Firefox 3.0, released not too long ago, was generally well-received. It added a load of new features, while also providing much-needed speed improvements and better memory management. Some new features, however, have met more resistance – one of them is the rather complicated user interface thrown at users when they reach a website with an invalid or expired SSL certificate.
When I encountered the page for the first time, I was at a loss as to what to do. The OSNews backend apparently has an invalid security certificate, as well as various websites of my university, so whenever I re-install Firefox somewhere, I need to add an exception for each of these websites. The new Firefox 3.0 exception interface, however, is a four-step process that is wholly unclear (the “Or you can add an exception” is easily overlooked), and will be especially difficult to grasp for ordinary, normal users – exactly the group of users the feature tries to protect. As the Pingdom weblog explains:
The point of this change was to make web browsing safer, and that is a good thing. There is a lot of malware on the Web. However, the people most in need of a clear and explicit warning regarding SSL certificates are inexperienced users, and those are not very likely to understand the error message that Firefox 3 is displaying. A large portion will simply be scared away, thinking that the website is broken.
The problem is that Firefox doesn’t just give you this page following expired certificates, but also with self-signed certificates – something especially annoying for smaller websites. However, big websites are also affected, such as the official website for the United States Army. Heck, even Google forgets to update their certificates.
The Mozilla Foundation defends their decisions as being necessary to prevent malicious and fraudulent websites from carrying out their malintent. Jonathan Nightingale writes:
The question isn’t whether you trust your buddy’s webmail – of course you do, your buddy’s a good guy – the question is whether that’s even his server at all. With a CA-signed cert, we trust that it is – CAs are required to maintain third party audits of their issuing criteria, and Mozilla requires verification of domain ownership to be one of them.
With a self-signed certificate, we don’t know whether to trust it or not. It’s not that these certificates are implicitly evil, it’s that they are implicitly untrusted – no one has vouched for them, so we ask the user.
Personally, I agree with the fact that Firefox properly warns me that I’m visiting a site with an invalid or self-signed certificate, but it would be nicer if the user interface that I’m presented with is less complicated, clearer, and easier to use.