Firefox SSL-Certificate Debate Rages On

kdawson posted about 6 years ago | from the four-screens-i-mean-really dept.

Mozilla 733

BobB-nw points out the ever more raucous debate over the way Firefox 3 handles self-signed certificates. The scary browser warnings have affected a number of legitimate sites (such as Google AdWords and LinkedIn) that didn't renew certs in time. Lauren Weinstein loudly called attention to the problem early in July. "If you visit a website with either an expired or a self-signed SSL certificate, Firefox 3 will not show that page at all. Instead it will display an error message... To get past this error page, users have to go through four different steps before they can access the website, which from a usability standpoint is far from ideal. This way of handling websites with expired or self-signed SSL certificates is bound to scare away a lot of inexperienced users, no matter how legitimate the website is."

Worth it. (5, Funny)

Shaitan Apistos (1104613) | about 6 years ago | (#24703591)

As long as I get my awesome bar, I'll put up with anything.

Re:Worth it. (5, Insightful)

Bashae (1250564) | about 6 years ago | (#24703623)

Well, I can live with it, but they could at least patch this feature to make it less annoying with self-signed certificates. Show a warning, yes, but right now the error message is too creepy.

Re:Worth it. (4, Insightful)

gbjbaanb (229885) | about 6 years ago | (#24703649)

amen. The error message seems to be designed for people who know about these things, not mom and pop users.

They could improve the message significantly, explaining what the problem is and what to do about it. Then I think the issue wouldn't be so big anymore. People would still complain about the number of clicks to accept a self-signed cert, but at least it would appear as legitimate information instead of an 'error'.

Re:Worth it. (5, Insightful)

Anonymous Coward | about 6 years ago | (#24703955)

amen. The error message seems to be designed for people who know about these things, not mom and pop users.

I don't follow this sentence. That seems to describe *precisely* the old way of doing things, an easily dismissible box that only experts took note of and understood. The new method is *supposed* to bother users and get them to pay attention to the actual risk, while offering them a way to still accept it.

Whether or not you think being bothersome to users is a legitimate technique can and should be open to debate, but I don't think it targets experts at all...

Re:Worth it. (5, Insightful)

HungryHobo (1314109) | about 6 years ago | (#24704051)

They could do with a red-yellow-green warning system.

Red - sites with self-signed certs which have changed since the last time you have visited them (keeping a record of all certs accepted to this point would be a good idea to help with this)
Yellow - Self-signed cert. Warning first time you go to the site with accept/reject.
Green - Signed and verified by trusted 3rd party.

Sites which have a signed and verified cert and which have marked themselves as "should always be HTTPS" but which you are visiting with HTTP should be red as well.
This way if some phisher sent you a link to http://paypal.com and paypal had registered with the trusted 3rd party that their site should always be using HTTPS then you get a red warning. Yes I know this would mean traffic to the trusted 3rd party whenever you visit any http site.

That's the point (5, Insightful)

Anonymous Coward | about 6 years ago | (#24704157)

amen. The error message seems to be designed for people who know about these things, not mom and pop users.

Mom and pop users should never, ever go to a website with self-signed or expired certs. It's true that there are a lot of legitimate sites that fit the category, it might even be true that most of the self-signed sites are legit. The problem is that mom and pop users are not savvy enough to distrust anything, unless there's a big fat warning there.

Firefox 3 allows you to permanently accept those certificates. If you're computer literate enough to know about these things, you whitelist those sites. If you're a mom and pop user, you call a tech savvy family member / friend / neighbor / neighbor's kid to vouch the site for you and whitelist it.

Re:Worth it. (5, Insightful)

bunratty (545641) | about 6 years ago | (#24703713)

It's supposed to be creepy [johnath.com], because it may be the only warning you're the victim of a DNS poisoning and you're not at the site you think you are, or you're the victim of a man-in-the-middle attack and your "encrypted" communications are being intercepted and read. At least in Firefox 3 you need to add an exception to see the site, so you see the warning only once. In Internet Explorer 7, you can see the site by clicking a link, but you will see the scary warning every time you visit the site. Users will disregard the warning if they see it very often, making the warning ineffective.

Re:Worth it. (3, Insightful)

HungryHobo (1314109) | about 6 years ago | (#24704079)

Yes, but it shouldn't treat a self-signed cert worse than no cert unless it has changed since your last visit, and if this is your first visit then it shouldn't be more creepy than simple http (no warning at all, so your average mom and pop won't even think they're being scammed).

Re:Worth it. (5, Insightful)

mulvane (692631) | about 6 years ago | (#24703655)

Let's not expect site maintainers to actually keep their ssl certs up to date. Oh noes. We want customers to not trust ssl certs so they may fall victim to a scam.

Re:Worth it. (5, Insightful)

Cormacus (976625) | about 6 years ago | (#24703687)

I have to agree. Few things should be more important to a site administrator that handles personal information for their clients than getting their SSL certs updated in time.

Browsers that allow this kind of lax security atmosphere are part of the problem.

Re:Worth it. (5, Insightful)

phoenix321 (734987) | about 6 years ago | (#24703903)

Better yet: expect the non-technical crowd, the users, to put up with errors of the pro-technical crowd, the site maintainers.

Excellent shift of responsibility towards, right?

I think this is an issue of whiny webmasters, really. A proper certificate is around 10 bucks per year and although they issue it to anyone, it is security at a much higher level than using a self-signed crutch.

If you're a website owner, put up those 10 dollars and stop complaining. Keep your house clean and your certificates valid.

EVERYTHING you do by that is better than to accustom millions of non-technical users to click away any and all error messages when surfing. If all browsers would show these drastic certificate errors AND all SSL-loving webmasters would keep their certs updated, we would have less issues in phishing and scamming, much less.

Either you have security or you don't. Encrypting to someone is useless or even dangerous when you mistake the identity of the receiver.

Re:Worth it. (1)

erikina (1112587) | about 6 years ago | (#24704143)

Not really. It's how you force the site maintainers to upgrade, by annoying their users. Do you really think a company is just going to ignore the problem, if it's seriously affecting their userbase? But if you didn't push it on the end users, nothing would get done.

Re:Worth it. (2, Interesting)

erikina (1112587) | about 6 years ago | (#24703949)

That's really not the point. The point is, what's worse: Using NOTHING or using an expired/self-signed cert? Yes, self-signed certs introduce undetectable MiTM attacks, but they still stop listening (without actively changing every packet being in the middle encrypted and decrypting from both sides).

In fact, all browsers really bitch about self-signed certs, which is why none of my websites use https - when it would clearly be more secure.

The only reason you would do that, is because people attach trust to https:// so I propose that all secure sites (valid certs) make the whole fricken browser light up yellow with a big ass padlock to show it's secure. Self-signed, and expired certs will just get https:// invalid certs will get a warning. And plaintext will get http://

Everyone's happy, and people will feel secure going to their bank site with a *big* padlock (that should be noticeable if absent).

Re:Worth it. (0)

Anonymous Coward | about 6 years ago | (#24703983)

Couldn't agree more - if sites such as Google can't get their act together to keep their SSL certificates valid, then they deserve to lose people.

Re:Worth it. (0)

Anonymous Coward | about 6 years ago | (#24704107)

Yeah, why should Google be forced to renew SSL on time? What's up with that? Why should anyone have to?
Even more reason to use Firefox.

ann-on-o-mus

Re:Worth it. (3, Interesting)

elrous0 (869638) | about 6 years ago | (#24704201)

And some of us WANT to be warned when we're dealing with a cheap-ass website whose people don't have their shit together. To me, a website who has let their certificate expire or is too cheap to spend $10 a year to get a real certificate is not a website that I want to be doing business with in the first place.

Two steps forward... (0, Redundant)

n3tcat (664243) | about 6 years ago | (#24703603)

...one step back. *sigh*

That's the point. (5, Insightful)

WPIDalamar (122110) | about 6 years ago | (#24703629)

Isn't scaring away inexperienced users from sites with questionable security the whole point of those warnings?

I mean a user friendly message that lets someone get past it really easily wouldn't exactly get the job done.

Re:That's the point. (1)

Bert64 (520050) | about 6 years ago | (#24703641)

Because not all of these sites are questionable...
All it does is force these sites to buy certificates from the existing ssl certificate cartel.

Re:That's the point. (5, Insightful)

Cormacus (976625) | about 6 years ago | (#24703725)

If we need to change the way SSL certificates are issued and who has control over it (etc) . . . that is one issue.

Encouraging web browsers to ignore security irregularities and allow users to access sites that handle private information *without* bringing it to the user's attention is just irresponsible.

Re:That's the point. (4, Interesting)

Anonymous Coward | about 6 years ago | (#24703791)

Because not all of these sites are questionable...
All it does is force these sites to buy certificates from the existing ssl certificate cartel.

Your site isn't questionable, but the business or sysadmin behind it IS. I'm sorry, but when you find you want/need to run SSL encryption, an SSL cert is around $150/year. Not exactly extortion when you consider all the other expenses to run a website (hardware, OS licenses, bandwidth).

Re:That's the point. (4, Informative)

Shikaku (1129753) | about 6 years ago | (#24704109)

http://www.startssl.com/ [startssl.com] Except you can get it for free.

Re:That's the point. (0)

Anonymous Coward | about 6 years ago | (#24703811)

If you don't trust your network not to snoop, you can't trust it not to MITM. The only way a self-signed site isn't questionable is if it gives you the cert out-of-band, in which case Firefox wouldn't complain anyway.

I understand that people don't like this, and they're right not to like it! Admins should fix their sites! I applaud Firefox for bringing attention to this problem that people have been ignoring out of convenience.

Re:That's the point. (0)

Anonymous Coward | about 6 years ago | (#24703669)

So, my wireless broadband router admin site needs to renew its certificate every year? Self-signed certs are used for valid reasons.

Re:That's the point. (2, Insightful)

phoenix321 (734987) | about 6 years ago | (#24703957)

How do you know it is YOUR wireless broadband router admin site, then? It could be anyone who just managed to re-route your connection.

Why should you use encryption (securing transit lines) when you don't need authentication (securing transit endpoints)? When you're not sure if the endpoint you're talking to is the one you want, you could as well transmit everything in cleartext, because your receiving endpoint might as well be the eavesdropper himself.

Re:That's the point. (1)

morgan_greywolf (835522) | about 6 years ago | (#24704027)

So, my wireless broadband router admin site needs to renew its certificate every year? Self-signed certs are used for valid reasons.

Can you trust everyone on your network? Hint: in most cases you can't if you're running a wireless router.

Re:That's the point. (5, Funny)

Anonymous Coward | about 6 years ago | (#24703733)

Didn't scare me away. I just bought a laptop from neweggs.com for a fantastic price, and their cert was expired. They even added a second layer of security for credit card transactions, requesting my SSN and driver's license. I can appreciate that level of trust from a website.

Re:That's the point. (1)

Swizec (978239) | about 6 years ago | (#24703773)

Dude it scared ME away and I was using alternative browsers since before FF even existed. The problem isn't so much that the message is there, the problem is that it's way way too scary and once you get over the knee-jerk reaction of shitting your pants you're left with a cumbersome process of adding the website to a trusted list and whatever all that stuff is, I've never paid attention through the whole process.

Re:That's the point. (1, Insightful)

Anonymous Coward | about 6 years ago | (#24703803)

a) Experienced users can't be fscked adding exceptions all the time. Why isn't there an option in about:config to use as a workaround?

b) Most experienced users are very happy with self-signed certificates - they are mainly trying to avoid middleman security issues (ISP, employer and other big brother types).

c) Most experienced users know exactly what kind of a farce the whole SSL certificate business is. There is no guarantee that if a certificate states that a website belongs to Google, that it really does. There is no verification done whatsoever and the entire thing is just a sham.

d) I have no intention of forking out cash for the abovementioned farcical certificates for those of my servers which require SSL. I just tell users to either just follow FF's instructions, use a different browser or buy me a certificate.

e) There are far more computer savvy FF users out there than technophobes... cater to your primary user base first hand or at least ensure that their usability is not affected.

f) At the very least, allow access to the site with the usual banner at the top that warns of authenticity issues.

g) I just set my Mom back onto Opera because of this.

Re:That's the point. (3, Insightful)

Goaway (82658) | about 6 years ago | (#24703917)

b) Most experienced users are very happy with self-signed certificates - they are mainly trying to avoid middleman security issues (ISP, employer and other big brother types).

Uh, self-signed certificates are WIDE OPEN to MITM attacks. That's kind of the point here? Maybe you're not as experienced as you think?

Re:That's the point. (5, Informative)

swilver (617741) | about 6 years ago | (#24704135)

No, they are not. I'm afraid you are not as experienced as you think.

You see, self-signed certificates are only wide open to MITM attacks if the person monitoring you was replacing all certificates pro-actively before you even visited the website once. If you however have visited the site before, Firefox will warn you that the certificate has changed when a MITM changes it. At this point Firefox should display a big red warning.

Furthermore, and this is the part that people like you do not seem to grasp, there IS use for encryption beyond protection from MITM attacks. Using SSL encryption protects me from password sniffers that sit on my network, or in my wireless neighbourhood or from some compromised router my request travels over. It protects me from some script kiddy running a network monitor seeing what I'm typing in HTTP forms. Yes, it does not protect me from a REAL MITM attack (unless of course I've been there before, and see that the certificate changed), however the sites providing simple SSL encryption just for the sake of not sending stuff in plain text are not worth attacking anyway.

Re:That's the point. (2, Insightful)

swilver (617741) | about 6 years ago | (#24703953)

Arguably, sites that use SSL are more secure than regular HTTP sites. Why then are no big red warnings displayed for every regular HTTP site visited?

Re:That's the point. (4, Insightful)

MiKM (752717) | about 6 years ago | (#24704155)

Unlike sites with self-signed certs, sites with vanilla HTTP make no claim about their security.

Re:That's the point. (0)

Anonymous Coward | about 6 years ago | (#24704019)

The point of the criticism is that the warnings should not make users more afraid than if they were connecting to a completely unsecured web site. As it is, an encrypted but not properly authenticating web site looks scarier than a website without any encryption and authentication.

What the browser should do is treat websites with self-signed certificates like unencrypted sites (no lock symbols, no url-bar color, etc.), with one exception: Warn when the certificate is not the same as last time you connected to that server. An expired certificate on the other hand should be treated with utmost suspicion, because it could be an attacker using an old, compromised certificate. There should be a stern warning even if the certificate hasn't changed. If the current certificate is expired and not the same certificate as last time, there should be no simple way to connect to the site at all.
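
Added example, not part of the thread and not Firefox's code: the remember-the-certificate policy proposed in this thread, written out in Python. It combines HungryHobo's red/yellow/green scheme (including the "should always be HTTPS" registry) with the expired-certificate rules from the comment just above. The `PinStore` class, the host names and the certificate bytes are constructed for illustration, and the chain-validation result and expiry date are assumed to come from the TLS library.

```python
"""Trust-on-first-use indicator policy for self-signed certificates (illustrative)."""
import hashlib
import hmac
from datetime import datetime, timezone
from enum import Enum


class Verdict(Enum):
    NONE = "plain HTTP, no indicator"
    GREEN = "verified by a trusted third party"
    YELLOW_PROMPT = "self-signed, first visit: ask accept/reject"
    YELLOW = "self-signed, same certificate the user accepted earlier"
    RED = "stern warning"
    BLOCK = "no simple way to connect"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding; this is the value remembered per host."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Hypothetical store of certificates the user has accepted, keyed by host."""

    def __init__(self, https_only=()):
        self.pins = {}                     # host -> fingerprint the user accepted
        self.https_only = set(https_only)  # hosts registered as "should always be HTTPS"

    def accept(self, host: str, der_cert: bytes) -> None:
        """Record the certificate only after the user chose 'accept'."""
        self.pins[host] = fingerprint(der_cert)

    def classify(self, scheme, host, der_cert=None, ca_verified=False,
                 not_after=None, now=None) -> Verdict:
        # Assumption: ca_verified and not_after are supplied by the TLS
        # library's own chain validation; this code only decides the indicator.
        now = now or datetime.now(timezone.utc)
        if scheme == "http":
            # Plain HTTP is only alarming when the site promised HTTPS.
            return Verdict.RED if host in self.https_only else Verdict.NONE
        if der_cert is None:
            raise ValueError("HTTPS classification needs the presented certificate")
        pinned = self.pins.get(host)
        changed = pinned is not None and not hmac.compare_digest(
            pinned, fingerprint(der_cert))
        if not_after is not None and now > not_after:
            # Expired: stern warning if unchanged, refuse if it also changed.
            return Verdict.BLOCK if changed else Verdict.RED
        if ca_verified:
            return Verdict.GREEN
        if pinned is None:
            return Verdict.YELLOW_PROMPT
        return Verdict.RED if changed else Verdict.YELLOW


def demo():
    # Constructed stand-ins for DER certificates; real input would be the
    # bytes the server presented in the handshake.
    router_cert = b"constructed-self-signed-cert-A"
    swapped_cert = b"constructed-self-signed-cert-B"
    now = datetime(2008, 8, 22, tzinfo=timezone.utc)
    valid_until = datetime(2009, 1, 1, tzinfo=timezone.utc)
    lapsed = datetime(2008, 7, 1, tzinfo=timezone.utc)

    store = PinStore(https_only={"bank.example"})
    results = {}
    results["http ordinary"] = store.classify("http", "blog.example")
    results["http to https-only"] = store.classify("http", "bank.example")
    results["ca verified"] = store.classify(
        "https", "bank.example", b"constructed-ca-issued-cert",
        ca_verified=True, not_after=valid_until, now=now)
    results["first visit"] = store.classify(
        "https", "router.example", router_cert, not_after=valid_until, now=now)
    store.accept("router.example", router_cert)  # user clicked 'accept'
    results["return visit"] = store.classify(
        "https", "router.example", router_cert, not_after=valid_until, now=now)
    results["changed"] = store.classify(
        "https", "router.example", swapped_cert, not_after=valid_until, now=now)
    results["expired same"] = store.classify(
        "https", "router.example", router_cert, not_after=lapsed, now=now)
    results["expired changed"] = store.classify(
        "https", "router.example", swapped_cert, not_after=lapsed, now=now)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20} {verdict.name}")
```

The pin is written only in `accept`, so a certificate that shows up during an interception attempt is never remembered unless the user explicitly approves it.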

Re:That's the point. (4, Insightful)

Timothy Brownawell (627747) | about 6 years ago | (#24704191)

Isn't scaring away inexperienced users from sites with questionable security the whole point of those warnings?

I mean a user friendly message that lets someone get past it really easily wouldn't exactly get the job done.

Plain http is even more questionable, and somehow it doesn't complain about that. Also, some people tend to think that CAs are more security theater than real security, and there are better ways to do things.

Security Is worth It With all the Troll Sites (5, Interesting)

curmudgeon99 (1040054) | about 6 years ago | (#24703631)

With all the sites out there just looking to steal information from you, and to introduce Cross-Site scripting elements, this is a good idea. I want my browser to warn me when I'm going into uncertain territory. And if a website owner screwed up and did not renew their certs--to hell with them. We're supposed to accept a security risk because they couldn't get off their asses and renew? I don't think so.

Re:Security Is worth It With all the Troll Sites (0)

Anonymous Coward | about 6 years ago | (#24703847)

We're supposed to accept a security risk because they couldn't get off their asses and renew? I don't think so.

I think the bigger issue is the self-signed SSL certificates; people that went through the trouble of encrypting your data but don't want to rely on to sign their certificates. Firefox forcing them to sign up, else they'll break their user experience.

Re:Security Is worth It With all the Troll Sites (3, Interesting)

swilver (617741) | about 6 years ago | (#24704021)

Unfortunately, you do not get it at all.

Those people using self-signed certificates could also simply run a normal HTTP server, and you'd be none the wiser. You do not get warnings for "regular" HTTP sites.

You are basically saying that a website with an expired certificate or self-signed certificate is WORSE than regular HTTP sites, while in reality they at least provide you with an encrypted connection and a warning if the certificate changed since the last time you connected to that site (and when that happens, THEN you should get a BIG RED WARNING).

Absolutely right (2, Insightful)

Anonymous Coward | about 6 years ago | (#24703639)

Certificates are a useful tool if used properly. Expired or self-signed certs have no value, one would expect admins to have the minimum awareness (professionalism?) to maintain them correctly? Or is even that too much to ask?

Re:Absolutely right (2, Insightful)

morgan_greywolf (835522) | about 6 years ago | (#24704093)

Expired or self-signed certs have no value, one would expect admins to have the minimum awareness (professionalism?) to maintain them correctly? Or is even that too much to ask?

Internally in a network where you can trust all the traffic, self-signed certs aren't much of a problem. In fact, they work just fine. Yes, it would be nice if we could do away with them and generate our own through our own internal root CA, but then some devices just don't let you add your own cert.

But, yes, self-signed certs have a time and a place. You have to be careful and validate the cert's fingerprint -- possibly even by hand.

Dunno (1)

Kangie (975603) | about 6 years ago | (#24703647)

I have a bit of a mixed opinion of this - Certainly it's useful on untrusted websites... but I often have to use Firefox with various Exchange webmail servers... All using self-signed certificates. It gets slightly annoying... But at the same time, I'd rather be asked about accepting self-signed certificates than not... Perhaps something similar to the IE7 warning page is in order?

Entirely legitimate (1, Insightful)

Anonymous Coward | about 6 years ago | (#24703651)

So, major sites fail at keeping correct, valid, up-to-date certs. Firefox (legitimately) refuses to say the site is properly identified and that's Firefox's fault...?

Yes, this is a change in behaviour, but in the long run it will force certs to mean something.

http://blog.johnath.com/2008/08/05/ssl-question-corner/ [johnath.com]

Re:Entirely legitimate (1)

jacquesm (154384) | about 6 years ago | (#24703717)

amen. Firefox works just fine. If those companies can't be bothered to update their certificates and firefox refuses to show the pages then I think that's fantastic news.

If all browsers would take such a strict approach then I'm pretty sure certificate lapses would occur much less frequently, especially not with such large companies.

If overriding security features is made too easy then you may as well do away with them completely.

There's another hassle too (4, Informative)

oDDmON oUT (231200) | about 6 years ago | (#24703665)

Try going to multiple Linksys devices (WRT54Gs come to mind) with the same self-signed certificate.

This is what you'll see:

You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information:

Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number.

(Error code: sec_error_reused_issuer_and_serial)

You'll only be able to set up an exception for the first one, the rest of them... so sorry so sad... unless you manually dump the certificate each time.

FF2 did not have this "feature", you could set multiple exceptions and not have to worry about it again.

Total PITA if you're working with residential users.

Re:There's another hassle too (5, Insightful)

bunratty (545641) | about 6 years ago | (#24703817)

Why doesn't Linksys provide the certificate used to sign the certificates on all those routers? Then you could add that certificate to your root certificates and no longer get any warnings at all. It looks to me like Linksys dropped the ball on this one. Perhaps the changes to Firefox 3 and Internet Explorer 7 will help companies get more serious about ensuring security.

Re:There's another hassle too (0)

Anonymous Coward | about 6 years ago | (#24704211)

The real question is: why doesn't Firefox allow the exception? I really detest the new policy, and it's primarily because of this. Throwing up such a strongly worded error message; okay, it's ridiculous and unnecessary, but I can live with it.

But when I explicitly go through so many clicks to add an exception, it's just stupid for the browser to STILL refuse to add it. This isn't the browser looking out for my safety anymore; it really crosses the line.

Re:There's another hassle too (1)

uberdilligaff (988232) | about 6 years ago | (#24704199)

I have the exact same problem with Netgear routers that have SSL protection for their remote administration access. This is a good thing. But the certs Netgear used are self-signed and embedded in firmware, and all have the same serial number. I would have no problem with the Firefox default behavior if there were some documented configuration option (even a complex, well hidden from the masses, takes 10 arcane steps procedure) that I could do manually. Just let me do it once to create a saved exception for the several routers I administer remotely. But no. I know what the issues are, I know what I am doing, and I really want to use my preferred browser to do it... but no.

Remind me a previous post... (1)

Janos421 (1136335) | about 6 years ago | (#24703667)

We already had a debate on that topic [slashdot.org].

Why (1)

eneville (745111) | about 6 years ago | (#24703673)

Why is this anything of a problem? Can't people use one of the free signing authorities out there?

Re:Why (1)

Hyppy (74366) | about 6 years ago | (#24703993)

Name one free signing authority that is accepted by default in FF or IE.

This is the RIGHT solution... (5, Insightful)

volxdragon (1297215) | about 6 years ago | (#24703677)

If you EVER want to combat man in the middle attacks and phishing sites, this is the best solution. Sites whining that people are being scared away??!? Get a fucking grip, and get a real certificate from a real certificate authority so your users can actually trust you. People/companies are cheap and lazy, and unfortunately this leads to a whole host of problems...keeping your certificate legitimate and up to date should be no different than taking care of your insurance or other critical infrastructure.

Re:This is the RIGHT solution... (3, Insightful)

jacquesm (154384) | about 6 years ago | (#24703735)

exactly. Every time people jump through the hoops required to accept a lapsed certificate all the valid certificates in the world lose a little bit of value because the user just got conditioned a little bit more to see certificates as nothing but a hassle.

Re:This is the RIGHT solution... (1)

dkf (304284) | about 6 years ago | (#24703975)

keeping your certificate legitimate and up to date should be no different than taking care of your insurance or other critical infrastructure

I agree, though I note that for some organizations, this would still mean letting things lapse. I've heard some real horror stories with (non-)maintenance of critical infrastructure or relinquishment of insurance. Too often people aren't just cheap, but actively saving in one place only for the costs to jump right back at them elsewhere and massively larger. (This isn't a new phenomenon though; people have been stupid this way for thousands of years.)

Re:This is the RIGHT solution... (1)

kevin_conaway (585204) | about 6 years ago | (#24704017)

If you EVER want to combat man in the middle attacks and phishing sites, this is the best solution. Sites whining that people are being scared away??!? Get a fucking grip, and get a real certificate from a real certificate authority so your users can actually trust you

What about the military?

You forget that software applications for the military nearly always use SSL and those SSL certificates are signed by some root CA at the DOD. That cert is not in your browser nor will it be any time soon.

xpi (1)

Rinisari (521266) | about 6 years ago | (#24703681)

I'm curious as to why no one has created an extension which cures this. Sure, only the folks who need it will use it, but if there's this much hullabaloo about it, why doesn't someone do something about it?

I would, but I lack the know-how.

Re:xpi (1)

bunratty (545641) | about 6 years ago | (#24703979)

They have. It's called MitM Me [mozilla.org], for users who want to become victims of man-in-the-middle attacks. It's probably not a good idea to use it.

Cancel or Allow? (1, Insightful)

Gothmolly (148874) | about 6 years ago | (#24703683)

So like I went to a website, and the computer goes like *beep* and like I get a screen about a certificate or something where I like click Next, Next, Next, OK, and then the computer goes like *boop* and like, my paper was totally gone.

Sorry folks, given the way SSL certs work, there's something going on when someone has a self-signed cert. Users, sadly, have to be aware of this sort of thing. The personal computer really isn't a toaster (yet).

Another Solution to Self Signing? (3, Interesting)

txoof (553270) | about 6 years ago | (#24703685)

Obviously, self signing is meaningless for anonymous strangers. It works just fine for you and your friends/colleagues, but not for anyone outside your immediately trusted group.

What are the free alternatives to VeriSign's hefty [verisign.com] fees? Some kind of community effort to create trust, much like PGP key signing seems like it would be a good solution.

Besides being expensive, it looks like any shmo can register with verisign and then conduct all sorts of questionable practices behind their cert. It doesn't look like there's any sort of vetting in the process. I didn't complete the signup process, but it looked like once they had my money, they'd send me a certificate. While the connection is secure, that doesn't tell me a darn thing about what they are going to do with my data, or whether or not they're going to try something malicious.

Re:Another Solution to Self Signing? (2, Informative)

elfguy (22889) | about 6 years ago | (#24703981)

There are such things, like CAcert. Organizations that start offering community based free certificates. The problem is if certs are not being sold for money, Mozilla will not include them. CAcert asked in 2003 to be included as a CA in Firefox. To this day, the bug is still open in bugzilla and awaiting inclusion.

Re:Another Solution to Self Signing? (1)

blueg3 (192743) | about 6 years ago | (#24703987)

You need a cert that applies to a domain you control in order to do SSL. Obviously they have no way to check or police what goes on in that domain and what you do with the data. That's not the function of a signed certificate; it's just to ensure that when you think you have an encrypted connection to www.joessite.com, it's really going to www.joessite.com.

An EV certificate says more about the certificate-holder, and some people (like Newegg) actually have them.

Re:Another Solution to Self Signing? (1, Informative)

Anonymous Coward | about 6 years ago | (#24703997)

What are the free alternatives to VeriSign's hefty fees?

Hefty fees? Jesus fucking christ, you can get certificates from Godaddy or QuickSSL that are accepted by all browsers for $20 a year or less.

Besides being expensive, it looks like any shmo can register with verisign and then conduct all sorts of questionable practices behind their cert. ... While the connection is secure, that doesn't tell me a darn thing about what they are going to do with my data, or whether or not they're going to try something malicious.

Absolutely correct. Signed SSL certificates only promise two things:

- your web browser is actually talking to the website you think it is talking to
- your web browser is using encryption to talk to the website

That's all SSL does. What the website does with your information after you give it to them is completely out of the scope of SSL.

Here's an analogy. You have a large pile of cash. You hire an armored car company with armed guards to pick up your cash and deliver it to your bank. The armored car company picks up the cash, signs for it, drives to the bank, then certifies to you that they delivered the cash to the actual bank and deposited it into your account. BUT, someone creates a fake debit card and steals money from your account - THIS IS NOT THE FAULT OF THE ARMORED CAR COMPANY. The armored car company did everything correctly.

Re:Another Solution to Self Signing? (3, Informative)

csnydermvpsoft (596111) | about 6 years ago | (#24703999)

StartSSL [startssl.com] offers free certificates, and their root cert is included with Firefox.

Re:Another Solution to Self Signing? (4, Informative)

bunratty (545641) | about 6 years ago | (#24704055)

The point of a certificate is not to guarantee that the owner won't do something malicious. The point is to guarantee that the only person who can decrypt the communications is the site you think you're talking to. It's a guarantee that someone else will not listen in on the conversation.

For a free certificate that works in Firefox, you can use StartSSL. For a cheap certificate that works in all browsers, you can use RapidSSL.

Re:Another Solution to Self Signing? (1)

Hyppy (74366) | about 6 years ago | (#24704061)

While the connection is secure, that doesn't tell me a darn thing about what they are going to do with my data, or whether or not they're going to try something malicious.

What, do you expect the CA to do a full background check on every employee in the business? What about if it's an individual? Should the CA kidnap the children of the certificate applicant and threaten to behead them if the applicant does something "malicious?"

Re:Another Solution to Self Signing? (1)

devman (1163205) | about 6 years ago | (#24704123)

People complain about the 'SSL Cartel' and Verisign's hefty fees yet fail to check their competitors. There are A LOT of CAs out there for you to choose from.
One of MANY examples. https://www.godaddy.com/gdshop/ssl/ssl.asp [godaddy.com]

$27/year is not what I would call hefty.

Re:Another Solution to Self Signing? (1)

wmorse (1082007) | about 6 years ago | (#24704183)

When Verisign was vetting our application for a certificate, we had to jump through a fair number of hoops. This is partly because the phone company has for years had the wrong info on file for our organization, and partly because we changed our name.

But we didn't just pay them $300 and they didn't just hand out the certificate. If you have a D&B number, and you can show that you have business relationships with known companies (i.e. banks, utilities) then you can probably get a certificate from a major CA without a hassle.

(The threshold for the $15 personal use certificate is completely different. You just need an e-mail address and a credit card.)

Is this really a debate at all? (1, Interesting)

Anonymous Coward | about 6 years ago | (#24703695)

Some guy on some blog somewhere seconds another blog post.

If Google and LinkedIn didn't care about the message, why should you?

This is far from my biggest complaint about firefo (1)

Sir_Real (179104) | about 6 years ago | (#24703703)

Plugin incompatibility, unsupported flash, java shenanigans, the 32/64 bit crapfest, have fun trying to get a java vpn client working... Under ubuntu with AMD64 you need to run a 32 bit version of the firefox2 browser and java 5 to get the most popular java based vpn client on the planet to work.

Flash is simply BROKEN. I'm not blaming firefox for this one. The easiest workaround is to run firefox.exe from wine.

Re:This is far from my biggest complaint about fir (1)

spacefight (577141) | about 6 years ago | (#24703837)

Java based VPN Client? OMG.

Re:This is far from my biggest complaint about fir (1)

Hyppy (74366) | about 6 years ago | (#24704083)

My thoughts exactly.

What's next, a payroll system written in vbScript?

Re:This is far from my biggest complaint about fir (1)

Hal_Porter (817932) | about 6 years ago | (#24703907)

Plugin incompatibility, unsupported flash, java shenanigans, the 32/64 bit crapfest, have fun trying to get a java vpn client working... Under ubuntu with AMD64 you need to run a 32 bit version of the firefox2 browser and java 5 to get the most popular java based vpn client on the planet to work.

Flash is simply BROKEN. I'm not blaming firefox for this one. The easiest workaround is to run firefox.exe from wine.

What's wrong with running the 32 bit version of Firefox on a 64 bit OS?

http://linuxhaters.blogspot.com/2008/07/my-browser-needs-16-exabytes.html [blogspot.com]

No Excuses (4, Insightful)

allcar (1111567) | about 6 years ago | (#24703715)

Fundamentally, the people at fault here are the so-called professionals who allow their certificates to expire. Why should I trust their site's security if they can't manage a simple administration function like that? Thawte and Verisign provide you with enough reminders that your certs are about to expire, so you don't even need to diarise it yourself.
I do have more sympathy with self-signed certificates. There is no excuse for corporates to be using them, but for small, non-profit sites, self-signed is understandable. Mozilla could help this situation by providing support for CACert [cacert.org] and similar organisations, by including their signing certs in their browsers, by default.

Re:No Excuses (2, Interesting)

devman (1163205) | about 6 years ago | (#24704171)

IIRC, Mozilla has already said that they would if CACert would meet all their auditing requirements.

No solution (1)

kriss (4837) | about 6 years ago | (#24704193)

Are there similar organizations with reasonable security though? CAcert certainly hasn't [shortpacket.org] and including them in Mozilla would be particularly bad due to this. Other free alternatives would be nice, but lacking that, $15 for a year for a cert isn't beyond the reach of any non-profit.

GOOD! (3, Insightful)

nweaver (113078) | about 6 years ago | (#24703727)

Conditioning the users to accept self-signed certs is a BAD thing.

I think self-signing is great for HTTP and with SSH-style leap of faith. But self signed is far less useful than a real cert (because even when social engineered, a real cert allows you to say "registrar X f-ed up".) for HTTPS. And conditioning users to accept self-signed certs for HTTPS is a mistake.

Re:GOOD! (1)

Reece400 (584378) | about 6 years ago | (#24703897)

Agreed, if people paid attention to the less invasive messages this wouldn't be an issue. Unfortunately most people are so click happy these days that you need something this invasive to actually make them look at it before clicking 'ok'.

Re:GOOD! (1)

arevos (659374) | about 6 years ago | (#24703915)

And conditioning users to accept self-signed certs for HTTPS is a mistake.

I disagree. A self-signed certificate is better than no encryption at all. I'd just have browsers accept all certificates, but only display the signature yellow address bar and padlock icon for certificates signed by registered third parties.

Re:GOOD! (1)

Nevyn (5505) | about 6 years ago | (#24704047)

Better? Maybe. Good enough? No.

Having the bar change color is basically worthless security, on the other hand the user still has to be trained to see that they are using https instead of http when on a "security" site ... and that is still not obvious enough.

Re:GOOD! (1)

nweaver (113078) | about 6 years ago | (#24704103)

No, it's not. Because if you condition users to it, they will always accept it, which allows you a trivial downgrade attack to self-signed HTTPS.

It's like the padlock icon: we conditioned the users to "see the padlock, it's safe", and so all you need to do is put a padlock icon IN THE PAGE and the users think it's safe.

Re:GOOD! (1)

Hyppy (74366) | about 6 years ago | (#24704137)

At least most decent SSH clients store the certificate, and then throw an absolute fit if it changes.

expected behaviour (5, Insightful)

AndyST (910890) | about 6 years ago | (#24703751)

This way of handling websites with expired or self-signed SSL certificates is bound to scare away a lot of inexperienced users, no matter how legitimate the website is.

Well that's the point. The certificate is not valid and there is no way to tell the website is legitimate. If one would insist on using TLS/SSL for HTTP with a self-signed certificate, have users install your own CA keys you gave them through another secure channel, or at least let them check the fingerprint. Nobody keeps you from doing that. It's sad that some of these things are so widely misunderstood that it actually reduces privacy and security:

  • login forms on http: URI, posted to https: URI. Please, the website should identify first.
  • Session Cookies which are sent for both secure and unsecure connections.
  • people asking me to sign their openPGP keys they sent via e-mail wondering why I call them in return to verify the fingerprint. (This guy had a Ph.D. in computer science and after a heated exchange on the phone and e-mail I just gave up. He hates me ever since.)

The new behavior of Firefox 3 is not a problem, it's people failing to security-enable their website the right way.

Move to different browser like Safari (-1, Troll)

Anonymous Coward | about 6 years ago | (#24703761)

If Mozilla continues to be arrogant towards its own users, they will go somewhere else. Opera, Safari, etc...

I have a feeling that browsers based on WebKit (not Gecko) are the future for the web.

That's what they call "security" (1)

BhaKi (1316335) | about 6 years ago | (#24703785)

This way of handling websites with expired or self-signed SSL certificates is bound to scare away a lot of inexperienced users, no matter how legitimate the website is.

And the ways used by other browsers will not scare people even if the site is illegitimate. Great security model!!

I'm Firefox, I'm IE (4, Insightful)

MosesJones (55544) | about 6 years ago | (#24703823)

This is a switch of the "Cancel/Allow [youtube.com] " Mac/PC ad.

Here we have FF3 saying

"You have tried to access a secure site with a dodgy certificate, Cancel or Allow?"

IE meanwhile troops on regardless giving a better "user experience"

Oh until the machine goes down because the site was a trojan site using a self-signed certificate.

The issue here isn't that Firefox is making this hard, it's that ANYONE ever made this easy. If a site has an expired certificate then that would worry me as it implies their IT support is a bit dodgy. If someone wants my credit card details and is using a self-signed certificate then I'm VERY worried.

There are functional issues (the duplicate cert problems of Linksys have been mentioned here) that should be addressed. But the basic problem of warning users very strongly that a site is self-signed or has an expired certificate is a good thing.

I'm using Firefox, I'm on a Mac and this problem just hasn't irritated me the way that Vista does because this does it when there is a REAL problem caused by a 3rd party, not a potential problem caused by me hitting a button. Expired or self-signed certs are a real 3rd party problem, not a scare story.
 

As a Safari user (4, Insightful)

Tibor the Hun (143056) | about 6 years ago | (#24703833)

As a Safari user, I find that reading mainstream media and "security researchers" fucking hurts my head.
First Safari is bad because it doesn't have anti-phishing.
Then FireFox is bad because it throws a fit on un-signed certificates.
WTF do they all recommend? Exploder?

I guess it all fits with the flow of uneducated American populace, too ignorant to learn to use a computer properly, so "Security Experts" need to be babysitting them.

(for those of you wondering why I use Safari, it's because of its superb in page find feature.)

Re:As a Safari user (1)

ckthorp (1255134) | about 6 years ago | (#24703911)

In fact, the Safari in-page find was so nifty that FF3 more or less ripped it off. :-)

Re:As a Safari user (1)

bestinshow (985111) | about 6 years ago | (#24704041)

I am using Safari on Windows at the moment, it's nice.

Apart from random pauses in its operation for up to 10 seconds at a time. I think the Javascript JIT or something causes the application to lock up whilst it is doing its thing. Some work needed there.

I also ran into the Firefox self-signed certificate issue and found the 4 stage process to be rather ridiculous myself. A self-signed certificate is not bad, it still allows secure data transfer between the client and the server, however it loses the verification of the server aspect - which you may not even care about. I found the wording on the Firefox SSL certificate warning page to be rather over the top, and rather vague at the same time.

Clear and present danger (2, Insightful)

I cant believe its n (1103137) | about 6 years ago | (#24703839)

I think FF should just clearly show a warning sign and tell the user that any communication he or she has is encrypted, but that the receiver could be anyone. Therefore the user should not engage in any sensitive communication over this connection such as visiting banks etc.

I feel that there is too much scaremongering going on. Usually programs will tell you, "you are about to do something really dangerous/stupid/embarrassing, proceed yes or no?". It is better to inform the user why this is dangerous/stupid/embarrassing and let him or her make up their own mind. Otherwise you are just putting the blame on the user for when things go wrong without him/her being able to make an informed decision. Many users may act less than perfect, but at least give them a chance to understand.

Yes I know that the new FF is much better at informing the user than older browsers were, but it is still too alarmist in my opinion.

What do you think?

Serious problem with web-enabled devices (1)

Anon E. Muss (808473) | about 6 years ago | (#24703853)

The new Firefox behavior is probably the right choice for sites on the public Internet. However, it's hell when dealing with embedded devices. Many network devices offer an HTTPS management interface, and almost all use a self-signed certificate. Some offer the option to install a "real" certificate, but many don't. Even if the option is available, it's only really usable by organizations with their own internal Public Key Infrastructure. Firefox needs a better way of dealing with routers, switches, webcams, etc.

As long as we're complaining about browsers (3, Informative)

The MAZZTer (911996) | about 6 years ago | (#24703885)

Let's complain about how easy it is for you to navigate to a malicious page in IE and get malware on your PC.

Seriously people, this isn't a huge deal. Err on the side of security rather than the other side, I would say.

I think Firefox's solution is the best we can hope for. If you or me can get a self-signed cert, a phishing site author certainly can. Then all of a sudden if Firefox were to accept self-signed certs, phishing sites over HTTPS look legitimate, and they look the same as every other HTTPS site that shelled out $$$ to get their certs signed by a trusted root authority. Hell it doesn't even cost $$$, there are a few root authorities that'll sign certs for free, and one is accepted by Firefox (I forget the name). So that's always an option. If you don't like adding exceptions to your own pages, get on Google and figure out how to fix it!

Re:As long as we're complaining about browsers (1, Interesting)

Anonymous Coward | about 6 years ago | (#24704121)

So big guy, I've tried to find these free root authorities. I've found plenty of free trials. Fuck off with that, I want real honest to fuck long time certificates. Not 30 day fuck around and come back and pay $150 a year (which is more than the *hosting*).

So yeah, got any links to these free root authorities?

Actually, that's a massive problem with the whole SSL/TLS system. Getting a cert costs more than the entire freaking hosting! $10 a month will get you a sweet deal (a "business" account even) at a number of places. But if you want to run a commercial operation and/or take personal details or whatever (or are promoting security), then you need to pay more than what you pay for your hosting.

It isn't going to happen.

At the current place, there is the option for "shared" certs, but that is something like ssl.hostingcompany.example.com/yourdomainhere.info which doesn't really look so pro. (Even if it beats not having security at all.)

Certificate hijacking (5, Informative)

elfguy (22889) | about 6 years ago | (#24703929)

SSL Certificate hijacking is a real issue so it should not be underestimated. Users should not be able to just dismiss a warning dialog like they can do with IE. However I do think self signed certs shouldn't be discriminated this way. Learn more with presentation #11 here:

http://www.securitypresentations.com/#11 [securitypr...ations.com]

Lone ranger it is not... (1)

certain death (947081) | about 6 years ago | (#24703939)

Firefox is not alone in its new Robot "Warning will robinson" type of messages...Internet Explorer does this as well. Pick on them both over it will ya?

Before everyone posts the 'so obvious' facts... (5, Insightful)

Anonymous Coward | about 6 years ago | (#24703951)

Before all the security fanatics start telling everyone to "just spend ten bucks on a cert"...

1. Embedded appliances (you know, the hundreds of millions of routers, firewalls, etc.) cannot use an authority cert. The choice is between self-signed and no encryption only, and Firefox is pushing manufacturers towards the less secure option.

2. Typically, you first encounter a self-signed cert in a secure context (for example, setting up such an appliance by plugging it directly into your PC and visiting the web interface). After that, all you care about is whether the cert changes. The whole man-in-the-middle thing is NOT a guaranteed problem with self-signed certs.

3. Real cert authorities are not the invulnerable swiss banks everyone thinks they are. They can and have issued certs when they shouldn't have. And that isn't just new certs; last week there was a story about a Firefox-trusted cert authority that issued a Microsoft live.com domain cert to someone. So those who think authority certs are secure are deluding themselves.

In the end, Firefox's current behavior does not promote security; it simply makes life hard and annoying for legitimate users.
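Point 2 above, like the SSH comparison made earlier in the thread, describes trust-on-first-use: record the certificate's fingerprint at first contact and raise an alarm only when it later changes. The sketch below is an added example, not part of any post in this thread; the pin-file format, the function names and the host `router.lan` are assumptions, and the two certificates are constructed samples generated locally with `openssl`.

```shell
#!/bin/sh
# Trust-on-first-use (TOFU) pinning for self-signed certificates.
# Pin file format (an assumption of this example): "<host> <sha256-fingerprint>" per line.

# Print the SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Generate a throwaway self-signed certificate (constructed sample input).
# usage: make_self_signed <out-prefix> <common-name>
make_self_signed() {
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$1.cnf" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# usage: tofu_check <pin-file> <host> <cert.pem>
# Prints FIRST_USE (pin stored), MATCH or CHANGED; returns non-zero on CHANGED.
tofu_check() {
    pins=$1; host=$2
    seen=$(cert_fingerprint "$3") || return 2
    [ -f "$pins" ] || : > "$pins"
    pinned=$(awk -v h="$host" '$1 == h { print $2; exit }' "$pins")
    if [ -z "$pinned" ]; then
        # Nothing on record: this is the "leap of faith" moment.
        printf '%s %s\n' "$host" "$seen" >> "$pins"
        echo FIRST_USE
    elif [ "$pinned" = "$seen" ]; then
        echo MATCH
    else
        # Same host, different certificate: the pin is NOT overwritten.
        echo CHANGED
        return 1
    fi
}

# Demo: first contact, a repeat visit, then a different certificate for the same host.
demo_tofu() {
    d=$(mktemp -d) || return 1
    make_self_signed "$d/original" router.lan
    make_self_signed "$d/replaced" router.lan
    tofu_check "$d/pins" router.lan "$d/original.crt"          # FIRST_USE
    tofu_check "$d/pins" router.lan "$d/original.crt"          # MATCH
    tofu_check "$d/pins" router.lan "$d/replaced.crt" || true  # CHANGED
    rm -rf "$d"
}
demo_tofu
```

The first-use step is only as trustworthy as the channel it happens over, which is why the post specifies a direct cable connection for it.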

It need not be annoying (1, Interesting)

Anonymous Coward | about 6 years ago | (#24703969)

If you need to run a lot of SSL'd sites, do the following and become your own Certificate Authority:

1. Make a CA cert
2. Import your CA cert into your browser
3. Make certs for all the sites you need to sign
4. Sign them with your own personal CA
5. All browsers you administer stop complaining about your sites
6. (optional) Get your CA cert included in the standard list that the various flavors of Linux, Firefox, Apple and Microsoft use and start selling certs to people over the internet (doing proper identity verification first).
7. Profit

Besides, 4 separate dialogs are more likely to make the people who blindly click to make dialog boxes go away perhaps actually read them first. Or maybe less likely to read them, who can say?
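Steps 1, 3 and 4 of the list above can be carried out with the `openssl` command line. This is an added example, not the poster's own commands; the CA names, host names, file layout and function names are hypothetical, and `chain_ok` stands in for the check a browser performs once the CA certificate has been imported (step 2).

```shell
#!/bin/sh
# Private CA walk-through: create a CA, issue a site certificate, verify the chain.

# Step 1: create a CA key and a self-signed CA certificate.
# usage: make_ca <dir> <ca-name>
make_ca() {
    mkdir -p "$1" || return 1
    cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key" &&
    chmod 600 "$1/$2.key" &&   # the CA key is the whole trust anchor: keep it private
    openssl req -x509 -new -key "$1/$2.key" -sha256 -days 365 \
        -config "$1/$2.cnf" -out "$1/$2.crt"
}

# Steps 3 and 4: create a key and CSR for one site, then sign it with the CA.
# usage: issue_cert <dir> <ca-name> <hostname>
issue_cert() {
    cat > "$1/$3.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$3
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/$3.key" &&
    openssl req -new -key "$1/$3.key" -subj "/CN=$3" \
        -config "$1/$2.cnf" -out "$1/$3.csr" &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -sha256 -days 90 -extfile "$1/$3.ext" \
        -out "$1/$3.crt" 2>/dev/null
}

# The client-side check: the certificate must chain to the trusted CA and
# must name the host being contacted. Succeeds only if openssl reports OK.
# usage: chain_ok <trusted-ca.crt> <cert.crt> <hostname>
chain_ok() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>/dev/null |
        grep -q ': OK$'
}

# Demo with constructed names: one CA that signed the site, one that did not.
demo_ca() {
    d=$(mktemp -d) || return 1
    make_ca "$d" home-ca && issue_cert "$d" home-ca nas.home.example
    make_ca "$d" other-ca
    chain_ok "$d/home-ca.crt"  "$d/nas.home.example.crt" nas.home.example &&
        echo "accepted: chains to home-ca"
    chain_ok "$d/other-ca.crt" "$d/nas.home.example.crt" nas.home.example ||
        echo "rejected: other-ca did not sign it"
    chain_ok "$d/home-ca.crt"  "$d/nas.home.example.crt" bank.example ||
        echo "rejected: certificate is for a different host"
    rm -rf "$d"
}
demo_ca
```

Any client that imports the CA certificate will accept every certificate that CA key signs, for any host name, so the key file deserves the same protection as the sites themselves.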

Do it right... (0)

Anonymous Coward | about 6 years ago | (#24704037)

If you can't do it right why use SSL at all? There is no debate here, just another flame war.

Why we have certificate authorities (4, Informative)

Minupla (62455) | about 6 years ago | (#24704077)

I'm going to assume that there is a sizable minority here who doesn't actually understand what is going on with SSL certificates and why they are important. So here goes:

Assume you're trying to access your online bank, and that Dr Evil is your ISP's systems admin (or anyone else who can get between you and your bank).

In the normal course of things, your web browser makes an SSL connection to your bank, validates the certificate is signed by one of the certificate authorities that your browser trusts and you're good to go.

The certificate authority check is there to prevent Dr. Evil from setting up a server in between you and your bank. In that scenario, you would connect to Dr Evil, get his key, encrypt your username and password using his key. Dr Evil then decodes the user/password and sends it onto the bank in another connection. Then he bridges the two connections, walks off with your password and you're none the wiser.

Because of SSL certificates, if Dr Evil did try it, you'd get the nasty certificate warning, and hopefully not give Dr Evil your banking passwords.

Min

In my opinion, it's not the warning message... (2, Insightful)

w4rl5ck (531459) | about 6 years ago | (#24704095)

which is the problem here.

FF2 had a warning message about self-signed certificates, too. The problem in my opinion is the way it is presented, and how the "exception" thing is handled from a user perspective.

In FF2, you simply had to accept the certificate, and "go" for it. So far so good. Warning message, "OK, I know what I'm doing".

Downside: anyone just clicks "yes" in ANY message, so where's the security in that?

Anyway, with the new scheme, it's simply annoying, even if you know what you are doing. I.e. I need to use some development installations of software for testing purposes, and of course, we have to test the ssl-encrypted parts, too. Buying certificates for all these development setups would be stupid (like, throwing the money out of the window).

Why do I have to click FOUR times to simply say "this site is OK for me", while I only have to click once for popups, for auto-fillin for login data, and so on?

Just one simple "add an exception" that does the trick WITHOUT forcing me to:

- *manually* (!!!) FETCH and DISPLAY the certificate before I can accept it (hell, I KNOW it's valid, I generated it myself! And a "normal user" can't understand ANYTHING in the certificate details, so what's the point? And no, they won't "learn", either!)
- yes, I'm sure, I want an exception
- yes, for real, I ...

Oh my god. (3, Funny)

Vexorian (959249) | about 6 years ago | (#24704169)

What the heck is wrong with mozilla? Everybody knows convenience of web developers is more important than actually making the whole SSL stuff worth it. Who cares if allowing sites to sign their own certificates makes the whole SSL thing extremely pointless? What's important here is the webmasters' comfort.

Re:Oh my god. (1)

Shados (741919) | about 6 years ago | (#24704217)

Your post is probably going to be the only one worth reading in the entire discussion, flooded in a deluge of "OMG VERSIGN R TEH GREEDIES!", which, while true, doesn't change the point.
