SSL Question Corner

From time to time, in the blogosphere or mailing lists, I will get questions about various security decisions we make in Firefox.  Here’s one that has been popular lately:

Q: I think you are dumb.

It is worded in a variety of ways, of course, but that’s the basic thrust.  A longer version might read:

Q: Why has Firefox started treating self-signed SSL certificates as untrustworthy?  I just want encryption, I don’t care that the cert hasn’t been signed by a certificate authority, and anyhow I don’t want to pay hundreds of dollars just to secure my communications.

There are a couple of implicit assumptions we should dispense with up front, before tackling the meat of the question, to wit:

  1. “Why has Firefox started treating…”  Firefox has been treating self-signed certificates as disconcerting for quite some time.  In Firefox 2, you would get a giant dialog box popping up asking what to do with them.  It was farcically easy to dismiss since just hitting OK would proceed to the site, and since the default was a temporary pass, not a permanent one, you saw the dialog frequently, making it even easier to ignore.  Firefox 3 has absolutely changed that flow — more on that later — but there is nothing new here.
  2. “ … I don’t want to pay hundreds of dollars …” Several CAs accepted by all major browsers sell certificates for less than $20/yr, and StartSSL, in the Firefox 3 root store, offers them for free.

Those concerns are red herrings, the real concern is in the middle:  “Why treat self-signed SSL as untrustworthy?  I just want encryption.”  Let’s explore this.

First of all, this isn’t quite right.  You never *just* want encryption, you want encryption to a particular system.  The whole reason for having encryption is that you don’t want various ill-doers doing ill with your data, so clearly you want encryption that isn’t going to those people.

“So fine, I want encryption to a particular system,” you say, “but I don’t need a CA to prove that my friend’s webmail is trustworthy.  CAs don’t even do that anyhow.  I trust him, Firefox should get out of my way.”

Yes, absolutely – the browser is your agent, and if you trust your friend’s webmail, you should be able to tell Firefox to do so as well.  But how do you know that’s who you’re talking to?

Permit me 3 short digressions…

Digression the First: Ettercap, webmitm, and friends

What if I told you that there were a group of programs out there that made it trivial, brain-dead simple, to intercept your web traffic, log it, and then pass it through without you ever noticing?  These “Man in the Middle” attacks used to be the stuff of scary security fiction, but now they are point-and-click.

If one of these is running on your network (you know, like the packet sniffers you’re protecting against with encryption in the first place) it will poison your network so that all requests go through them.  It will then transparently fetch and pass off any regular web pages without you noticing (after logging anything juicy, of course).  If you request an SSL page, it will generate its own certificate whose human readable details match the real site, same organization name, same domain name, everything, and use that to masquerade as the site in question.  The only difference is, it will be self-signed, since the tool obviously can’t get a CA signature.

Digression the Second: Drive-By Router Reconfig

Do you use one of those home cable-dsl-router/wifi-access-point thingies?  For the last couple years, security folks have gotten giggles out of finding ways to break them, and the number one thing they do is rewrite your network configuration so that your connections go to computers of their choosing.  If your router is subverted in this way, the only hint you might have is that your secure sites have all become self-signed.

Digression the Third: Kaminsky Breaks the Internet

This week I’m at the Black Hat security conference in Vegas, where it is a virtual certainty that Dan Kaminsky is going to outline an attack that lets any site on the internet pretend to be any other site on the internet.  I can pretend to be paypal.com.  You can pretend to be bankofamerica.com.  If your ISP doesn’t fix all of their servers, one aforementioned doer-of-ill can trick them into sending all of their customers to forgeries of the actual sites they seek.  They don’t even have to be on the same network anymore.  This is substantially easier than packet sniffing. The only thing that will tell you whether the sites you are visiting are real is the existence of a trusted certificate, which only the legitimate site can have.

Back to the Plot

The question isn’t whether you trust your buddy’s webmail – of course you do, your buddy’s a good guy – the question is whether that’s even his server at all.  With a CA-signed cert, we trust that it is – CAs are required to maintain third party audits of their issuing criteria, and Mozilla requires verification of domain ownership to be one of them.

With a self-signed certificate, we don’t know whether to trust it or not.  It’s not that these certificates are implicitly evil, it’s that they are implicitly untrusted – no one has vouched for them, so we ask the user.  There is language in the dialogs that talks about how legitimate banks and other public web sites shouldn’t use them, because it is in precisely those cases that we want novice users to feel some trepidation, and exercise some caution. There is a real possibility there, hopefully slim, that they are being attacked, and there is no other way for us to know.

