warning: Please consider that the fictional country X may trick you into believing you are safe, despite using this extension. If such attacks are really happening and you download from within country X, they may have the power to send you a modified version of this extension, that doesn't show (potential) fraud originating from X-CA.

If you think this may be helpful and you wish to try it out, click on the download link to install it into Firefox. It may also work for SeaMonkey.

Download/install the Conspiracy extension

Alternative you may download from (won't ask you to confirm installing from a site, but will ask you to confirm installing an experimental addon).

When creating this extension, I reused a lot of code and resources found in the WorldIP extension.

Should you ever run into a CA abuse scenario and want to collect evidence, you could use the Cert Viewer Plus add-on to save fraudulent certificates to your computer. You could report such incidents (including the evidence) to the newsgroup.

Kai Engert

2010-03-18: Update to version 0.2.2 - Recently seen CAs are included in the display (previous 60 seconds). The intention is to make users aware of recent redirects that went through other sites. As this could involve a bigger number of countries, the number of flags shown has been increased to 7. The recent flags will also still be shown if you navigate to a site without protection (plain http).
2010-03-18: Update to version 0.2.3 - Don't cleanup flags when switching tabs (only navigation will trigger cleanup).
2010-03-22: Update to version 0.2.5 - Switched to JSON API, in order to avoid using JS eval. Fixed SeaMonkey support.
2010-03-22: Update to version 0.2.6 - Updated Icon and added kudos to base WorldIP extension creator Alex Aster.
2010-03-24: Update to version 0.2.7 - Fixed a bug where countries from one tab were added to another tab's countries.
2011-04-05: Update to version 0.3.0 - now displaying name of current CA. Adjusted labels.