SSL Question Corner

From time to time, in the blogosphere or mailing lists, I will get questions about various security decisions we make in Firefox.  Here’s one that has been popular lately:

Q: I think you are dumb.

It is worded in a variety of ways, of course, but that’s the basic thrust.  A longer version might read:

Q: Why has Firefox started treating self-signed SSL certificates as untrustworthy?  I just want encryption, I don’t care that the cert hasn’t been signed by a certificate authority, and anyhow I don’t want to pay hundreds of dollars just to secure my communications.

There are a couple of implicit assumptions we should dispense with up front, before tackling the meat of the question, to wit:

  1. “Why has Firefox started treating…”  Firefox has been treating self-signed certificates as disconcerting for quite some time.  In Firefox 2, you would get a giant dialog box popping up asking what to do with them.  It was farcically easy to dismiss since just hitting OK would proceed to the site, and since the default was a temporary pass, not a permanent one, you saw the dialog frequently, making it even easier to ignore.  Firefox 3 has absolutely changed that flow — more on that later — but there is nothing new here.
  2. “ … I don’t want to pay hundreds of dollars …” Several CAs accepted by all major browsers sell certificates for less than $20/yr, and StartSSL, in the Firefox 3 root store, offers them for free.

Those concerns are red herrings, the real concern is in the middle:  “Why treat self-signed SSL as untrustworthy?  I just want encryption.”  Let’s explore this.

First of all, this isn’t quite right.  You never *just* want encryption, you want encryption to a particular system.  The whole reason for having encryption is that you don’t want various ill-doers doing ill with your data, so clearly you want encryption that isn’t going to those people.

“So fine, I want encryption to a particular system,” you say, “but I don’t need a CA to prove that my friend’s webmail is trustworthy.  CAs don’t even do that anyhow.  I trust him, Firefox should get out of my way.”

Yes, absolutely – the browser is your agent, and if you trust your friend’s webmail, you should be able to tell Firefox to do so as well.  But how do you know that’s who you’re talking to?

Permit me 3 short digressions…

Digression the First: Ettercap, webmitm, and friends

What if I told you that there were a group of programs out there that made it trivial, brain-dead simple, to intercept your web traffic, log it, and then pass it through without you ever noticing?  These “Man in the Middle” attacks used to be the stuff of scary security fiction, but now they are point-and-click.

If one of these is running on your network (you know, like the packet sniffers you’re protecting against with encryption in the first place) it will poison your network so that all requests go through them.  It will then transparently fetch and pass off any regular web pages without you noticing (after logging anything juicy, of course).  If you request an SSL page, it will generate its own certificate whose human readable details match the real site, same organization name, same domain name, everything, and use that to masquerade as the site in question.  The only difference is, it will be self-signed, since the tool obviously can’t get a CA signature.

Digression the Second: Drive-By Router Reconfig

Do you use one of those home cable-dsl-router/wifi-access-point thingies?  For the last couple years, security folks have gotten giggles out of finding ways to break them, and the number one thing they do is rewrite your network configuration so that your connections go to computers of their choosing.  If your router is subverted in this way, the only hint you might have is that your secure sites have all become self-signed.

Digression the Third: Kaminsky Breaks the Internet

This week I’m at the Black Hat security conference in Vegas, where it is a virtual certainty that Dan Kaminsky is going to outline an attack that lets any site on the internet pretend to be any other site on the internet.  I can pretend to be paypal.com.  You can pretend to be bankofamerica.com.  If your ISP doesn’t fix all of their servers, one aforementioned doer-of-ill can trick them into sending all of their customers to forgeries of the actual sites they seek.  They don’t even have to be on the same network anymore.  This is substantially easier than packet sniffing. The only thing that will tell you whether the sites you are visiting are real is the existence of a trusted certificate, which only the legitimate site can have.

Back to the Plot

The question isn’t whether you trust your buddy’s webmail – of course you do, your buddy’s a good guy – the question is whether that’s even his server at all.  With a CA-signed cert, we trust that it is – CAs are required to maintain third party audits of their issuing criteria, and Mozilla requires verification of domain ownership to be one of them.

With a self-signed certificate, we don’t know whether to trust it or not.  It’s not that these certificates are implicitly evil, it’s that they are implicitly untrusted – no one has vouched for them, so we ask the user.  There is language in the dialogs that talks about how legitimate banks and other public web sites shouldn’t use them, because it is in precisely those cases that we want novice users to feel some trepidation, and exercise some caution. There is a real possibility there, hopefully slim, that they are being attacked, and there is no other way for us to know.