On the other hand – if you visit a server which does have a legitimate need for a self-signed certificate, Firefox basically asks you to say “I know you don’t trust this certificate, but I do.”  You add an exception, and assuming you make it permanent, Firefox will begin trusting that specific cert to identify that specific site.  What’s more, you’ll now get the same protection as a CA signed cert – if you are attacked and someone tries to insert themselves between you and your webmail, the warning will come up again.

I don’t think the approach in Firefox 3 is perfect, I’m not sure any of us do. I have filed bugs, and talked about things I think we could do to continue to enhance our users’ security while at the same time reducing unnecessary annoyances.  You’ll notice that Firefox 3 has fewer “Warning: you are submitting a search to a search engine” dialog boxes than Firefox 2 did, and it’s because of precisely this desire.

I welcome people who want to make constructive progress towards a safer internet and a happier browsing experience. That’s what motivated this change, it’s what motivates everything we do with the browser, really.  So it sure would be nice if we didn’t start from the assumption that changes are motivated by greed, malice, or stupidity.

81 comments

  1. [...] Johnathan has a post up that talks about SSL in Firefox 3, a post that I hope will put some of those questions to rest. He talks about why we did it, what the change was and how it’s actually an improvement and brings better security to the web. It’s worth a read. [...]

  2. orlando_ombzzz

    it is OK to try to make Firefox a secure browser and help users stay away of the “bad guys” in internet

    but regarding UI dialogs, please don’t try to reinvent the wheel.. just copy what the experts ( Apple, Safari ) do

    IMHO, the 4 clicks SSL fiasco message-chain in Firefox 3 sucks.

    “because it is in precisely those cases that we want novice users to feel some trepidation, and exercise some caution.”

    i can assure you that novice users don’t understand a word of the Firefox 3 SSL messages… because it breaks a fundamental law in UI design:

    If there is a fatal error, show a “fatal error message” ( say … the Firefox 3 SSL messages as today ).

    But if there is a “SSL situation” that the user have to be informed and asked to make a decision, just : INFORM THE USER AND LET HIM DECIDE but

    in simple words
    and in a simple way ( not with 4 clicks for god sake )

    my 2 c

  3. Good stuff. Like I always tell people: security and convenience always move in opposite directions.

    The Firefox 3 self-signed cert “differences” are annoying for me because I manage about 100 HP linux servers, and we use the iLO out-of-band https interface for remote consoles, etc. HP does some random certificate generation out of the box, and because we don’t “manage” the certs on these servers like we should, they’re all self-signed, causing FF to complain on every one (initially).

    It’s really annoying when these generated certs conflict with one another, too. Then, you have to figure out which one has the same ID, etc. Painful.

    But, it goes back to our lack of managing the certs correctly. We should just be signing them all with our internal CA.

    I was certainly annoyed at first with all the clicks needed to accept a self-signed cert in FF3, but if certs are done right, it’s really not an issue.

  4. I pointed out over on Chris’ blog already, but I really like the way FF3 handles self-signed certificates. Especially if there’s a hostname mismatch. In FF2 if you hit this situation, you’d get prompted every time you went to the site. FF3 makes it possible to say “I trust this cert on this site, even if it doesn’t match” and it’ll stick. Now if you could just deal with the duplicate serial number issue that Jason mentioned (which happens a lot with network gear with embedded management utilities) you’d be all set.

  5. For a long while I would have fallen into the “I think you are dumb” category, but this entry has quelled my concerns about the new SSL protections in Firefox. Thanks for the insights.

  6. What about not being able to log into switches/routers/firewalls because they share the same certificate?

    ——————
    You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information:

    Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number.

    (Error code: sec_error_reused_issuer_and_serial)
    ——————

    I agree all these certificate changes makes the web safer, but the least you could do was to add an option (about:config) to override these blocks. I’d really like to access my firewall with FireFox again.

  7. I’ve helped dozen of users on SUMO and some others support forum about the new SSL messages. A few years ago, I worked on several SSL-related project, so I understand very well how all this worked and why.

    I have to say that the Firefox 3 way of handling them is far far better than the one in Firefox 2. Though not perfect.

    A few quick comments:
    1) Thanks to the accrued visibility of the message, dozens of people have discovered that their employers or their security suite is hijacking their SSL connection. Some proxies are using self-signed certificates other their own embedded CA, which is obviously, not trusted by default.

