SSL Question Corner

From time to time, in the blogosphere or mailing lists, I will get questions about various security decisions we make in Firefox.  Here’s one that has been popular lately:

Q: I think you are dumb.

It is worded in a variety of ways, of course, but that’s the basic thrust.  A longer version might read:

Q: Why has Firefox started treating self-signed SSL certificates as untrustworthy?  I just want encryption, I don’t care that the cert hasn’t been signed by a certificate authority, and anyhow I don’t want to pay hundreds of dollars just to secure my communications.

There are a couple of implicit assumptions we should dispense with up front, before tackling the meat of the question, to wit:

  1. “Why has Firefox started treating…”  Firefox has been treating self-signed certificates as disconcerting for quite some time.  In Firefox 2, you would get a giant dialog box popping up asking what to do with them.  It was farcically easy to dismiss since just hitting OK would proceed to the site, and since the default was a temporary pass, not a permanent one, you saw the dialog frequently, making it even easier to ignore.  Firefox 3 has absolutely changed that flow — more on that later — but there is nothing new here.
  2. “ … I don’t want to pay hundreds of dollars …” Several CAs accepted by all major browsers sell certificates for less than $20/yr, and StartSSL, in the Firefox 3 root store, offers them for free.

Those concerns are red herrings, the real concern is in the middle:  “Why treat self-signed SSL as untrustworthy?  I just want encryption.”  Let’s explore this.

First of all, this isn’t quite right.  You never *just* want encryption, you want encryption to a particular system.  The whole reason for having encryption is that you don’t want various ill-doers doing ill with your data, so clearly you want encryption that isn’t going to those people.

“So fine, I want encryption to a particular system,” you say, “but I don’t need a CA to prove that my friend’s webmail is trustworthy.  CAs don’t even do that anyhow.  I trust him, Firefox should get out of my way.”

Yes, absolutely – the browser is your agent, and if you trust your friend’s webmail, you should be able to tell Firefox to do so as well.  But how do you know that’s who you’re talking to?

Permit me 3 short digressions…

Digression the First: Ettercap, webmitm, and friends

What if I told you that there were a group of programs out there that made it trivial, brain-dead simple, to intercept your web traffic, log it, and then pass it through without you ever noticing?  These “Man in the Middle” attacks used to be the stuff of scary security fiction, but now they are point-and-click.

If one of these is running on your network (you know, like the packet sniffers you’re protecting against with encryption in the first place) it will poison your network so that all requests go through them.  It will then transparently fetch and pass off any regular web pages without you noticing (after logging anything juicy, of course).  If you request an SSL page, it will generate its own certificate whose human readable details match the real site, same organization name, same domain name, everything, and use that to masquerade as the site in question.  The only difference is, it will be self-signed, since the tool obviously can’t get a CA signature.

Digression the Second: Drive-By Router Reconfig

Do you use one of those home cable-dsl-router/wifi-access-point thingies?  For the last couple years, security folks have gotten giggles out of finding ways to break them, and the number one thing they do is rewrite your network configuration so that your connections go to computers of their choosing.  If your router is subverted in this way, the only hint you might have is that your secure sites have all become self-signed.

Digression the Third: Kaminsky Breaks the Internet

This week I’m at the Black Hat security conference in Vegas, where it is a virtual certainty that Dan Kaminsky is going to outline an attack that lets any site on the internet pretend to be any other site on the internet.  I can pretend to be paypal.com.  You can pretend to be bankofamerica.com.  If your ISP doesn’t fix all of their servers, one aforementioned doer-of-ill can trick them into sending all of their customers to forgeries of the actual sites they seek.  They don’t even have to be on the same network anymore.  This is substantially easier than packet sniffing. The only thing that will tell you whether the sites you are visiting are real is the existence of a trusted certificate, which only the legitimate site can have.

Back to the Plot

The question isn’t whether you trust your buddy’s webmail – of course you do, your buddy’s a good guy – the question is whether that’s even his server at all.  With a CA-signed cert, we trust that it is – CAs are required to maintain third party audits of their issuing criteria, and Mozilla requires verification of domain ownership to be one of them.

With a self-signed certificate, we don’t know whether to trust it or not.  It’s not that these certificates are implicitly evil, it’s that they are implicitly untrusted – no one has vouched for them, so we ask the user.  There is language in the dialogs that talks about how legitimate banks and other public web sites shouldn’t use them, because it is in precisely those cases that we want novice users to feel some trepidation, and exercise some caution. There is a real possibility there, hopefully slim, that they are being attacked, and there is no other way for us to know.