On the other hand – if you visit a server which does have a legitimate need for a self-signed certificate, Firefox basically asks you to say “I know you don’t trust this certificate, but I do.”  You add an exception, and assuming you make it permanent, Firefox will begin trusting that specific cert to identify that specific site.  What’s more, you’ll now get the same protection as a CA signed cert – if you are attacked and someone tries to insert themselves between you and your webmail, the warning will come up again.

I don’t think the approach in Firefox 3 is perfect, I’m not sure any of us do. I have filed bugs, and talked about things I think we could do to continue to enhance our users’ security while at the same time reducing unnecessary annoyances.  You’ll notice that Firefox 3 has fewer “Warning: you are submitting a search to a search engine” dialog boxes than Firefox 2 did, and it’s because of precisely this desire.

I welcome people who want to make constructive progress towards a safer internet and a happier browsing experience. That’s what motivated this change, it’s what motivates everything we do with the browser, really.  So it sure would be nice if we didn’t start from the assumption that changes are motivated by greed, malice, or stupidity.

81 thoughts on “SSL Question Corner

  1. it is OK to try to make Firefox a secure browser and help users stay away of the “bad guys” in internet

    but regarding UI dialogs, please don’t try to reinvent the wheel.. just copy what the experts ( Apple, Safari ) do

    IMHO, the 4 clicks SSL fiasco message-chain in Firefox 3 sucks.

    “because it is in precisely those cases that we want novice users to feel some trepidation, and exercise some caution.”

    i can assure you that novice users don’t understand a word of the Firefox 3 SSL messages… because it breaks a fundamental law in UI design:

    If there is a fatal error, show a “fatal error message” ( say … the Firefox 3 SSL messages as today ).

    But if there is a “SSL situation” that the user have to be informed and asked to make a decision, just : INFORM THE USER AND LET HIM DECIDE but

    in simple words
    and in a simple way ( not with 4 clicks for god sake )

    my 2 c

  2. Good stuff. Like I always tell people: security and convenience always move in opposite directions.

    The Firefox 3 self-signed cert “differences” are annoying for me because I manage about 100 HP linux servers, and we use the iLO out-of-band https interface for remote consoles, etc. HP does some random certificate generation out of the box, and because we don’t “manage” the certs on these servers like we should, they’re all self-signed, causing FF to complain on every one (initially).

    It’s really annoying when these generated certs conflict with one another, too. Then, you have to figure out which one has the same ID, etc. Painful.

    But, it goes back to our lack of managing the certs correctly. We should just be signing them all with our internal CA.

    I was certainly annoyed at first with all the clicks needed to accept a self-signed cert in FF3, but if certs are done right, it’s really not an issue.

  3. I pointed out over on Chris’ blog already, but I really like the way FF3 handles self-signed certificates. Especially if there’s a hostname mismatch. In FF2 if you hit this situation, you’d get prompted every time you went to the site. FF3 makes it possible to say “I trust this cert on this site, even if it doesn’t match” and it’ll stick. Now if you could just deal with the duplicate serial number issue that Jason mentioned (which happens a lot with network gear with embedded management utilities) you’d be all set.

  4. For a long while I would have fallen into the “I think you are dumb” category, but this entry has quelled my concerns about the new SSL protections in Firefox. Thanks for the insights.

  5. What about not being able to log into switches/routers/firewalls because they share the same certificate?

    You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information:

    Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number.

    (Error code: sec_error_reused_issuer_and_serial)

    I agree all these certificate changes makes the web safer, but the least you could do was to add an option (about:config) to override these blocks. I’d really like to access my firewall with FireFox again.

  6. I’ve helped dozen of users on SUMO and some others support forum about the new SSL messages. A few years ago, I worked on several SSL-related project, so I understand very well how all this worked and why.

    I have to say that the Firefox 3 way of handling them is far far better than the one in Firefox 2. Though not perfect.

    A few quick comments:
    1) Thanks to the accrued visibility of the message, dozens of people have discovered that their employers or their security suite is hijacking their SSL connection. Some proxies are using self-signed certificates other their own embedded CA, which is obviously, not trusted by default.

    This leads to two things: 1) Accrued end-user awareness (the new UI is no more “click here to make it work”) 2) Security suites builder will move to embedded CA and ask the users to install the CA as an exception (for example, Kaspersky 8).