    This leads to two things: 1) Accrued end-user awareness (the new UI is no more “click here to make it work”) 2) Security suites builder will move to embedded CA and ask the users to install the CA as an exception (for example, Kaspersky 8).

    That’s a good thing.

    2) Numerous discovered that their system clock are badly set! This seems incredible, but about 40% of the SSL-related “problems” on SUMO was pseudo-expired/not-yet-valid certificate.

    3) A few very specific use-case (mainly hardware sysadmins) appear. The extension MitM-me help a bit (should be updated to 3.0). I do believe they should be handled in the extension realm.

    The system is not perfect, I would like to see some “tweaks”:
    A) Error messages with invalid CA or so are not precise enough. It is long to diagnose why the CA, or CA chains, failed to verify. That’s purely an UI problem;
    B) End-users messages are not enough customized: e.g. a not-yet-valid certificate error should hint the user to check its system clock. There is quite some work to be done there, even if we all know that users do not really read these message, they are too technical and too generic.
    C) Work should be done with hardware manufacturer (Linksys, …) so that they stop issuing self-signed certificate and move to an embedded CA. They should also guarantee that a specific device/CA will never issue a certificate with the same serial number.
    D) Work should be done with software manufacturer (Kaspersky, Charles, …) so that their CA-embedded in software ask the user to add their CA to to the Cert store.

    Firefox 3 way of doing is far better. Self-signing cert were already notified before, but know the user notice it. Messages are no more pop-up but clear errors messages.

    Sorry for the long post.

  8. [...] johnath says “StartSSL, in the Firefox 3 root store, offers [SSL certificates] for free“, which might have the same effect; I don’t know whether StartSSL’s root [...]

  9. The problem is that the dialogs now are so unfriendly and hard to understand – hell, I worked with large webshops with SSL at one point, and I get a headache from these things.

    I understand and applaud the thought behind it, but some usability testing would not have hurt. Just because you want people to make a conscious decision does not mean you have to confuse them and make things hard to click on. Something clearly worded, easy to read, understand, and ultimately do should not be impossible without promoting the blind click through.

  10. Søren Sandmann

    Here is another proposal.

  11. Jonathan, the basic problem with those new page is that :
    there is no reason why the strategy for bad SSL is different from the strategy for malware/fishing.

    The current screen is a failure, because what people do is start IE to access the site. I mean not just ordinay stupid users, Hixie did it !:
    http://groups.google.fr/group/mozilla.dev.tech.crypto/msg/a027dd4641e1ebbd?hl=fr

    So please, please, please, reconsider those screen to make them work, and not push the users to IE. Align them with the malware screeen. A malware site is actively attacking you, why is the solution that’s adequate for them not deemed adequate for SSL !!

  12. I like the new certificate dialogs, they are a lot better at explaining why you don’t trust a site.

    I’d like to see a slight change in the UI. If the certificate is self signed but otherwise valid (ie, correct hostname, not expired/not yet valid, and so on), and the browser has /never/ seen an SSL certificate for this hostname pop up a “This new site that you’ve never been to before claims to be , do you agree?” and perhaps display the SSL fingerprint, or some representation that is identifiable to the enduser. If you say “Yes” then the certificate is added. If you ever go back to that site and the certificate ever changes (even to regular signed cert) provide a scary warning box similar to the current one. This means that when I go to a site, I can figure out if I want to trust it, and then once I’ve trusted it I want to make sure it never changes. I don’t want to trust this certificate for antoher site, and I certainly want to have big red flashing lights if this certificate ever changes. Make self signed certs easier for people to deal with, there are lots of reasons that people want to use self signed certs (not just cost). Of course don’t make them anywhere near as nice as “proper” SSL certs :)

    Some other things, if a site doesn’t have a known certificate associated with it, and the certificate is for a different host, offer to redirect the user to the correct hostname for the cert, so long as the new hostname and the oldhostname resolve to the same IP. (eg https://example.com/ may have a cert for https://www.example.com/, the certs actually correct, and both sites are identical, but you somehow ended up at the wrong one).

  13. Frank Ch. Eigler

    Firefox 3 has absolutely changed that flow — more on that later — but there is nothing new here.

    An absolute flow change — a many-click GUI makework — is absolutely something new.

    … The only difference is, it will be self-signed, since the [MITM] tool obviously can’t get a CA signature.