On the other hand – if you visit a server which does have a legitimate need for a self-signed certificate, Firefox basically asks you to say “I know you don’t trust this certificate, but I do.”  You add an exception, and assuming you make it permanent, Firefox will begin trusting that specific cert to identify that specific site.  What’s more, you’ll now get the same protection as a CA signed cert – if you are attacked and someone tries to insert themselves between you and your webmail, the warning will come up again.

I don’t think the approach in Firefox 3 is perfect, I’m not sure any of us do. I have filed bugs, and talked about things I think we could do to continue to enhance our users’ security while at the same time reducing unnecessary annoyances.  You’ll notice that Firefox 3 has fewer “Warning: you are submitting a search to a search engine” dialog boxes than Firefox 2 did, and it’s because of precisely this desire.

I welcome people who want to make constructive progress towards a safer internet and a happier browsing experience. That’s what motivated this change, it’s what motivates everything we do with the browser, really.  So it sure would be nice if we didn’t start from the assumption that changes are motivated by greed, malice, or stupidity.

81 comments

  1. I agree with the warning’s and the dialog boxes, the problem is with hardware devices which use HTTPS to get to their embedded web page for log files, etc. WHEN FF3 decides that the self signed cert from a router is not valid and will not allow you to bypass it no matter what you do and then you have to use IE to access the router what good is that??? It forces me to use IE and since we have several apps which do not work on IE7 I am stuck accessing several routes with IE6 and without tabbed browsing. The router vendor (Cisco) will not change the cert for the routers which FF3 refuses to accept and indicates that since it works with IE that it must be a problem with FF3.. Also since the Routers are on an internal network behind a firewall with no web access why can I not tell FF3 to just accept the cert even though FF3 claims it has the same serial number as another cert from the same device??? Note also since the routers are on an internal network none of them have DNS entries anywhere so immediately FF3 complains that the cert also does not belong to the device. I know that the hostname in the router is not the same as the IP thats the way its designed for security.

  2. [...] officials directed inquires on the certificate topic to a blog penned by Mozilla developer Jonathan Nightingale, who wrote that one reason for the changes is that [...]

  3. I disagree with Jonathan wholeheartedly on the Firefox’s treatment of SSL’s in FF3.

    1. The new SSL interface is overly dramatic and not very intuitive.
    2. I especially disagree with his take on self-signed SSLs and here’s why:

    I’ve been hosting web sites for the past few years and recently started reselling SSLs and discovered something interesting. The entire SSL industry is a giant sham.

    Buying an SSL from a “trusted” source provides nothing more than “encryption” which is basically the same as setting up a self-signed SSL.

    I could be Joe Schister and set up flybynight.com and easily purchase an SSL from any SSL provider: the so-called trusted providers do no verification of who I am unless I buy one of the $1000 SSLs which is ridiculously expensive. I can buy one of those cheap Rapid SSL as most do which doesn’t even provide address information regarding the vendor so what’s the point?

    Like I said, the trusted providers don’t verify the information I provide for most SSLs I buy on behalf of clients and more importantly, your web site visitors are only interested in seeing that little lock appear somewhere in their browser. The average customer doesn’t understand SSL except to look for the lock symbol.

    I have to wonder of the trusted providers didn’t do some lobbying to have Firefox throw up these dramatic warnings about self-signed SSLs.

    To anyone who wants to buy an SSL, just buy the cheapest SSL available. It makes no difference and if you can find the time to create your own, then go ahead. Unfortunately, Firefox will make that difficult.

    Other than that, Firefox 3 is a great improvement over V2.

    Cheers
    Glenn

  4. [...] that I usually visit didn’t reveal any major problems. Chrome also enforces the same kind of warning about self-signed SSL certs that Firefox 3.0 introduced but doesn’t present quite as intimidating a warning. Performance seems pretty good but I [...]

  5. As others have noted, there are numerous errors in your logic, which is essentially that you feel your users are idiots who need to be protected from themselves. This is a very Microsoft attitude.

    You’ve made Firefox less useful to me — and insulted me in the process.

    Stick in whatever error message you want, just give me specific information and allow me to decide what to do — and in the future please save the sanctimonious preaching for your neighborhood association or PTA meetings.

