Just ran into this again (I must have to add exceptions on average 3 times a week?) and I have to agree with the people critiquing it; it definitely *isn't* good for security. What *would* be good is if the security exception page was deferred until you submit data through that page.
Surely there's no risk until you start giving out your details? I don't get error pages every time I view a page without certificates, I don't see how that's any more secure. I shouldn't have to add an exception (and desensitise myself further to these security issues) if I'm just viewing a page with a bad certificate.
Lucas says:
> Surely there's no risk until you start giving out your details?
Yes, but you can start giving out your details from the first request. Think GET arguments, cookies, Referer: headers etc. You should also be able to trust an HTTPS-served form before entering (not submitting!) any data - it shouldn't be too difficult to use some JavaScript event handlers/AJAX/whatever to grab your input and post it somewhere else (plain HTTP, so you won't even see a certificate warning) behind your back.
Jan Schmidt says:
I can imagine cases where you rely on the information being given to you being correct based on the fact that it's coming from a trusted server.
It's hard to imagine what benefit someone might gain by feeding misinformation from a server that you thought was authenticated, but deferring the security dialog would allow it.
Robert says:
Yes, this is "Firefox certificate nonsense", but the other way around: people are crying because they have to do a few more clicks (that is what I call nonsense), but do not think that if you use that server frequently, you will get used to doing Ok Ok Ok Ok Ok (old dialog) every day you visit it, and if someone one month later starts a man-in-the-middle attack, you will just do OK and OK and OK again, and you call that good for security, hahaha. With the new way, you only authorize the bad certificate (or self-signed one), and if someone tries to trick you into a rogue server, you will be notified of it.
Michael says:
I don't get what the problem is... the current design in Firefox 3 works really, really well; it's great to be warned of potential problems/risks before anything can happen.
Trusting GNOME bugzilla is fine but blindly doing so is not. SSL is there for a reason you know...
Michael Schurter says:
It's annoying, but can't you just add an exception and be done with it? I don't understand why you'll see it numerous times a week forever unless you're hitting sites that constantly regenerate certs -- which is just silly.
GoDaddy (who is not my favorite company in the world, but whatever) has SSL certs for $30/yr and lower.
Also, doesn't cacert.org sign certs for free? You could use them so you only have to add 1 exception (their root cert).
From how much complaining on this issue I see on various planets and /. you'd think Firefox had disabled self-signed certs altogether! While the old dialog was a bit quicker to use click-wise, I prefer the new one to a modal dialog box.
Elroy Coltof says:
Invalid certificates have annoyed me for a while already; the current Firefox thing changed nothing for me. Especially when it happens on sites that want you to leave personal info, which in the case of an invalid certificate I won't. No matter what privacy disclaimers they have, if you cba to even have your certificate in order, how am I to trust you to do what's needed to protect my data?
But I can see how a self-signed one is handy. Some friends and I run a website that we can all log into. We all know the one who signed that self-signed certificate, and to us it's as good as if any CA had signed it. We don't need a CA because our site isn't for general use. So any browser should deal with these in a sane way, meaning add them to a list and don't bother me with them again until something changes.
Chris Lord says:
To those that have argued with this, I think you're missing the point. Regardless of whether it's a common use-pattern or not, I do see this multiple times a week, and apparently so do others. And seeing as sites probably aren't going to change overnight, all this 'certificates are cheap' talk means nothing to me. It's not my site that has a certificate error, it's the sites that I visit.
I've not heard a reason why Firefox shouldn't handle secure sites with an invalid certificate the same way it handles insecure sites (and an extra warning when you try to submit/it tries to pull data that only a secure site would have access to). Surely this would be desirable behaviour?
For the majority of cases, you're only viewing data on these sites. When your secure information comes into it, sure, do all this stuff then, but don't make me go through it when there's absolutely no need. If this wasn't an issue, people wouldn't be complaining.
Claes says:
Of course there is a potential security risk even without you submitting information using the browser. If you trust the information given on the page, it could fool you on anything that web page is about.
