Linked by Thom Holwerda on Fri 29th Aug 2008 13:23 UTC, submitted by irbis
Mozilla & Gecko clones Firefox 3.0, released not too long ago, was generally well-received. It added a load of new features, while also providing much-needed speed improvements and better memory management. Some new features, however, have met more resistance - one of them is the rather complicated user interface thrown at users when they reach a website with an invalid or expired SSL certificate.
E-mail Print r 2   · Read More · 23 Comment(s)
Thread beginning with comment 328526
To read all comments associated with this story, please click here.
Everyone is missing the point
by justinbest on Fri 29th Aug 2008 16:10 UTC
Member since:

It seems everyone is missing the point here. Sites with invalid SSL certificates ARE broken. When inexperienced users visit these sites, and give up because they're unsure as to the authenticity of the site, that's a GOOD thing. It's exactly what is supposed to happen (users don't enter their personal info in a site they can't trust). It also encourages sites to actually maintain a valid cert from a trusted CA.

With SSL certificates issued by a trusted CA available for under $10 ( there's no excuse for failing to keep a valid SSL cert up on your site.

Reply Score: 3

voidspace Member since:

Nonsense. And that attitude is why we are in this mess...

Reply Parent Score: 1

robinh Member since:

Speaking as a web developer, I couldn't agree more. Mozilla are protecting *their* users and not *your* users, and this is exactly the correct thing for them to do.

Reply Parent Score: 1

JoHa Member since:

I just encountered FF's new process for the first time, and at first glance it did seem a bit clunky, but it wasn't any problem for me to step through and add an exception. Now, I was adding an exception for my own webmail system, but the extra steps made me think twice about doing it, even for that. I certainly applaud FF for making me think twice!

For regular users who have no clue about how SSL works, it's essential that they not just get the old one-screen click-thru. Users are way too conditioned to click through error messages and warnings that read like gobbledygook to them.

People need to understand that it's very easy to spoof or man-in-the-middle a site with an invalid cert or self-signed cert. They're worse than no cert in some ways, because they provide the illusion of security. Hackers stealing credentials usually set up bogus OWA, webmail, intra/extranet and hotspot login pages, the very thing lazy IT admins don't bother configuring a real cert for.

If you're running a serious ecommerce business, then you'll buy a Verisign cert and pay out the nose, but there are plenty of cheap options for other folks. If you're IT admin for a large number of internal systems and don't want to pay for certs, like a university, the *right* thing to do is just to make yourself a CA.

Reply Parent Score: 1