Linked by Thom Holwerda on Fri 29th Aug 2008 13:23 UTC, submitted by irbis
Mozilla & Gecko clones Firefox 3.0, released not too long ago, was generally well-received. It added a load of new features, while also providing much-needed speed improvements and better memory management. Some new features, however, have met more resistance - one of them is the rather complicated user interface thrown at users when they reach a website with an invalid or expired SSL certificate.
Order by: Score:
rklrkl
Member since:
2005-07-06

Firefox 3 definitely should warn the end-user about self-signed/invalid or expired secure certificates with *at least* 1 in-your-face dialogue box (and maybe more by default). The big problem I have with Firefox 3 is that advanced users can't configure the number of warning dialogues (i.e. they can't fine-tune it to behave closer or exactly like Firefox 2, at least not from the UI anyway).

As it stands, self-signed certificate acceptance in Firefox 3 is a horrendous maze of dialogue boxes, link clicks and button clicks (and occasionally page reloads) with seemingly no way to avoid any of them. Repeat for every machine you installed Firefox 3 on too (e.g. home vs. work)...

Reply Score: 4

Cert Authority System's Fault
by braddock on Fri 29th Aug 2008 13:50 UTC
braddock
Member since:
2005-07-08

This is not the fault of Firefox as much as it is the fault of the completely dysfunctional Certificate Authority system currently in place.

If I could AFFORD a valid cert, I wouldn't have a self-signed cert, and wouldn't direct all my users to use un-encrypted HTTP on my site.

The Mozilla foundation should step up to the plate and recognize a saner community-based non-profit certificate authority. They have the market share to make this happen. They control this now based on what certs they choose to ship with. Now is the time.

Reply Score: 4

RE: Cert Authority System's Fault
by VistaUser on Fri 29th Aug 2008 14:42 UTC in reply to "Cert Authority System's Fault"
VistaUser Member since:
2008-03-08

Luckily for you, you CAN afford a certificate from a verified CA. startcom offers free SSL certificates via http://www.startssl.com/ and it is recognised by Firefox.

Unfortunately, not many people know about this.

(Hopefully, CAcert will be recognised soon too, but that may not be soon enough for most people.)

EDIT: Unfortunately, startcom is not recognised as a valid SSL authority by other browser vendors (Microsoft IE, maybe Opera and Apple too), so it may not be a good fit.

Edited 2008-08-29 14:55 UTC

Reply Score: 4

braddock Member since:
2005-07-08

Wow, the price is right ($0) at www.startssl.com - thanks, I'll probably register.

CAcert sounds like the right community-based idea, but they are actually recommending people use a few words of l33t sp34k for their pass phrases!? I don't think I would be shipping their cert quite yet either...

Reply Score: 1

RE[2]: Cert Authority System's Fault
by CrLf on Fri 29th Aug 2008 15:25 UTC in reply to "RE: Cert Authority System's Fault"
CrLf Member since:
2006-01-03

That doesn't solve the problem for internal domains (the only solution is to create an internal CA and add its root certificate to the browser), not does it solve the problem for embedded web administration in a variety of devices (many of which don't even allow the certificate to be changed).

Reply Score: 2

RE: Cert Authority System's Fault
by GMFlash on Fri 29th Aug 2008 18:33 UTC in reply to "Cert Authority System's Fault"
GMFlash Member since:
2006-06-30

I pay $15/year for a valid cert which comes out to be less than a nickel a day. Surely you can find a way to fund this huge expense.

Edited 2008-08-29 18:38 UTC

Reply Score: 2

intangible Member since:
2005-07-06

Wildcard certificates are usually quite a bit more though :/

Reply Score: 2

Huge issue
by elzurawka on Fri 29th Aug 2008 14:05 UTC
elzurawka
Member since:
2005-07-08

Working in IT security this has become a bit annoyence to me. None of the devices which we connect to have valid certs so having to click through it each time sucks. As techies we manage to figure it out. End users ive found are at a loss and will give up unless told what to do.

Also when managing multiple devices, even though i tell firefox to remember the certs, it keeps forgetting them, and once in a while will block me out of a site until i clear all my certs for those devices.

