Comments on: SSL Error Pages in Firefox 3.1

By: Johnath

Johnath — Wed, 26 Nov 2008 11:42:53 +0000

Hey John,

It’s not a safe practice in general, which is why I don’t particularly try to promote it, but there is an addon that might help in your situation:

https://addons.mozilla.org/en-US/firefox/addon/6843

It adds the exceptions without showing the dialog, and lets you specify whether they are temporary or permanent. It is an attack waiting to happen (hence the name) but in some circumstances, maybe you’re okay with that?

By: John Caruso

John Caruso — Wed, 26 Nov 2008 06:18:00 +0000

I understand the logic behind making permanent exceptions the default, but it would be very useful to have an option to allow expert users to change the default to temporary. When you deal with scads of devices that you fully expect will produce exceptions (i.e. SSL-enabled devices on a firewalled LAN) and you’d rather not make those exceptions permanent, the Firefox dialogs are a major pain.

More generally, I appreciate the emphasis on protecting naive users, but it’d be nice if Firefox provided a way for expert users to get their work done with minimal hassles. It sounds like 3.1 will get a little closer to that, which is good.

By: Almorca

Almorca — Sat, 08 Nov 2008 23:09:14 +0000

Near the button “Get me out of here!” I will put another button to continue the navigation with the text “Continue navigation” or “See page” or something similar.

By: Arthur

Arthur — Fri, 07 Nov 2008 08:37:55 +0000

I’ve used the new SSL error page “in real world” this week several times. It works very well for me.

A question: You write that “Get Certificate” is gone, I still see it in recent nightlies. Isn’t that checked in yet? Will it show the certificates hash by default (I always know a few bytes of it and don’t bother to check more than those, still secure enough for me)? Now I still have to click “View…”.

By: Anon

Anon — Fri, 07 Nov 2008 08:35:24 +0000

The text “if you usually connect to this site without a problem” seems to beg another improvement: why not have the browser keep track of what certificates have been seen at what sites? Then the browser could be a bit more assertive with the message. The privacy issues should be handled like any other history mechanisms.

By: Daniel Einspanjer

Daniel Einspanjer — Fri, 07 Nov 2008 00:57:16 +0000

Anders,

I’m sorry, but I feel that you have gotten the issue between identity and encryption confused here. It doesn’t matter if all the developer wants to do with a self signed cert is ensure that the connection is encrypted. If the browser and the user don’t take steps to ensure that the self-signed certificate delivered to the user did, in fact, come from the authentic site (e.g. the identity) then it is not effectively encrypted because there are too many push button man in the middle attacks that can replace an ssl cert with a fabricated self-signed one.

Just pretending that a self-signed cert is exactly the same as a plain non-secure site would be a great disservice to the many many sites relying on them. I want my e-mail traffic protected by SSL. I need to be told if something suspicious has happened to my certificate. I don’t want people to feel they can’t do business with a site that doesn’t fork over money for a premium certificate. If they have no capability to see that the connection can be considered secure as long as appropriate precautions are taken then that will be a failure.

By: Axel Hecht

Axel Hecht — Thu, 06 Nov 2008 21:10:27 +0000

I wonder what kind of tests this comes with? If we could have, say, a litmus test explaining how to expose the variants of this dialog exhaustively, that’d help l10n a lot.

By: Anders Conbere

Anders Conbere — Thu, 06 Nov 2008 21:07:38 +0000

I think you’re wrong about hiding self signed errors. The reality is that when developers use a self signed cert they are making a very different claim about identity than one that uses a root CA. In fact using a self signed cert makes almost no claims other than that your connection will be encrypted.

If that’s the case then why even tell users anything about ssl connections using self signed certs, in terms of the safety it provides it’s just like using a non-secure connection, so let them know that.

By: Daniel Einspanjer

Daniel Einspanjer — Thu, 06 Nov 2008 19:44:11 +0000

This is really great, and I hope that it will help educate some people out there who were wondering what we were up to.

Do we have a different content page if the certificate has changed vs not being seen before?

I know that I typically nearly blindly type “yes” into SSH the first time that I connect to a server from a new machine, but I always pay very careful attention to the scary message that comes up if the cached signature is different from the one currently being offered by the SSH server.