    –Bill

  6. See Bug 433422, ‘Self-signed SSL certificates should not be labeled as “invalid”‘ [because that's incorrect and confusing].

    https://bugzilla.mozilla.org/show_bug.cgi?id=433422

    While I sort of understand the logic behind certificates, it seems to me that if it takes a whole blog to explain it, maybe something is too complicated. If you get 55 comments and lots of people still don’t agree or understand, then maybe something is too complicated. If the blog concludes, weakly, that “I don’t think the approach in Firefox 3 is perfect, I’m not sure any of us do”, then maybe something is too complicated.

    Maybe a simply worded, ACCURATE warning would help here.

  7. Hi,
    I have been using a private CA for sometime now – and have imported the CA cert for a valid chain for all internal sites – by group policy etc…

    With firefox 2 that worked perfectly no error messages etc… We appear to have all the correct settings for both the ssl and the CA certs. But with firefox 3 I get the sec_error_unknown_issuer
    Even though I have manually imported the private CA root cert. I have read through the nss documentation and we appear to have all the proper OIDS. Anyway we can get a link to a more detailed version of what it takes for a private CA to actually function after import of root cert – manually as firefox 3 does not appear to have any api’s available for cert management :-)

    Done a lot of searching – and I like firefox – linux combo and so do a lot of my users but I sure am missing something.

    Thanks in advance for any help – not an expert in certs – but have had good luck so far with clear instructions and a trusted private ca root install for users – And I really don’t want to train folks to add exceptions etc for all the reasons in your blog…

  8. Why are people not pissed off by ssh asking them the very same question?

  9. I don’t have problem with Firefox warning me about the validity of a self-signed cert. I don’t even have a problem with needing to click an extra button or two. But four steps in unreasonable.

    As a developer, I work with self-signed certs often and I find it very annoying to use Firefox with these sites. And as a result, I’ve pretty much stopped using it. I use Firefox 2 on Windows and Linux, and Camino on OS X.

    Imposing annoyances on users because you think you know what’s better for them is a spectacularly bad idea. You can’t fix stupid — ignorant users will continue to screw themselves regardless of your efforts. So really you just end up annoying the smart people who like your product. And well, if you continue to annoy your customers they won’t be your customers much longer.

    So you can pretend you know best and ruin your product, or you work to EDUCATE people and improve the quality of the product without sacrificing usability.

    Just my two cents…

  10. Well, I would not ask Firefox developers “please, reconsider…”. I rather tell Firefox Developers that this “smart feature” will make regular people (80-90% of the users, i.e. not like FF developers that don’t seem to be connected to the reality) to switch back to IE. So many years in vain…

  11. …an addition to above ^

    Why do most people spend time on the web? Is it maybe that they have needs (http://en.wikipedia.org/wiki/Maslow%27s_hierarchy_of_needs) and Internet satisfies some of them? If my sister (that got nu clue about what SSL is even if she is a doctor) want a flying ticket asap and receives SSL-error message in on browser and not in another one. Should she use the first one – the one that block her goal(s) in life because of stupid principles (that she don’t even want to care about)? I doubt it…or rather I know which one she choose because I saw it live. After wards she was satisfied. With the other browser that is.

    This reminds me of bureaucracy in low developed countries and Microsoft; FF are you a becoming a big corporation now?

  12. “the only hint you might have is that your secure sites have all become self-signed.”

    It seems that I am stuck trying to fix one of these computers that has this problem. I have no idea where to begin… I can’t find any more virii (mbam, spybot s&d, kaspersky.) Guess I’ll check the router again…

  13. Hi Mozilla Team,

    Thanks for this execellent UI change!

    Whoooohoooo!!!

    - the IE Team.

  14. Hi,
    I’m surprised that no-one highlighted the issue that if a page loaded over http will load resources (like js files or flash loading data) from the https version of the same domain, Firefox will fail silently if the certificate is self-signed! I agree with the new way of handling these certificates, but why does that not apply to these cases? I would not want to force my users to go to the https version of the site by default. Anyone else had this problem?

  15. You are ignoring one very very important thing. Yes we all know CAs serve a purpose, man in the middle attacks can occur, properly signed certificates are needed to stop them blah blah blah.

    However, when I go to a completely unprotected, unencrypted, no proof of identity site …. I get no warnings of any kind, yet if I try to add encryption to my site, firefox acts like I’m visiting the ultimate den of evil hackers that want to steal my life and kill my family…

    That makes no sense at all, a site with encryption is FAR more secure that a site that is completely unencrypted. Not as secure as a properly CA signed and verified site, sure, but can you seriously say with a straight face its not better than transmitting in plaintext?!

    In other words

    CA Signed cert > Self signed cert >>>>>>>>>>>>>>>>>>>>>>>>>>>> no encryption, and the browser needs to reflect THAT.