This should be a major issue to revisit for the next point release.

Reply Score: 3

Everyone is missing the point
by justinbest on Fri 29th Aug 2008 16:10 UTC
justinbest
Member since:
2006-06-29

It seems everyone is missing the point here. Sites with invalid SSL certificates ARE broken. When inexperienced users visit these sites, and give up because they're unsure as to the authenticity of the site, that's a GOOD thing. It's exactly what is supposed to happen (users don't enter their personal info in a site they can't trust). It also encourages sites to actually maintain a valid cert from a trusted CA.

With SSL certificates issued by a trusted CA available for under $10 (http://www.namecheap.com/learn/other-services/ssl-certificates.asp) there's no excuse for failing to keep a valid SSL cert up on your site.

Reply Score: 3

RE: Everyone is missing the point
by voidspace on Fri 29th Aug 2008 17:41 UTC in reply to "Everyone is missing the point"
voidspace Member since:
2008-06-25

Nonsense. And that attitude is why we are in this mess...

Reply Score: 1

RE: Everyone is missing the point
by robinh on Sat 30th Aug 2008 11:27 UTC in reply to "Everyone is missing the point"
robinh Member since:
2006-12-19

Speaking as a web developer, I couldn't agree more. Mozilla are protecting *their* users and not *your* users, and this is exactly the correct thing for them to do.

Reply Score: 1

RE: Everyone is missing the point
by JoHa on Tue 2nd Sep 2008 08:50 UTC in reply to "Everyone is missing the point"
JoHa Member since:
2005-08-16

I just encountered FF's new process for the first time, and at first glance it did seem a bit clunky, but it wasn't any problem for me to step through and add an exception. Now, I was adding an exception for my own webmail system, but the extra steps made me think twice about doing it, even for that. I certainly applaud FF for making me think twice!

For regular users who have no clue about how SSL works, it's essential that they not just get the old one-screen click-thru. Users are way too conditioned to click through error messages and warnings that read like gobbledygook to them.

People need to understand that it's very easy to spoof or man-in-the-middle a site with an invalid cert or self-signed cert. They're worse than no cert in some ways, because they provide the illusion of security. Hackers stealing credentials usually set up bogus OWA, webmail, intra/extranet and hotspot login pages, the very thing lazy IT admins don't bother configuring a real cert for.

If you're running a serious ecommerce business, then you'll buy a Verisign cert and pay out the nose, but there are plenty of cheap options for other folks. If you're IT admin for a large number of internal systems and don't want to pay for certs, like a university, the *right* thing to do is just to make yourself a CA.

Reply Score: 1

Fewer popups, beautify the check box
by davidgurvich on Fri 29th Aug 2008 16:12 UTC
davidgurvich
Member since:
2005-11-13

I have no problem with the general approach taken in Firefox3. I do have a problem in that I have to click on 4 separate pop-ups to allow me access to a website I know is good.

What's wrong with having one pop-up with multiple check boxes? I suspect that someone prefers the appearance of buttons to check boxes and decided that annoying people with multiple pop-ups was better than having this one big ugly pop-up. Perhaps the solution would be prettier check boxes.

Reply Score: 3

SSL Security
by AndrewDubya on Fri 29th Aug 2008 16:12 UTC
AndrewDubya
Member since:
2006-10-15

Ok, I can see them adding an option to make it easier, but the complaint doesn't sound justified to me.

People do not know how to protect themselves on the Internet. What exactly do you mean when you say you were at a loss? The entire point of it was to make people _actually_ read the warning messages. Sure I was confused about the interface until I read it, and that was The Damned Point. Sometimes, usability is the opposite of what you want. Sometimes, you just need a nice confusing jolt to make the user pay attention to the message instead of letting them drift through the process.

Again, normal users _need_ this. It's a huge step toward making the web somewhat safer. If they want to make it easier, it should be through a buried browser option.

EDIT: Additionally, I'm sure you can add your own authority if you self-sign.

Edited 2008-08-29 16:14 UTC

Reply Score: 2

RE: SSL Security
by VistaUser on Fri 29th Aug 2008 16:30 UTC in reply to "SSL Security"
VistaUser Member since:
2008-03-08

There is a usability issue - the site looks broken and not many people would wait to read the text.

