Linked by Thom Holwerda on Fri 29th Aug 2008 13:23 UTC, submitted by irbis
Firefox 3.0, released not too long ago, was generally well-received. It added a load of new features, while also providing much-needed speed improvements and better memory management. Some new features, however, have met more resistance - one of them is the rather complicated user interface thrown at users when they reach a website with an invalid or expired SSL certificate.
Thread beginning with comment 328503
Cert Authority System's Fault
by braddock on Fri 29th Aug 2008 13:50 UTC
braddock Member since:
2005-07-08

This is not the fault of Firefox as much as it is the fault of the completely dysfunctional Certificate Authority system currently in place.

If I could AFFORD a valid cert, I wouldn't have a self-signed cert, and wouldn't direct all my users to use un-encrypted HTTP on my site.

The Mozilla foundation should step up to the plate and recognize a saner community-based non-profit certificate authority. They have the market share to make this happen. They control this now based on what certs they choose to ship with. Now is the time.

Reply Score: 4

VistaUser Member since:
2008-03-08

Luckily for you, you CAN afford a certificate from a verified CA. StartCom offers free SSL certificates via http://www.startssl.com/ and it is recognised by Firefox.

Unfortunately, not many people know about this.

(Hopefully, CAcert will be recognised soon too, but that may not be soon enough for most people.)

EDIT: Unfortunately, StartCom is not recognised as a valid SSL authority by other browser vendors (Microsoft IE, maybe Opera and Apple too), so it may not be a good fit.

Edited 2008-08-29 14:55 UTC

Reply Parent Score: 4

braddock Member since:
2005-07-08

Wow, the price is right ($0) at www.startssl.com - thanks, I'll probably register.

CAcert sounds like the right community-based idea, but they are actually recommending people use a few words of l33t sp34k for their pass phrases!? I don't think I would be shipping their cert quite yet either...

Reply Parent Score: 1

CrLf Member since:
2006-01-03

That doesn't solve the problem for internal domains (the only solution is to create an internal CA and add its root certificate to the browser), nor does it solve the problem for embedded web administration in a variety of devices (many of which don't even allow the certificate to be changed).

Reply Parent Score: 2

GMFlash Member since:
2006-06-30

I pay $15/year for a valid cert which comes out to be less than a nickel a day. Surely you can find a way to fund this huge expense.

Edited 2008-08-29 18:38 UTC

Reply Parent Score: 2

intangible Member since:
2005-07-06

Wildcard certificates are usually quite a bit more though :/

Reply Parent Score: 2