    The current system actually encourages people to just not encrypt the site at all, at least then the users won’t get any warnings.

    If the concern is users can’t understand the difference between a signed, encrypted, and verified site, and a site that is only encrypted without any proof of identity, that’s fine. Just show the self signed sites the same as a plain unencrypted site. Bury the fact that its encrypted in a detail page somewhere so that those of us who care can determine if its working at all, as I said theres no way you can argue it isn’t AT LEAST as secure as a regular unencrypted site.

  16. As an ordinary no nonsense browser user I liked a number of the good things about Firefox and the Mozilla line but THIS IS A DEAL BREAKER!

    I don’t want somebody else DECIDING what site I should go to – even if that somebody else considers it “dangerous”. I am intelligent enough to make choices for myself and I will accept a warning but not a denial of service which I consider this “feature”.

    Goodbye Firefox. Until you respect me and my ability to make my own decisions you are useless to me as a browser.

    NED

  17. As further explanation:

    I am sick and tired of the nanny state tellimg me before each program and after each commercial break on TV that “caution is advised”. Censors want to pick what I watch and treat me as an idiot who is incapable of recognizing that something called “Extreme Prejudice With A Vengeance” will involve gunfire. There are too many similar examples of idiots catering to the lowest denominator when “providing services” because they believe the rest of the population is just like them or more stupid.

    In like manner FF is turning into the nanny browser IMO.

    Just look at a simple example of a recent use. My cell phone is not the latest and I was in need of a replacement accessory. I went to Google and entered – “Cell phone accessories” ‘phone name’ adpter -. A good 1/3 of the sites I chose to look at in the resultant output were ‘blocked’ by FF. I know what is happening with FF is not actually a DOS but with all the extra gyrations I have to go through to reach the site the frustration level induced is similar.

    Yes of course I could add clicks to each site – accept is as unsafe but one I still want to see – and eventually get to see what the site had. But all I wanted to do was go directly to the site, see if they had what I wanted, check the price they were charging and decide which site had the best value for my money. I may never visit the site again so see no need to continually build a database of sites FF considers risky for my browsing. With a search of this nature I certainly don’t expect malicious code to be added to my machine/network by visiting the site, and anyhow I have security software to catch such invasion attempts.

    This is not the first result of this nature I have encountered with FF 3. I have had the same thing happen when searching for non academic information or researching a particular topic of interest I want to write on.

    So while I don’t really care what the message says the fact that it obtrusively appears and cannot be turned off is enough to lead me to abandon an otherwise decent browser because I don’t need the hassle it causes me to use it. As far as I’m concerned FF2 handled this feature to my satisfaction.

    I trust this answers your question Johnathan and thank you for your interest in my comment.

    NED

  18. My parents in law just switched back from Firefox to IE because they could not see the pictures of their grandchild on my home-server.

    This is the type of reallife examples that is happening right now, all over the world.

    Thanks for that.

  19. So most uses of self-signed certs are to protect passwords. How about Mozilla puts some effort behind RFC 5054, SRP/TLS which sets up an encrypted session based on passwords, instead of making excuses for the 10-year old poor technology that is PKIX.

  20. Don’t worry. Don’t argue. Switch to a different browser. That is the language a developer understands.

  21. I am so very, really, BLOODY sick of FF3′s idiotic certificate behavior. Fix the DAMN thing!!! The poor quality of the error message and the ‘you’re too stupid to manage your own browser’ approach to security are so off-putting that I’ve mostly stopped using FireFox. I like having a very visible warning but not giving me the opportunity to make my own decisions, without digging through all kinds of overly complicated BULLSHIT, about security is driving me away.

  22. Ah, Never Mind the previous post… Turns out it was a plug-in behaving very badly. Watch out for Broadband Speed Test and Diagnostics 1.1 it overrides the default FF3 SSL behavior, which really has been fixed to play nice.

  23. Hello,

    Got the same problem as James but with Errorzilla Mod. In the case of a self-signed cert there is no “add an exception” wayout.

    Anyway, thanks for this article about security concerns, it finally convinced me to get a third party signed cert (startssl) to prevent my visitors to get “afraid” by the security warning in FF3.

  24. Hello,

    thanks for writing this post. It definitely brings some light into the argument of why the UI was rebuilt to be so apparently braindead in FF3.

    Also if the pointer to StartSSL (which I will have to look into a bit more) could be published a bit more prominent…

    What really gets me about the new Security Dialog:

    Firstly: why on earth do I have to click that frickin’ little button to get the certificate! I would expect the browser to fetch it for me while it opens that dialog!