    Why is that so obvious? You just said that even free certificates are easily available. How much effort do you believe it would require for MITM miscreants to automate their production?

    Doesn’t this possibility blow big holes into the rest of your argument?

  14. extracted from http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf:

    ——–
    Why can’t users get security right (revisited)
    [...]
    Security people are wierdos
    • Go directly against millennia of evolutionary conditioning
    • No normal person would ever handle a user interface the way
    that security people do
    Security people design these interfaces assuming that
    they’ll be used the way that they would use them
    • At least one user study on PKI un-usability was greeted with
    disbelief by security people
    • It couldn’t possibly be this hard to use!
    ——–

  15. @Frank Ch. Eigler: As already mentioned in the blog post, the very minimal requirements on a CA include verifying domain ownership. Nowhere does it say that getting a CA signature is easy, you have to prove to the CA that you own the domain (e.g. by uploading a file to it) – and that’s exactly what MITM tools cannot do.

    Johnathan, thank you for this nice summary. I have seen way too much non-sense spread about that change in Firefox. Despite all the misinformed complaining, the new way to deal with SSL certificates is a great improvement. E.g. I can now access the admin area of my site being certain that I am not giving away my password to a MITM – despite a self-signed certificate.

  16. I’m off to look into StartSSL (thanks to this blog post) to try to deal with this insane UI brain damage.

    You know, SSH got it right. “Hmm, haven’t seen this key before, you OK with it?” And then tell me about it if someone claiming to be the same host gives me a different key. It seems like FF3 implemented the latter, which is good. That goodness does not absolve you of truly awful UI decisions.

    The new UI is hideous. Evil. Condescending. Someone told me they had to talk their mom through it to access his personal site, including the “Legitimate sites will not ask you to do this” message. I’m guessing this person’s mother has a better idea than Mozilla developers as to whether or not he is legitimate.

    There was a bug on this, where it was said that “well, you have two undocumented about:config options to get that down to one click, so quit whining” I tried that, it’s two clicks. (still better than 4, but still too much) I probably set something wrong, but since I can’t find any documentation on the about:config options, I don’t know.

    And speaking of insulting UI design, the first time you go to about:config, you get a “You’ll void your warranty” warning. Excuse me? What *(#$#@ warranty?

    Yes, I understand that was an attempt at humor. I just think it was a poor one.

  17. Nice post Johnathan! I think you guys have done a great job on the self-signed cert interactions. Here are my 2 thoughts for the next steps.

    1. Open Source people. They are basically the only ones using self-signed certs and I think the problem needs to be attacked from a different angle than everyone counting the number of clicks before an exception. Perhaps it is time to work on the cert installation methods and educating people about how to post up their certificate for FF to install such that they can avoid this road block. Not sure what the exact steps are here, but you can’t keep waging war on the current system or it will erode as you point out it is helping people for a reason.

    2. Compromised routers and other evils. Is it possible to start detecting these things? If a persons router is compromised and we just block them from using Firefox properly they’re going to load up IE and start using that. I don’t have a clue how to start going about this problem, but I think the broader scope is to help people use a secure internet by informing them of a busted router and helping them fix it.

  18. [...] Blizzard posts in favor of the new arrangement, and points to an interesting post by Johnathan Nightingale explaining Mozilla’s position. Yes, agreed, Jonathan’s post is a good read, but the [...]

  19. It sounds like the main argument for the new UI is that self-signed SSL certificates provide little security over not using them in the first place. I generally agree with this argument.

    If this is the case, Firefox should simply use the same UI for self-signed certs as it uses for non-SSL pages. If the user decides that they want to add an exception for the self-signed certificate, they can do so and then firefox could then use UI indicating that the site is secure until the cert changes.

    The downside to this approach is that a man-in-the-middle attack described in the post would cause all SSL websites to look insecure without displaying the big warning message. However, this is not much of a problem: Users MUST be paying attention to that anyway if they want to securely use things like banking websites.

    To me, the current behavior very annoying as I have to add an exception for the self-signed certificate even when I’m visiting a site (which I may not visit again) where I don’t really care about security in the first place. It simply seems wrong to me to force the user to do nothing to visit a non-SSL page, but to have to do more work to visit a site that has a self-signed SSL cert that is just as unsecure.

  20. Zandr and Scott, please see http://robert.accettura.com/blog/2008/07/19/unobstructed-https/#comment-386085 for why the SSH model or UI downgrades don’t really work for the Web.

