So there’s this thing at Mozilla where we try not to break the internet. Call us wacky, but it seems like a bad play. And so Rob Sayre is right to be a little miffed when it looks like we’ve done exactly that. Sayre is often right, in fact, it’s his thing that he does.
The web has this technology called SSL that lets you do two important things:
- Know who you’re talking to (because companies exist which verify this information, we’ve been over this)
- Talk to them in an encrypted, validated way so that no one can eavesdrop or tamper with the message
- Show a little padlock on your browser window
As I said, only two of them are important.
Because SSL makes these relatively useful promises, it is sort of a popular technology. Because it’s generally important to get security things *precisely right* though, and because humans are people, there’s a lot of broken SSL out there too.
What’s “broken”? Sometimes it means using the identification for one site on another site (because it’s cheapereasierfaster than getting a second one). Sometimes it means using it after it has expired. Sometimes “broken” isn’t actually broken at all, it’s just that the site is using SSL with identification they wrote themselves, so that they’re getting promise 2 (encrypted, validated), but not promise 1 (knowing who you’re talking to).
In the past, most browsers did a very dumb thing here:
This dialog, in the hands of normal people, feels like it basically amounts to:
Why change such a fun and exciting system, I hear you ask? The real problem here is that once in a while, when this kind of dialog appears, it actually might represent an actual attack. Most of the time it’s site administrator laziness, but it’s hard to tell, and it could be a real problem; it could mean that someone has hacked your internet connection (or more likely totally controls it because you connected in some public WiFi spot like a coffee shop) and is redirecting you from your bank’s web site to their own. When that happens, the fact that we’ve taught everyone to click OK blindly is a really bad thing, because we need you to stop and ask yourself what’s going on.
That’s a lot of backstory, if it was new to you, take a break here. Have a cookie.
The State of Things
In Firefox 3, one of the things a lot of people were really pushing on was that we dump these dialogs, and we have. Rob has a screenshot of what the current code does, and in case you missed it the first time, here’s another link.
Before we start talking about changing it, I want to give the crypto dudes, and particular Kai Engert from RedHat a shout-out here, because (believe it or not) I think this is actually a good first step, and was a lot of work to get implemented.
So now instead of a little, cryptic dialog box with an OK button, there’s a big, cryptic error page with no OK button. Hmm.
People are seeing that error page, and making a couple really important points:
- Everything needs to be less cryptic. Human readable would be a good start. Bug 398718
- There needs to be a way to get past it so that it’s not a dead-end. (There is, of course. There’s the Add Exception dialog added in bug 387480, which people generally seem to like, but it’s buried in the bowels of advanced prefs, so bugs like 399275 argue for making it much more directly accessible).
- You’re (excuse me) batshit fucking loco.
Security and ease of use are not intrinsically a tradeoff. Indeed, a lot of the time, good security comes from a better understanding of how people naturally work. But there are times, and this feels like one of them, where doing the safer thing for users means annoying them more, and annoying them less means failing to honour our obligation to keep them safe. Boo.
Walking and Chewing Gum
The thing is, we don’t get to just throw up our hands and say “well, better safe than sorry” nor do I think we get to say “Too annoying, let’s revert.” That slider has middle positions, where annoyance and safety are in better balance, let’s get there.
Fixing the text is important. It needs to speak in human terms about why this is a problem, and about what you can do to fix it. I do think, though, that we need to consider giving people a path from the error page to the override UI. I can already hear the furious head-smashing of anyone who understands PKI and has read the relevant literature. Click-throughs beget bad security habits, which is why I think it should still be a multi-step process that hammers home the fact that you’re doing something aggressive. But full-stop blocking our users is something that’s contentious even for known malware sites; here it feels like too much.
IE7 does this. I think they win big points for human readability there – even though they still have a click-through. I don’t know how much the red shield scares users off, maybe it does, but one-click override still turns my stomach a little. What I’d like to see from us is an action like that, but which, rather than automatically extending trust, simply shortcuts you to the exception adding dialog. The argument will be made that it’s just a longer click-through, I understand that, but my feeling is that it’s long enough, and scary enough, to get more of users’ attention. My feeling is also that we might have to eat that possibility anyhow, because if we make it sufficiently annoying for users to browse the web, they really will decide it’s a Firefox problem, since other browsers let them through. At that point we not only fail our users on the security front, we also go back to the bad old days of “only works on IE.”
Why Don’t You Just…
I love it when people have alternate suggestions, but some of the frequently recurring ones have pretty big problems. I’ll call out a few here to save re-treading (unless I’m getting them wrong, in which case we should totally retread, since they’re often held up as much simpler than this other thing we’re doing).
“Why don’t you just let the connections through quietly, and just remove any indicators of security, like the padlock, yellow address bar, verified identity, etc?” The argument here being that rather than blocking the load, why not serve the content, but not let users think it’s a secure site? Compelling, no?
Approaches like this have the really unpleasant side effect of subverting whatever good security practices our users have developed. Banks tell their customers to go to the website via a saved bookmark, rather than clicking on links in email or other web pages. That’s a good practice. Some even tell users to look for the “https” in the URL. In the case where you’re being attacked, where the cert presented is a forgery (since only the legit site can present the real one) all of these habits will tell you you’re safe. The URL says https, and you clicked on the same bookmark you always click on to get to your bank. This would be a present gift-wrapped for attackers.
“Why don’t you treat self-signed certs, which legitimate sites use when they want encryption but not identity, differently from actual breakages?”
The thing is that self-signed is no more or less trustworthy than, say, a domain-mismatched cert. Likewise for the argument about treating a self-signed cert differently from one that is signed, but by an unknown signer. I did open bug 398721 about the idea of using “Key Continuity Management” as a way to mitigate the hurt in the self-signed case while still getting the basics right, but in any event that wouldn’t make it in for Firefox 3.
To my friends and family using Firefox, don’t panic, none of this is happening in the currently released browser, you’re not going to see this debate enacting itself on a desktop near you anytime soon. We are extremely cautious about changing the experience in released products after shipping. This is happening purely among those running the up-to-the-minute versions under active development.
It will get better. Bug 398718 (my fingers have already learned how to type that one automatically) will land, and the error pages will be things that make sense, and explain your options. Bug 399275 will morph into a general discussion of what kind of path we want to create to add exceptions, or if it doesn’t, I’ll create a new one which does. We’re not going to ship a browser you can’t use. Even on sites that are doing it wrong, we put the choice in your hands, because it’s your browser. And we like you very much.