SSL Question Corner

From time to time, in the blogosphere or mailing lists, I will get questions about various security decisions we make in Firefox.  Here’s one that has been popular lately:

Q: I think you are dumb.

It is worded in a variety of ways, of course, but that’s the basic thrust.  A longer version might read:

Q: Why has Firefox started treating self-signed SSL certificates as untrustworthy?  I just want encryption, I don’t care that the cert hasn’t been signed by a certificate authority, and anyhow I don’t want to pay hundreds of dollars just to secure my communications.

There are a couple of implicit assumptions we should dispense with up front, before tackling the meat of the question, to wit:

  1. “Why has Firefox started treating…”  Firefox has been treating self-signed certificates as disconcerting for quite some time.  In Firefox 2, you would get a giant dialog box popping up asking what to do with them.  It was farcically easy to dismiss since just hitting OK would proceed to the site, and since the default was a temporary pass, not a permanent one, you saw the dialog frequently, making it even easier to ignore.  Firefox 3 has absolutely changed that flow — more on that later — but there is nothing new here.
  2. “ … I don’t want to pay hundreds of dollars …” Several CAs accepted by all major browsers sell certificates for less than $20/yr, and StartSSL, in the Firefox 3 root store, offers them for free.

Those concerns are red herrings; the real concern is in the middle:  “Why treat self-signed SSL as untrustworthy?  I just want encryption.”  Let’s explore this.

First of all, this isn’t quite right.  You never *just* want encryption, you want encryption to a particular system.  The whole reason for having encryption is that you don’t want various ill-doers doing ill with your data, so clearly you want encryption that isn’t going to those people.

“So fine, I want encryption to a particular system,” you say, “but I don’t need a CA to prove that my friend’s webmail is trustworthy.  CAs don’t even do that anyhow.  I trust him, Firefox should get out of my way.”

Yes, absolutely – the browser is your agent, and if you trust your friend’s webmail, you should be able to tell Firefox to do so as well.  But how do you know that’s who you’re talking to?

Permit me 3 short digressions…

Digression the First: Ettercap, webmitm, and friends

What if I told you that there was a group of programs out there that made it trivial, brain-dead simple, to intercept your web traffic, log it, and then pass it through without you ever noticing?  These “Man in the Middle” attacks used to be the stuff of scary security fiction, but now they are point-and-click.

If one of these is running on your network (you know, like the packet sniffers you’re protecting against with encryption in the first place) it will poison your network so that all requests go through them.  It will then transparently fetch and pass off any regular web pages without you noticing (after logging anything juicy, of course).  If you request an SSL page, it will generate its own certificate whose human readable details match the real site, same organization name, same domain name, everything, and use that to masquerade as the site in question.  The only difference is, it will be self-signed, since the tool obviously can’t get a CA signature.

Digression the Second: Drive-By Router Reconfig

Do you use one of those home cable-dsl-router/wifi-access-point thingies?  For the last couple years, security folks have gotten giggles out of finding ways to break them, and the number one thing they do is rewrite your network configuration so that your connections go to computers of their choosing.  If your router is subverted in this way, the only hint you might have is that your secure sites have all become self-signed.

Digression the Third: Kaminsky Breaks the Internet

This week I’m at the Black Hat security conference in Vegas, where it is a virtual certainty that Dan Kaminsky is going to outline an attack that lets any site on the internet pretend to be any other site on the internet.  I can pretend to be paypal.com.  You can pretend to be bankofamerica.com.  If your ISP doesn’t fix all of their servers, one aforementioned doer-of-ill can trick them into sending all of their customers to forgeries of the actual sites they seek.  They don’t even have to be on the same network anymore.  This is substantially easier than packet sniffing. The only thing that will tell you whether the sites you are visiting are real is the existence of a trusted certificate, which only the legitimate site can have.

Back to the Plot

The question isn’t whether you trust your buddy’s webmail – of course you do, your buddy’s a good guy – the question is whether that’s even his server at all.  With a CA-signed cert, we trust that it is – CAs are required to maintain third party audits of their issuing criteria, and Mozilla requires verification of domain ownership to be one of them.

With a self-signed certificate, we don’t know whether to trust it or not.  It’s not that these certificates are implicitly evil, it’s that they are implicitly untrusted – no one has vouched for them, so we ask the user.  There is language in the dialogs that talks about how legitimate banks and other public web sites shouldn’t use them, because it is in precisely those cases that we want novice users to feel some trepidation, and exercise some caution. There is a real possibility there, hopefully slim, that they are being attacked, and there is no other way for us to know.

On the other hand – if you visit a server which does have a legitimate need for a self-signed certificate, Firefox basically asks you to say “I know you don’t trust this certificate, but I do.”  You add an exception, and assuming you make it permanent, Firefox will begin trusting that specific cert to identify that specific site.  What’s more, you’ll now get the same protection as a CA signed cert – if you are attacked and someone tries to insert themselves between you and your webmail, the warning will come up again.
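A simplified model of the exception behaviour described above, as an added example rather than Firefox's actual code: an exception binds one exact certificate to one site, so a look-alike self-signed certificate with identical human-readable fields still triggers the warning. The class and function names and the sample byte strings are assumptions made for illustration, and chain and hostname validation for CA-signed certificates is assumed to happen elsewhere.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class PresentedCert:
    der: bytes          # certificate bytes exactly as received in the handshake
    common_name: str    # human-readable fields: anyone can put anything here
    organization: str
    ca_signed: bool     # assumed result of chain validation done elsewhere


def fingerprint(cert: PresentedCert) -> str:
    """SHA-256 over the whole certificate, so any change of key changes it."""
    return hashlib.sha256(cert.der).hexdigest()


class ExceptionStore:
    """Per-site exceptions: (host, port) -> fingerprint of the one accepted cert."""

    def __init__(self):
        self._pins = {}  # (host, port) -> (fingerprint, permanent)

    def add_exception(self, host, port, cert, permanent=True):
        self._pins[(host.lower(), port)] = (fingerprint(cert), permanent)

    def end_session(self):
        # Temporary exceptions do not survive a restart; permanent ones do.
        self._pins = {k: v for k, v in self._pins.items() if v[1]}

    def evaluate(self, host, port, cert):
        if cert.ca_signed:
            return ("trust", "chains to a trusted CA")
        pin = self._pins.get((host.lower(), port))
        if pin is None:
            return ("warn", "no exception stored for this site")
        if hmac.compare_digest(pin[0], fingerprint(cert)):
            return ("trust", "matches stored exception")
        return ("warn", "certificate differs from stored exception")


# Constructed sample data: stand-in byte strings, not real DER certificates.
FRIEND = PresentedCert(b"constructed-cert/friend-public-key",
                       "webmail.friend.example", "Friend's Webmail", False)
FORGED = PresentedCert(b"constructed-cert/interceptor-public-key",
                       "webmail.friend.example", "Friend's Webmail", False)


def demo():
    site = ("webmail.friend.example", 443)
    store = ExceptionStore()
    results = [store.evaluate(*site, FRIEND)[0]]               # first visit
    store.add_exception(*site, FRIEND)                         # user vouches for it
    results.append(store.evaluate(*site, FRIEND)[0])           # same cert again
    results.append(store.evaluate(*site, FORGED)[0])           # same names, new key
    results.append(store.evaluate("other.example", 443, FRIEND)[0])  # other site
    return results


if __name__ == "__main__":
    print(demo())
```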

I don’t think the approach in Firefox 3 is perfect, I’m not sure any of us do. I have filed bugs, and talked about things I think we could do to continue to enhance our users’ security while at the same time reducing unnecessary annoyances.  You’ll notice that Firefox 3 has fewer “Warning: you are submitting a search to a search engine” dialog boxes than Firefox 2 did, and it’s because of precisely this desire.

I welcome people who want to make constructive progress towards a safer internet and a happier browsing experience. That’s what motivated this change, it’s what motivates everything we do with the browser, really.  So it sure would be nice if we didn’t start from the assumption that changes are motivated by greed, malice, or stupidity.

81 comments

  1. Well, I would not ask Firefox developers “please, reconsider…”. I would rather tell Firefox Developers that this “smart feature” will make regular people (80-90% of the users, i.e. not like FF developers that don’t seem to be connected to reality) switch back to IE. So many years in vain…

  2. …an addition to above ^

    Why do most people spend time on the web? Is it maybe that they have needs (http://en.wikipedia.org/wiki/Maslow%27s_hierarchy_of_needs) and Internet satisfies some of them? If my sister (that got no clue about what SSL is even if she is a doctor) wants a flying ticket asap and receives an SSL-error message in one browser and not in another one. Should she use the first one – the one that blocks her goal(s) in life because of stupid principles (that she doesn’t even want to care about)? I doubt it…or rather I know which one she chose because I saw it live. Afterwards she was satisfied. With the other browser that is.

    This reminds me of bureaucracy in low developed countries and Microsoft; FF, are you becoming a big corporation now?

  3. “the only hint you might have is that your secure sites have all become self-signed.”

    It seems that I am stuck trying to fix one of these computers that has this problem. I have no idea where to begin… I can’t find any more virii (mbam, spybot s&d, kaspersky.) Guess I’ll check the router again…

  4. Hi Mozilla Team,

    Thanks for this excellent UI change!

    Whoooohoooo!!!

    - the IE Team.

  5. Hi,
    I’m surprised that no-one highlighted the issue that if a page loaded over http will load resources (like js files or flash loading data) from the https version of the same domain, Firefox will fail silently if the certificate is self-signed! I agree with the new way of handling these certificates, but why does that not apply to these cases? I would not want to force my users to go to the https version of the site by default. Anyone else had this problem?

  6. You are ignoring one very very important thing. Yes we all know CAs serve a purpose, man in the middle attacks can occur, properly signed certificates are needed to stop them blah blah blah.

    However, when I go to a completely unprotected, unencrypted, no proof of identity site …. I get no warnings of any kind, yet if I try to add encryption to my site, firefox acts like I’m visiting the ultimate den of evil hackers that want to steal my life and kill my family…

    That makes no sense at all, a site with encryption is FAR more secure than a site that is completely unencrypted. Not as secure as a properly CA signed and verified site, sure, but can you seriously say with a straight face it’s not better than transmitting in plaintext?!

    In other words

    CA Signed cert > Self signed cert >>>>>>>>>>>>>>>>>>>>>>>>>>>> no encryption, and the browser needs to reflect THAT.

    The current system actually encourages people to just not encrypt the site at all, at least then the users won’t get any warnings.

    If the concern is users can’t understand the difference between a signed, encrypted, and verified site, and a site that is only encrypted without any proof of identity, that’s fine. Just show the self signed sites the same as a plain unencrypted site. Bury the fact that it’s encrypted in a detail page somewhere so that those of us who care can determine if it’s working at all, as I said there’s no way you can argue it isn’t AT LEAST as secure as a regular unencrypted site.

  7. As an ordinary no nonsense browser user I liked a number of the good things about Firefox and the Mozilla line but THIS IS A DEAL BREAKER!

    I don’t want somebody else DECIDING what site I should go to – even if that somebody else considers it “dangerous”. I am intelligent enough to make choices for myself and I will accept a warning but not a denial of service which I consider this “feature”.

    Goodbye Firefox. Until you respect me and my ability to make my own decisions you are useless to me as a browser.

    NED

  8. As further explanation:

    I am sick and tired of the nanny state telling me before each program and after each commercial break on TV that “caution is advised”. Censors want to pick what I watch and treat me as an idiot who is incapable of recognizing that something called “Extreme Prejudice With A Vengeance” will involve gunfire. There are too many similar examples of idiots catering to the lowest denominator when “providing services” because they believe the rest of the population is just like them or more stupid.

    In like manner FF is turning into the nanny browser IMO.

    Just look at a simple example of a recent use. My cell phone is not the latest and I was in need of a replacement accessory. I went to Google and entered – “Cell phone accessories” ‘phone name’ adpter -. A good 1/3 of the sites I chose to look at in the resultant output were ‘blocked’ by FF. I know what is happening with FF is not actually a DOS but with all the extra gyrations I have to go through to reach the site the frustration level induced is similar.

    Yes of course I could add clicks to each site – accept it as unsafe but one I still want to see – and eventually get to see what the site had. But all I wanted to do was go directly to the site, see if they had what I wanted, check the price they were charging and decide which site had the best value for my money. I may never visit the site again so see no need to continually build a database of sites FF considers risky for my browsing. With a search of this nature I certainly don’t expect malicious code to be added to my machine/network by visiting the site, and anyhow I have security software to catch such invasion attempts.

    This is not the first result of this nature I have encountered with FF 3. I have had the same thing happen when searching for non academic information or researching a particular topic of interest I want to write on.

    So while I don’t really care what the message says the fact that it obtrusively appears and cannot be turned off is enough to lead me to abandon an otherwise decent browser because I don’t need the hassle it causes me to use it. As far as I’m concerned FF2 handled this feature to my satisfaction.

    I trust this answers your question Johnathan and thank you for your interest in my comment.

    NED

  9. My parents in law just switched back from Firefox to IE because they could not see the pictures of their grandchild on my home-server.

    This is the type of real-life example that is happening right now, all over the world.

    Thanks for that.

  10. So most uses of self-signed certs are to protect passwords. How about Mozilla puts some effort behind RFC 5054, SRP/TLS which sets up an encrypted session based on passwords, instead of making excuses for the 10-year old poor technology that is PKIX.

  11. Don’t worry. Don’t argue. Switch to a different browser. That is the language a developer understands.

  12. I am so very, really, BLOODY sick of FF3’s idiotic certificate behavior. Fix the DAMN thing!!! The poor quality of the error message and the ‘you’re too stupid to manage your own browser’ approach to security are so off-putting that I’ve mostly stopped using FireFox. I like having a very visible warning but not giving me the opportunity to make my own decisions, without digging through all kinds of overly complicated BULLSHIT, about security is driving me away.

  13. Ah, Never Mind the previous post… Turns out it was a plug-in behaving very badly. Watch out for Broadband Speed Test and Diagnostics 1.1 it overrides the default FF3 SSL behavior, which really has been fixed to play nice.

  14. Hello,

    Got the same problem as James but with Errorzilla Mod. In the case of a self-signed cert there is no “add an exception” wayout.

    Anyway, thanks for this article about security concerns, it finally convinced me to get a third party signed cert (startssl) to prevent my visitors from getting “afraid” by the security warning in FF3.

  15. Hello,

    thanks for writing this post. It definitely brings some light into the argument of why the UI was rebuilt to be so apparently braindead in FF3.

    Also if the pointer to StartSSL (which I will have to look into a bit more) could be published a bit more prominent…

    What really gets me about the new Security Dialog:

    Firstly: why on earth do I have to click that frickin’ little button to get the certificate! I would expect the browser to fetch it for me while it opens that dialog!

    Secondly: I really want an about:config-option to set the default to accept the exception only temporarily, thus saving me another mouse-stunt!

    Given the above modifications, I could even live without the enter key automatically choosing ok (as long as the dialog remains navigational using only the keyboard).

    My rationale is that most of the time when I personally run into a SSL-site I either want to be sure it’s safe (thus some warning is good) or sometimes I just want to read some (low priority and security) information presented on a self-signed site and then it’s just a p*** in the a** to get to that information and not worth the minutes wasted when researching something and having 20 other tabs that might have also valuable information. But it is entirely possible that the site I ignored due to the FF3 idiocy has exactly the information I really wanted, so to ease my dilemma I’m really considering switching my browser.

    Cheers, and I’d appreciate your feedback

  16. @58.behdad
    > Why are people not pissed off
    > by ssh asking them the very
    > same question?

    Because ssh has a sane UI

  17. I completely understand the reasoning behind this and I don’t really have any issues with it. I was just wondering if you know anything that I might be able to do about getting a certificate for a subdomain?

    I signed up for a StartSSL account, but they don’t do subdomains…

  18. I could live with the dialog and clicks and explaining to everyone what it meant, how to interpret this “dire warning”, when to be concerned and when not to.

    But now with 3.0.3 it appears to be unacceptably worse. I can find no way at all to enter an exception. The dialog in the browser itself no longer offers any recourse. It just says “localhost:443 uses an invalid security certificate.” I can not get the certificate imported or entered as an exception in the preferences panel, again because it claims a self-signed certificate is invalid. WTF! I can’t even enter an exception anymore.

    I’m developing web applications, and we DO have the full-on signed certificates – on our production servers. This is absolutely preventing me from developing and testing. (My exception, imported in a previous version, expired tonight and after a couple hours wasted I realize firefox has screwed me.)

    Sadly, switching to Safari because I have to get work done.

  19. Would it be possible for firefox, upon receiving an SSL cert for (say) “Bobby’s Bank”, do a search of the various CA’s (or perhaps a unified CA database (CAUDB) if possible), and see if a trusted certificate for “Bobby’s Bank” already exists, and if it matches the one https://www.bobbysbank.com/ has just sent us. If there is no match, then FF should simply warn that the site is unknown, and the user should be careful if entering personal information or usernames & passwords.

    Of course CA’s would have to co-operate and set up the CAUDB, itself encrypted through SSL and signed by ALL CA’s. But FF would *know* a priori that a self-signed certificate for the CAUDB would be unacceptable irrespective of the user’s wishes. FF could have the CAUDB SSL key hardwired, and its IP address too to prevent DNS attacks. If the CA’s can’t agree on a CAUDB, then FF could hardwire all their IP’s and SSL keys. This way no-one could MITM a CA/CAUDB site.

    The only problem I see is if a virus cleverly rewrites FF’s internal, hardwired CA and certificate database. But maybe some hash-function guru could come up with a way to easily catch such an attack. In any case, this problem already exists (or perhaps it doesn’t?).

    An advantage would be that a single compromised CA’s signing key would not affect the CAUDB validity as the CAUDB SSL key has to be signed by *ALL* participating CA’s.

    As a second point, I would try the following wording in the event of encountering a self-signed SSL key:

    “You are entering an encrypted web-site which has not been verified by any internationally recognized verification authority.

    - If this is an “important site” (e.g. a bank/shop/online retailer/services) this is VERY DANGEROUS and PROBABLY AN ATTEMPTED FRAUD – DO NOT PROCEED UNLESS YOU ARE CERTAIN THE SITE YOU ARE VISITING IS VALID – please contact the site-owner.

    - If this is a less important site (e.g. email/facebook/friend’s website) please contact the site-owner and verify this site’s unique fingerprint code shown below before proceeding.

    - More details are shown below. Click “I don’t understand this message” for further instructions.”

    How’s that?

    Cheers,
    Fergal.