  21. I personally think that overall FF3 went a good direction regarding SSL certs, but obviously even hardcore techies see the need for working with self-signed certificates[1]. I think a minor change would greatly improve the usefulness and eliminate a lot of blathering.

    Browsing around the internet for tech support at various sites will often times end up at an archive site that have self-signed certificates (why I don’t know). I don’t want to add an exception for the site, I haven’t even looked at it! (and frankly don’t think it should be encrypted anyways, but thats not the pt). This lack of ability to look at the site before adding an exception can be a bit of a pain. But you say I should never look at it without agreeing to its insecure? This would be true if I was actually doing anything with the site aside from looking at it. I can only temporarily add the exception and come back and repeat the annoying steps again to permanently add it if I feel its necessary later? Yeah… no thanks.. to much pita.

    Basically I think that on the self-signed page there should be a small link on the page saying “I realize it might be stupid but let me see it anyways just this once” or whatever phrase is best. Then when you get to the site you now have the ability to click on the site identity button (where the fav-icon is) and then tell it to add an exception for the site. And yes, I realize that this series of steps actually adds more if you want to add the exception after you’ve clicked on the temporary allow, but prevents extraneous additions of exceptions, removes some annoyance, and probably a few more.

    Would it even be so wrong for this to be an enable able option in about:config? Even throw a quick “are you sure” up if you must when its clicked, its still significantly easier for common occurrences.

    [1] Yes i realize MITM attacks are trivial, but as the man above mentioned, sometimes you have scenarios like iLO, and in scenarios like mine, you don’t always have the access/ability to push those admins to install certs.

  22. Someone I know complaining about this had Kaspersky Antivirus rewriting his SSL certificates on the fly. Apparently it is a feature Kaspersky recommend you disable (select * from antiVirusVendors where clue is not NULL and clue > 0 ; zero lines returned).

    He is a relatively intelligent programmer with years of IT background. Clearly the right thing to do here is to hard fail “Certificate untrustworthy”, and allow people to use the config editor to add an exception if they really need to. Allowing them to click through is just inviting loss of bank details.

    Dan’s talk at blackhat spent a lot of time pointing out most web programmers don’t understand SSL implementation stuff fully (myself included), so how the hell are end users suppose to understand the implications?

    I’m off to check out StartSSL.

  23. Whilst I understand the motives for a warning which is harder to dismiss without reading, it strikes me that to a certain degree the idea of requiring a third party CA is not always appropriate. What’s required is some way to verify a server’s identity via a source other than the server. Does this need to be a CA? Could a possible solution be to utilise the SSHFP DNS record for the domain?

    I have recently discussed this idea in my Free Software Magazine column and a colleague of yours pointed me at this blog. I’d appreciate your comments – even if it is to say why it’s unworkable.

    thanks
    Ryan

  24. It’s not like using your own CA is easy either – due to the braindeadness of NSS the list of CAs is hardcoded in a file, necessitating a recompile to install a CA for all users of an application, or installation in each user’s profile individually. And there’s no computer-wide CA repository either, so you have to recompile both Thunderbird and Firefox – double fail.

  25. While I do understand your points and mostly welcome them, arguments such as “you never *just* want encryption” are a little akward in the new phase of the internet.

    PS. I am writing from one Nordic country and my traffic passess through Sweden, which now implements a sweeping wiretap for all cross-border traffic.

  26. A major part of the problem as I see it is that the new dialog seems to firmly insist that a self-signed certificate means Evil Hacker Site Trying To Steal Your Precious, which is not only unhelpful (causing less technically inclined and/or patient users to end up not using encryption or to go back to IE or other browsers) but downright insulting.
    This overlaps directly with what I see as the other major part of the problem – Firefox is insisting that a server owner can’t possibly encrypt their traffic without asking a third party for help. It’s not really “free” software if you need someone else’s permission to use it, regardless of how much money (even if it’s “gratis”) the “someone else” charges for the service of claiming to know you. It takes a big dump all over a fundamental principle of “libre” software and is all the more jarring coming from Mozilla Firefox, of all things.

    “Users” of the internet (as opposed to mere “consumers”) are much more likely to be interested in the encryption than in the claim by a third party that they are familiar with the site being connected to (see #25 above, for example). “Consumers” will still want to be reassured that someone gave Verisign® some money to claim to know who they are when they hand over their credit card information to buy things over the internet, but the internet goes way beyond that kind of thing.