    Secondly: I really want an about:config-option to set the default to accept the exception only temporarily, thus saving me another mouse-stunt!

    Given the above modifications, I could even live without the enter key automatically choosing ok (as long as the dialog remains navigational using only the keyboard).

    My rationale is that most of the time when I personally run into a SSL-site I either want to be sure it’s safe (thus some warning is good) or sometimes I just want to read some (low priority and security) information presented on a self-signed site and then it’s just a p*** in the a** to get to that information and not worth the minutes wasted when researching something and having 20 other tabs that might have also valuable information. But it is entirely possible that the site I ignored due to the FF3 idiocity has exactly the information I really wanted, so to ease my dilemma I’m really condidering switching my browser.

    Cheers, and I’d appreciate your feedback

  25. @58.behdad
    > Why are people not pissed off
    > by ssh asking them the very
    > same question?

    Because ssh has a sane UI

  26. [...] self-signed certificates and this is also the crowd making most of the noise! Johnathan’s SSL Question Corner tries to explain – I’d say with limited success – why Mozilla implemented such a rigorous [...]

  27. I completely understand the reasoning behind this and I don’t really have any issues with it. I was just wondering if you know anything that I might be able to do about getting a certificate for a subdomain?

    I signed up for a StartSSL account, but they don’t do subdomains…

  28. I could live with the dialog and clicks and explaining to everyone what it meant, how to interpret this “dire warning”, when to be concerned and when not to.

    But now with 3.0.3 it appears to be unacceptably worse. I can find no way at all to enter an exception. The dialog in the browser itself no longer offers any recourse. It just says “localhost:443 uses an invalid security certificate.” I can not get the certificate imported or entered as an exception in the preferences panel, again because it is claims an self-signed certificate is invalid. WTF! I can’t even enter an exception anymore.

    I’m developing web applications, and we DO have the full-on signed certificates – on our production servers. This is absolutely preventing me from developing and testing. (My exception, imported in a previous version, expired tonight and after a couple hours wasted I realize firefox has screwed me.)

    Sadly, switching to Safari because I have to get work done.

  29. Would it be possible for firefox, upon receiving an SSL cert for (say) “Bobby’s Bank”, do a search of the various CA’s (or perhaps a unified CA database (CAUDB) if possible), and see if a trusted certificate for “Bobby’s Bank” already exists, and if it matches the one https://www.bobbysbank.com/ has just sent us. If there is no match, then FF should simply warn that the site is unknown, and the user should be careful if entering personal information or usernames & passwords.

    Of course CA’s would have to co-operate and set up the CAUDB, itself encrypted through SSL and signed by ALL CA’s. But FF would *know* a priori that a self-signed certificate for the CAUDB would be inacceptable irrespective of the user’s wishes. FF could have the CAUDB SSL key hardwired, and it’s IP address too to prevent DNS attacks. If the CA’s can’t agree on a CAUDB, then FF could hardwire all their IP’s and SSL keys. This way no-one could MITM a CA/CAUDB site.

    The only problem I see is if a virus cleverly rewrites FF’s internal, hardwired CA and certificate database. But maybe some hash-function guru could come up with a way to easily catch such an attack. In any case, this problem already exists (or perhaps it doesn’t?).

    An advantage would be that a single compromised CA’s signing key would not affect the CAUDB validity as the CAUDB SSL key has to be signed by *ALL* participating CA’s.

    As a second point, I would try the following wording in the event of encountering a self-signed SSL key:

    “You are entering an encrypted web-site which has not been verified by any internationally recognized verification authority.

    - If this is an “important site” (e.g. a bank/shop/online retailer/services) this is VERY DANGEROUS and PROBABLY AN ATTEMPTED FRAUD – DO NOT PROCEED UNLESS YOU ARE CERTAIN THE SITE YOU ARE VISITING IS VALID – please contact the site-owner.

    - If this is a less important site (e.g. email/facebook/friend’s website) please contact the site-owner and verify this site’s unique fingerprint code shown below before proceeding.

    - More details are shown below. Click “I don’t understand this message” for further instructions.”

    How’s that?

    Cheers,
    Fergal.

  30. [...] in a way that wouldn’t get you ostracized from a security conscious community. Johnathon has warned the blogosphere at large why self-signed certs are bad and why Firefox makes you jump through hoops to allow a [...]

  31. [...] johnath feels the warnings are appropriate because there are point and click programs that can log encrypted traffic by spoofing self-signed [...]