It may be, but not in the same way that "page cannopt be found" means that the page is not there.

When I first moved to the Firefox 3 betas, it took me a while to realise that it was improperly signed sites causing the issue and NOT that the site was down.

A page similar to the the red page "potential malicious site page" would have been better as it does not look the same as a 404.

Reply Score: 4

voidspace
Member since:
2008-06-25

https is used for two different reasons - encryption and identification.

If you are connecting to a site that you don't really know then identification serves no purpose *anyway* but encryption may be very useful.

I would say that in *most* cases it is the encryption that people use https for.

Firefox is insisting on both. Their exception system is basically unusable - awful.

Reply Score: 2

flypig Member since:
2005-07-13

It's worth bearing in mind, though, that without certificate authentication there's the possibility of someone performing a man-in-the-middle attack (e.g. I sit in the middle of the connection between you and your bank, decrypting the data with my self-signed certificate and then re-encrypting it with your bank's certificate). This means that your apparently encrypted link isn't actually as secure as it looks.

Because of this the authentication part is needed for fully secure encryption too.

I'd still agree that a self-signed certificate used for encryption is better than using no encryption at all.

Reply Score: 3

intangible Member since:
2005-07-06

My solution:
Two separate warnings:
1. Invalid or expired certificates: always bad... like current behavior
2. Self-signed or unknown certificate authorities: allow a simpler way to accept cert on first visit to a site (with some explanation about how only encryption is enabled but no identity verification has been done), but keep track whenever a site's certificate has changed on subsequent visits and show warning about man-in-middle attacks.

Easy!

Edited 2008-08-29 23:41 UTC

Reply Score: 3

Panajev Member since:
2008-01-09

If you are connecting to a site that you don't really know then identification serves no purpose *anyway* but encryption may be very useful.


I'd say that encryption would be quite useless in this case unless you are worried that people sniffing on the network might laugh too loudly at the crap the untrusted site is exchanging with you ;) .

Reply Score: 1

braddock Member since:
2005-07-08


I'd say that encryption would be quite useless in this case unless you are worried that people sniffing on the network might laugh too loudly at the crap the untrusted site is exchanging with you ;) .


The content you are exchanging without encryption or strong authentication is still enough to put you in jail or on a watchlist in many countries.

Nearly ALL internet traffic should be encrypted. Period.

A man-in-the-middle attack is 10 times harder than sniffing, is easily detectable, and has legal implications which require a warrant for governments in most countries.

We've lost a lot of ground since 10 years ago when the FreeS/WAN project seriously aimed to get most routine internet traffic encrypted by now and PGP was slowly becoming an accepted mail protocol.

Reply Score: 1

When Usability "Experts" Strike
by TheBadger on Fri 29th Aug 2008 19:48 UTC
TheBadger
Member since:
2005-11-14

As usual, I suspect that the "experts" have been asked to weigh in on the interface, resulting in the ridiculous and confusing cascade of messages and buttons with stupid labels. "Get me out of here!" - what is that supposed to mean? Ignore the error, close the tab/window, forget about ever visiting that site, what? At least, once you've got the pop-up window, it takes you through the process in a half-reasonable way.

And if CAcert isn't supported in some way - I haven't really checked - then the Mozilla people really have been caught napping.

Reply Score: 3

perspectives
by netpython on Sat 30th Aug 2008 08:12 UTC
netpython
Member since:
2005-07-06
WLAN hotspots and SSL
by Novack on Sat 30th Aug 2008 10:56 UTC
Novack
Member since:
2006-04-24

The major annoyance with this feature for me is when I use WLAN hotspots that have a login page you need to complete prior to getting full access to Internet.

These systems redirect whatever you have as your homepage to their login page. I happen to have an SSL secured webpage as my homepage, so when this redirection occurs, Firefox shows this SSL error page. This is of course natural, but it makes it very hard to access the page without having to add an SSL exception. You need to copy the login.whatever.net address you're getting redirected to from the error message to the address bar and switch the protocol type to normal HTTP.

Reply Score: 1