    In Summary: Mozilla Firefox should not punish people for using their servers outside the boundaries of the “consumer internet”.

  27. Johnny Michaels

    Why does Firefox treat sending data through the web insecurely as “better” than sending it with an unsigned certificate? Surely the correct solution is for FireFox to treat unsigned certs as though it’s not secure at all (e.g. don’t provide warning messages but don’t pretend it is either)?

  28. Johnny Michaels

    The other major problem is that Firefox’s warning screen is scary and almost impossible to understand. What happens is you get a scary looking screen saying:

    “Secure connection failed
    uses an invalid security certificate.

    The certificate is not trusted because the issuer certificate is not trusted.

    (Error code: sec_error_untrusted_issuer)”

    Notice how this doesn’t actually explain the situation to the user, and deliberately muddies the waters (since the “security certificate” isn’t invalid at all). It doesn’t even mention the word “authentication” or explains what this means. It even states a lie – that it uses an “invalid certificate”. This is /confusing/ for the user and doesn’t help them understand the issue at hand at all. This is a UI disaster.

    I’m very interested to hear why you think that:
    * Why you think that an insecure certificate is worse than no security
    * Telling outright lies to the user is a good idea from a security point of view
    * How you expect the user to understand the security issue at hand based on Firefox 3′s completely inadequate explanation
    * Why the FireFox team has decided the correct solution is “LALALA I’M NOT LISTENING TO YOU” for anything that can’t easily be represented by a poorly drawn icon of a man in an ambiguous colour or a padlock.

    All of those complete mystify me.

  29. “[...]anything that can’t easily be represented by a poorly drawn icon of a man in an ambiguous colour or a padlock.”
    Maybe that’s a huge part of the problem right there – SSL “certificates” seem to be dealing with two different problems. The happy little green padlock icon is supposed to reassure us of two completely different things. To oversimplify a bit:
    1) “Nobody where you are or between where you are and the server at the other end can see what you’re doing”
    2) “Whoever is at the other end is probably not trying to rob you with a fake website/mail server/whatever”

    This ought to perhaps be TWO little icons: one representing that the link is encrypted, and a second representing that the other end has gotten an “approved” corporate entity to claim to know them. The latter icon ought to have THREE states: “invalid” (the certificate is signed incorrectly), “valid” (Verisign® or someone claims to know them), and “unverified” (correctly self-signed).

    Firefox 3′s UI conflates all of this into one “self-signed BAD!” obstacle course.

  30. Epicanis: That’s exactly what EVSSL certs were supposed to deal with. That’s the difference between the blue and green behind the site icon in the URL bar now. Blue and green (as opposed to gray) both mean that the site is encrypted. Green (and the company name) means that a certificate authority has validated that the company that owns the domain is who they say they are.

    Although perhaps what you’re saying is Firefox should just set up a third color for self-signed certs and not throw a warning… problem is, *someone* has to agree that the site is trusted. In the case of a self-signed cert, that someone would have to be you. The age-old question of course, is how to get that trust decision from the end user a) in a way that doesn’t scare them away, and b) in a way that still gives them enough information to decide if it’s someone trying to hack them. Trying to do both of those at once is hard.

  31. One real problem we have in that area IMHO, is that we still don’t have CAcert in our root store, mainly because our requirements for adding a root cert are hard to fulfill for an open non-profit organization (i.e. someone who has the same philosophy as Mozilla itself), even though they are working on it… See https://bugzilla.mozilla.org/show_bug.cgi?id=215243 for one part of additional information, but I’ve spoken with people from CAcert and the bug only tells a part of the story.

  32. “EVSSL” isn’t really relevant here. The “extra” validated-by-a-trusted-Certificate-Authority SSL certificates vs. “regular” validated-by-a-trusted-Certificate-Authority aren’t the issue. As someone else pointed out, it’s odd to treat unauthenticated but encrypted links as somehow less secure than completely unencrypted links (plus the new interface – AND these posts defending it! – seems to be suggesting that unauthenticated “self-signed” certificates are the work of nefarious evildoers intent on criminal activity. This presumably makes the large number of people using self-signed certificates for benign purposes feel slightly offended…). As I posted elsewhere: “Mozilla now says that a certificate you sign yourself is the same as a certificate signed by “Russian Guyovitch’s Phishing and 419 Scam Emporium”, and is quite insistent about it”.

