Linked by Thom Holwerda on Fri 29th Aug 2008 13:23 UTC, submitted by irbis
Mozilla & Gecko clones Firefox 3.0, released not too long ago, was generally well-received. It added a load of new features, while also providing much-needed speed improvements and better memory management. Some new features, however, have met more resistance - one of them is the rather complicated user interface thrown at users when they reach a website with an invalid or expired SSL certificate.
Permalink for comment 328893
To read all comments associated with this story, please click here.
RE: Everyone is missing the point
by JoHa on Tue 2nd Sep 2008 08:50 UTC in reply to "Everyone is missing the point"
JoHa
Member since:
2005-08-16

I just encountered FF's new process for the first time, and at first glance it did seem a bit clunky, but it wasn't any problem for me to step through and add an exception. Now, I was adding an exception for my own webmail system, but the extra steps made me think twice about doing it, even for that. I certainly applaud FF for making me think twice!

For regular users who have no clue about how SSL works, it's essential that they not just get the old one-screen click-thru. Users are way too conditioned to click through error messages and warnings that read like gobbledygook to them.

People need to understand that it's very easy to spoof or man-in-the-middle a site with an invalid cert or self-signed cert. They're worse than no cert in some ways, because they provide the illusion of security. Hackers stealing credentials usually set up bogus OWA, webmail, intra/extranet and hotspot login pages, the very thing lazy IT admins don't bother configuring a real cert for.

If you're running a serious ecommerce business, then you'll buy a Verisign cert and pay out the nose, but there are plenty of cheap options for other folks. If you're IT admin for a large number of internal systems and don't want to pay for certs, like a university, the *right* thing to do is just to make yourself a CA.

Reply Parent Score: 1