From time to time, in the blogosphere or mailing lists, I will get questions about various security decisions we make in Firefox. Here’s one that has been popular lately:
Q: I think you are dumb.
It is worded in a variety of ways, of course, but that’s the basic thrust. A longer version might read:
Q: Why has Firefox started treating self-signed SSL certificates as untrustworthy? I just want encryption, I don’t care that the cert hasn’t been signed by a certificate authority, and anyhow I don’t want to pay hundreds of dollars just to secure my communications.
There are a couple of implicit assumptions we should dispense with up front, before tackling the meat of the question, to wit:
- “Why has Firefox started treating…” Firefox has been treating self-signed certificates as disconcerting for quite some time. In Firefox 2, you would get a giant dialog box popping up asking what to do with them. It was farcically easy to dismiss since just hitting OK would proceed to the site, and since the default was a temporary pass, not a permanent one, you saw the dialog frequently, making it even easier to ignore. Firefox 3 has absolutely changed that flow — more on that later — but there is nothing new here.
- “… I don’t want to pay hundreds of dollars …” Several CAs accepted by all major browsers sell certificates for less than $20/yr, and StartSSL, in the Firefox 3 root store, offers them for free.
Those concerns are red herrings, the real concern is in the middle: “Why treat self-signed SSL as untrustworthy? I just want encryption.” Let’s explore this.
First of all, this isn’t quite right. You never *just* want encryption, you want encryption to a particular system. The whole reason for having encryption is that you don’t want various ill-doers doing ill with your data, so clearly you want encryption that isn’t going to those people.
“So fine, I want encryption to a particular system,” you say, “but I don’t need a CA to prove that my friend’s webmail is trustworthy. CAs don’t even do that anyhow. I trust him, Firefox should get out of my way.”
Yes, absolutely – the browser is your agent, and if you trust your friend’s webmail, you should be able to tell Firefox to do so as well. But how do you know that’s who you’re talking to?
Permit me 3 short digressions…
Digression the First: Ettercap, webmitm, and friends
What if I told you that there were a group of programs out there that made it trivial, brain-dead simple, to intercept your web traffic, log it, and then pass it through without you ever noticing? These “Man in the Middle” attacks used to be the stuff of scary security fiction, but now they are point-and-click.
If one of these is running on your network (you know, like the packet sniffers you’re protecting against with encryption in the first place) it will poison your network so that all requests go through them. It will then transparently fetch and pass off any regular web pages without you noticing (after logging anything juicy, of course). If you request an SSL page, it will generate its own certificate whose human readable details match the real site, same organization name, same domain name, everything, and use that to masquerade as the site in question. The only difference is, it will be self-signed, since the tool obviously can’t get a CA signature.
Digression the Second: Drive-By Router Reconfig
Do you use one of those home cable-dsl-router/wifi-access-point thingies? For the last couple years, security folks have gotten giggles out of finding ways to break them, and the number one thing they do is rewrite your network configuration so that your connections go to computers of their choosing. If your router is subverted in this way, the only hint you might have is that your secure sites have all become self-signed.
Digression the Third: Kaminsky Breaks the Internet
This week I’m at the Black Hat security conference in Vegas, where it is a virtual certainty that Dan Kaminsky is going to outline an attack that lets any site on the internet pretend to be any other site on the internet. I can pretend to be paypal.com. You can pretend to be bankofamerica.com. If your ISP doesn’t fix all of their servers, one aforementioned doer-of-ill can trick them into sending all of their customers to forgeries of the actual sites they seek. They don’t even have to be on the same network anymore. This is substantially easier than packet sniffing. The only thing that will tell you whether the sites you are visiting are real is the existence of a trusted certificate, which only the legitimate site can have.
Back to the Plot
The question isn’t whether you trust your buddy’s webmail – of course you do, your buddy’s a good guy – the question is whether that’s even his server at all. With a CA-signed cert, we trust that it is – CAs are required to maintain third party audits of their issuing criteria, and Mozilla requires verification of domain ownership to be one of them.
With a self-signed certificate, we don’t know whether to trust it or not. It’s not that these certificates are implicitly evil, it’s that they are implicitly untrusted – no one has vouched for them, so we ask the user. There is language in the dialogs that talks about how legitimate banks and other public web sites shouldn’t use them, because it is in precisely those cases that we want novice users to feel some trepidation, and exercise some caution. There is a real possibility there, hopefully slim, that they are being attacked, and there is no other way for us to know.
On the other hand – if you visit a server which does have a legitimate need for a self-signed certificate, Firefox basically asks you to say “I know you don’t trust this certificate, but I do.” You add an exception, and assuming you make it permanent, Firefox will begin trusting that specific cert to identify that specific site. What’s more, you’ll now get the same protection as a CA signed cert – if you are attacked and someone tries to insert themselves between you and your webmail, the warning will come up again.
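The exception behaviour described above can be modelled in a few lines. This is an added illustration, not Firefox's code: the `Cert` and `ExceptionStore` types, the host name and the byte strings standing in for encoded certificates are all constructed for the example, and chain validation is assumed to have happened elsewhere.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    common_name: str    # human-readable fields an interceptor can copy freely
    organization: str
    der: bytes          # constructed stand-in for the encoded cert (includes the public key)
    ca_signed: bool     # assumed result of chain validation against the root store

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


class ExceptionStore:
    """Permanent exceptions: one exact certificate bound to one exact host:port."""

    def __init__(self):
        self._pins = {}

    def add(self, host: str, port: int, cert: Cert) -> None:
        self._pins[(host.lower(), port)] = cert.fingerprint()

    def pinned(self, host: str, port: int):
        return self._pins.get((host.lower(), port))


def evaluate(host: str, port: int, cert: Cert, store: ExceptionStore) -> str:
    if cert.ca_signed:
        return "trusted: CA-signed"
    pin = store.pinned(host, port)
    if pin is None:
        return "warn: nobody has vouched for this certificate"
    if pin == cert.fingerprint():
        return "trusted: matches stored exception"
    return "warn: certificate differs from stored exception"


# Constructed sample data: identical readable details, different underlying bytes.
HOST = "webmail.friend.example"
real = Cert(HOST, "Friend's Webmail", b"constructed-der-real-key", ca_signed=False)
forged = Cert(HOST, "Friend's Webmail", b"constructed-der-attacker-key", ca_signed=False)


def demo():
    store = ExceptionStore()
    first = evaluate(HOST, 443, real, store)             # first visit
    store.add(HOST, 443, real)                           # user adds a permanent exception
    second = evaluate(HOST, 443, real, store)            # same cert, later visit
    attacked = evaluate(HOST, 443, forged, store)        # look-alike cert presented
    other = evaluate("other.example", 443, real, store)  # exception is per-site
    return first, second, attacked, other
```

The exception only helps if the certificate accepted on the first visit was the genuine one, so compare its fingerprint with the server's operator over a separate channel before adding it.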
I don’t think the approach in Firefox 3 is perfect, I’m not sure any of us do. I have filed bugs, and talked about things I think we could do to continue to enhance our users’ security while at the same time reducing unnecessary annoyances. You’ll notice that Firefox 3 has fewer “Warning: you are submitting a search to a search engine” dialog boxes than Firefox 2 did, and it’s because of precisely this desire.
I welcome people who want to make constructive progress towards a safer internet and a happier browsing experience. That’s what motivated this change, it’s what motivates everything we do with the browser, really. So it sure would be nice if we didn’t start from the assumption that changes are motivated by greed, malice, or stupidity.