    The same Nefarious Evildoers could just set up an unencrypted site. A few people might notice that the Green Lock Icon of Peace is not appearing on the browser, but not everyone. Or will there be a “Invalid Certificate: site uses no encryption certificate at all. Click several times to add an exception to allow this site to load” dialog in a future version of Firefox? Since an unauthenticated (again – not “invalid”) site is not less secure than the completely un-certified sites that make up the bulk of the internet, why make them appear to be much worse?

    As #27 suggests (and I meant to expand upon with my icon suggestion), perhaps firefox should treat the “security” of all unauthenticated sites the same, regardless of whether they are encrypted. What I was suggesting is the use of two icons to indicate the two things (authentication and encryption) that SSL deals with separately: encrypted links to sites that are authenticated by “trusted” certificate authorities get both a happy green padlock icon AND a “safe from eavesdropping” icon. Correctly self-signed certificates and/or certificates from unrecognized certificate authorities get the “safe from eavesdropping” one but a “Like, Dude, Something went wrong” Red Broken Padlock of Warning (clicking on which would bring up the “register an exception for this certificate” dialogue). Unencrypted links get neither. Save the “invalid certificate” popup for certificates that really are “invalid” (i.e. incorrect signature or otherwise genuinely broken).

    It might be worth saying that this isn’t actually a real personal hassle for me or anything. I don’t think I’ve run into more than two sites where this came up in the months I’ve been using Firefox 3. Other than this one issue Firefox 3 has been great and is my preferred browser. I’m not really worried about the price of certificate services, either. I’m just genuinely disturbed to see Mozilla appearing to attack “do it yourself” use of encryption so harshly, particularly the implication that do-it-yourself encryption is “invalid”. The continued claims that it’s more important to scare consumers away from sites that might possibly maybe be out to get them than to promote “free and open” use (rather than “Yeah, I guess we’ve gone a little overboard, we’re working on coming up with a less melodramatic and more accurate behavior for future versions”) finally disturbed me enough to start commenting on it.

  33. (Oops, that ending was a bit incoherent – I had intended insert a reference to posts like this one insistently reiterating the “save the consumer” viewpoint prior to the “rather than…” in that last sentence. Sorry about that.)

  34. “This is a UI disaster.”

    actually, FF3 SSL message is the closest thing to a BSOD that i saw in UI “science”: completely techno-blah-blah to the novice user.

    Compare it with IE7 message and Safari message.

    Hire some UI experts please!!!! and stop to play the security super-heroes!

    PS: typing this in FF3 (i love this browser and open source, but i want to make clear what i think are bad decisions )

  35. I don’t judge what motivated the change. I doubt it makes it for a safer internet experience, and definitely not for a safer one. Warning, even about self-signed certificates, are OK for me. But putting half a dozen roadblocks that I have to click away is too much. It is not so much the treatment of the certificates that bothers me as it is the user interface – it trains the user to blindly click six times instead of two. It waters down the user’s attention. There should be a single warning page, with all the information on that page. Highlight in red orange and yellow the critical bits so that the user can make an informed decision. Make sure the user knows it is a critical decision. But don’t hypnotize the user to a series of empty clicks – he won’t know to make the difference between a really serious warning and just an obnoxious one, as this which I got when trying to access Yahoo today.

  36. You never *just* want encryption, you want encryption to a particular system.

    Exactly. That is why FF should accept the self signed certificate exactly like a trusted CA signed one, but Cry Out Loud if that cert changes the second time the user visits the site. Sometimes it is enough to know that the site you are connected to the second time, is the same you created an account on the first time. IMHO there is no need to force all those steps on a user that wants to accept a SS certificate.

  37. [...] itself seems aware of.  Jonathan Nightingale, who works with usability and security at Mozilla, had this to say in his blog in regards to how Firefox 3 handles SSL [...]

  38. [...] August 20, 2008 Johnathan Nightingale recently addressed a very common question, namely why Firefox doesn’t automatically accept self-signed SSL certificates as being valid. I don’t have much to add to Johnathan’s discussion of the issues with self-signed [...]

  39. [...] ‘bad’) certificates. Johnathan Nightingale (of Mozilla) posted a Q&A on the issue here, explaining very well why Firefox behaves this [...]

  40. This is bad on so many levels. It completely ignores all the legitimate uses of encrypted connections in circumstances where a valid SSL cert is impossible to obtain. In particular any appliance scenario where the administration needs to be encrypted but getting a CA signed cert is impossible because the IP is not known in advance. Because there is simply no other way to setup an encrypted session, it forces appliance vendors to be LESS secure because the user experience as it stands is so hostile as to be completely unacceptable. For protecting your bank it might work, but SSL is used all over the place for simple encryption and this leaves no good option for dealing with it in a way that doesn’t scare your users away from the product.