Adam Williamson says:
For Jan Schmidt, and Chris:
https://www.missionimpossibleteam.org/
Good afternoon, agent. Your mission today, should you choose to accept it, is to kill...
ethana2 says:
When you go to a broken site, it's your responsibility to inform the webmaster of the breakage. If more people took the time to do that, they may get fixed.
Dan says:
Well, I thought your idea was brilliant, but these people do bring up good points.
Perhaps some kind of extension that could toggle to this behavior, with some logic, combined with NoScript...
/me starts scribbling code
michele says:
I'm tired too. I'm not against protecting users, but the implementation is really lacking in usability; 99% of the time I switch away from the "Certificate" page since I mistake it for the "Address Not Found" page. They are really similar colour-wise and even in layout...
As much as I really love the new "save password" system, I would like such a thing to be adopted even in this case. Maybe instead of using a gray bar at the top of the page you're visiting, FF3 could present a red one with advice regarding the page's security and the option to add an exception or get out of that page. They could even present it so that you can't actually click on the page if you don't take a decision (greying it out like many modal JavaScript dialogs do).
So I actually see two big problems:
1) Not presenting the real site page but a FF page that looks way too similar to the address not found one
2) Too many clicks to get along
This is a big problem for people visiting many open-source projects' sites.
Robert says:
michele, changing the look of the error page to something distinguishable from the "Address Not Found" page is reasonable, but completing at least one request to the page (in order to show the page) can give too much info to a malicious server (for example stored cookies).
Gen Kanai says:
Johnathan Nightingale, who works at Mozilla developing the security user interfaces, has a blog post about this very issue:
http://blog.johnath.com/2008/08/05/ssl-question-corner/
Gen Kanai says:
This is not an endorsement but StartSSL provides FREE certs and is in the root store for Firefox 3.
http://www.startssl.com/
David Adam says:
Would people please stop writing how much they dislike this decision, and instead just write "Q: I think you are dumb."
greg says:
FF3 went in a good direction, but I think a minor change would greatly improve the usefulness. I regularly have to add exceptions for various sites for mailing lists and the like, and I do not want to add them permanently. You can skip that by removing the check box in the popup where you add the exception. But the method I personally think there should be is to have a small link on the self-signed error page that says 'accept it just this once'. If you go there and it's where you wanted to be and you are comfortable with the site, you can readily click on the site identity button (where the fav-icon is) and then tell it to add an exception for the site. Of course stating this here doesn't do much good, but ahh well :)
Dan says:
The problem I have is that a self-signed certificate is neither invalid nor broken. It's a perfectly valid, perfectly useful certificate for many reasons. It is not valid for one purpose - assuring you that you're actually on the site which it says you are. If you're going to your bank, you want to know that yes, you really are at your bank's web site and not a spoof site. For that, a self-signed cert is a really bad idea.
But, for example, Cisco routers provide a secure http interface for configuring the router. It uses a self-signed cert. Using Firefox is such a pain that I use IE instead. It's fine to have a warning about it. But give me a page which doesn't look like a 404 and for Christ's sake give me a one-click way to say "Yes, I know. I don't care. Just render the friggin' page already."
Thomson says:
> "Yes, I know. I don't care. Just
> render the friggin' page already."
Hear hear.
Whoever took this decision on certs for Firefox obviously had no clue about the real world. Cisco. Linksys. Embedded devices. My own Linux compilations and boxes. Those certs are there and aren't going to change. Bad idea? Yes. Does it matter? No. I need to get to the Cisco -now-. And I'm not going to 'not' go into the Cisco -now- because it's a 'bad' certificate.
I would actually argue that the whole X.509 system is defective by design, so the cert nonsense is just taking a broken situation and making it stupid.
Why is it broken, you ask? Because I am not paying Verisign or Thawte or GoDaddy or any of their ilk a shaved penny more than I have to. By locking the X.509 infrastructure into the for-pay structure, it was doomed from the start. And getting a 'master' cert (the one that lets you generate other certs for my stuff and my clients' stuff) ain't cheap, and usually the terms are that each of those gives a percentage to Verisign or Thawte. Not no, but hell no. I can do my own, thank you very much. And so we start the argument over again.
Anyway, thanks for letting me rant.