  41. [...] officials directed inquires on the certificate topic to a blog penned by Mozilla developer Jonathan Nightingale, who wrote that one reason for the changes is that [...]

  42. “IMHO, the 4 clicks SSL fiasco message-chain in Firefox 3 sucks.”

    Seconded, I suppose there was some privacy czar who forced this non-sequitur into the product. 99.99999% of all cases are false positives because https is used for privacy and not authentication. (There are dozens of sites in our intranet I had to add). Security is nice and all but this is really the only FF3 “feature” that really sucks. And even if you do it in that way LET ME WAVE IT WITH ONE CLICK DAMMIT. And give me an option to disable this stupid feature. (Is there one please?)

  43. This argument makes no sense, essentially. If there’s a mitm capable of spoofing a remote site, he’ll not change the cert to a self-signed cert, but simply remove the cert entirely. Self-signed certs are at worst no worse than plain http – yet they do provide real security improvement when a network is trusted but the users are not (which is frequently the case).

    If firefox’s dramatic warnings were about security, a better heuristic would be to cache security certs and warn when they’re unexpectedly changed, not freak out even on an innocent https connection. This isn’t a simple problem, and pretending that everything less than full-blown SSL is horrible is simply scare-mongering.

  44. In my eyes, the main problem with the way Firefox 3 handles self-signed SSL certificates is that it treats sites with self-signed certificates as “scarier” than sites without encryption at all. In the best case, a self-signed certificate is indicative of a legitimate site that wants to protect user privacy; in the worse case, it’s just like an unencrypted connection. So why does Firefox 3 attempt to scare users away from sites with self-signed certificates while giving no warning for sites without encryption at all?

  45. “You never *just* want encryption, you want encryption to a particular system.”

    That’s bovine fecal matter.

    Self-signed ssl gives you encryption, which is an improvement over plain-text http. But for some reason you have decided to make it a lot scarier and harder to use than plaintext. There are lots of eavesdroppers out there (take the ruckus in Sweden over their wiretapping law, for example), and by making as much traffic as possible encrypted by default you make eavesdropping (1) a lot more expensive and (2) detectable.

    Self-signed should not give you the nice pretty green address bar or the padlock, but it is an improvement over plaintext so it is bass ackwards to make it easier to use http than https.

  46. (this comment may be garbage)
    I’m no expert in SSL. This is how I understand the challenge:
    Self-signed certificates can be intercepted multiple times between you and the host. The fingerprint you get for the connection is not verified by anyone and so encryption may only be superficial, as the attacker between you and the host will decode the transmission, log, and re-encrypt with another certificate before sending the package on toward the host.

    So self-signed certificates only provide security if the fingerprint is verified against the certificate of the host you’re communicating with. (Manually.) How many of you have ever verified a certificates fingerprint?

    Regarding the error page Firefox uses for invalid SSL:
    I think the UI is on the right track, but the information presented in the page sucks. Information from this blogpost would go a long way in explaining the issue so that humans with no knowledge of SSL can have a chance at understand it. (Hats off to the writer of this blogpost.)

    It’s also erroneous (wrong) to treat self-signed SSL-certificates as less secure than standard unencrypted http. (Hey, at least only the server and the attacker(s) in the middle can read your traffic.)

    Peace.

  47. I think it is really dumb to make people suffer to such an extent, just for the sake of “security”.

    You are same people who bitch about Microsoft building UAC in Vista, when you are doing exactly same annoying shit.

    Go get a life. While you are at it maybe you would want to start a crusade on how the door locks at most people’s home aren’t really safe! That is a damn bigger problem than someone hijacking password to your email or porn site. I am sure you will find more people to annoy that way.

  48. Hi

    I have got site for me and few other people. I wanted it to be safer, so I generated ssl certificate and keys for everyone. In firefox 2 everything was working fine, but in Firefox 3 we are getting message “please select certificate” with information about imported key. Why ? Is there a way to tell firefox that this key is ok ? This is very annoying, because my page is checking some webpages every minute and I get this “alert message” non-stop.

  49. Спасибо. Прочитал с интересом, и вообще полезный у Вас блог

  50. Спасибо за статью, всегда рад почитать вас!