    That’s a good thing.

    2) Numerous discovered that their system clock are badly set! This seems incredible, but about 40% of the SSL-related “problems” on SUMO was pseudo-expired/not-yet-valid certificate.

    3) A few very specific use-case (mainly hardware sysadmins) appear. The extension MitM-me help a bit (should be updated to 3.0). I do believe they should be handled in the extension realm.

    The system is not perfect, I would like to see some “tweaks”:
    A) Error messages with invalid CA or so are not precise enough. It is long to diagnose why the CA, or CA chains, failed to verify. That’s purely an UI problem;
    B) End-users messages are not enough customized: e.g. a not-yet-valid certificate error should hint the user to check its system clock. There is quite some work to be done there, even if we all know that users do not really read these message, they are too technical and too generic.
    C) Work should be done with hardware manufacturer (Linksys, …) so that they stop issuing self-signed certificate and move to an embedded CA. They should also guarantee that a specific device/CA will never issue a certificate with the same serial number.
    D) Work should be done with software manufacturer (Kaspersky, Charles, …) so that their CA-embedded in software ask the user to add their CA to to the Cert store.

    Firefox 3 way of doing is far better. Self-signing cert were already notified before, but know the user notice it. Messages are no more pop-up but clear errors messages.

    Sorry for the long post.

  7. The problem is that the dialogs now are so unfriendly and hard to understand – hell, I worked with large webshops with SSL at one point, and I get a headache from these things.

    I understand and applaud the thought behind it, but some usability testing would not have hurt. Just because you want people to make a conscious decision does not mean you have to confuse them and make things hard to click on. Something clearly worded, easy to read, understand, and ultimately do should not be impossible without promoting the blind click through.

  8. Jonathan, the basic problem with those new page is that :
    there is no reason why the strategy for bad SSL is different from the strategy for malware/fishing.

    The current screen is a failure, because what people do is start IE to access the site. I mean not just ordinay stupid users, Hixie did it !:
    http://groups.google.fr/group/mozilla.dev.tech.crypto/msg/a027dd4641e1ebbd?hl=fr

    So please, please, please, reconsider those screen to make them work, and not push the users to IE. Align them with the malware screeen. A malware site is actively attacking you, why is the solution that’s adequate for them not deemed adequate for SSL !!

  9. I like the new certificate dialogs, they are a lot better at explaining why you don’t trust a site.

    I’d like to see a slight change in the UI. If the certificate is self signed but otherwise valid (ie, correct hostname, not expired/not yet valid, and so on), and the browser has /never/ seen an SSL certificate for this hostname pop up a “This new site that you’ve never been to before claims to be , do you agree?” and perhaps display the SSL fingerprint, or some representation that is identifiable to the enduser. If you say “Yes” then the certificate is added. If you ever go back to that site and the certificate ever changes (even to regular signed cert) provide a scary warning box similar to the current one. This means that when I go to a site, I can figure out if I want to trust it, and then once I’ve trusted it I want to make sure it never changes. I don’t want to trust this certificate for antoher site, and I certainly want to have big red flashing lights if this certificate ever changes. Make self signed certs easier for people to deal with, there are lots of reasons that people want to use self signed certs (not just cost). Of course don’t make them anywhere near as nice as “proper” SSL certs 🙂

    Some other things, if a site doesn’t have a known certificate associated with it, and the certificate is for a different host, offer to redirect the user to the correct hostname for the cert, so long as the new hostname and the oldhostname resolve to the same IP. (eg https://example.com/ may have a cert for https://www.example.com/, the certs actually correct, and both sites are identical, but you somehow ended up at the wrong one).

  10. Firefox 3 has absolutely changed that flow — more on that later — but there is nothing new here.

    An absolute flow change — a many-click GUI makework — is absolutely something new.

    … The only difference is, it will be self-signed, since the [MITM] tool obviously can’t get a CA signature.

    Why is that so obvious? You just said that even free certificates are easily available. How much effort do you believe it would require for MITM miscreants to automate their production?

    Doesn’t this possibility blow big holes into the rest of your argument?

  11. extracted from http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf:

    Why can’t users get security right (revisited)
    […]
    Security people are wierdos
    • Go directly against millennia of evolutionary conditioning
    • No normal person would ever handle a user interface the way
    that security people do
    Security people design these interfaces assuming that
    they’ll be used the way that they would use them
    • At least one user study on PKI un-usability was greeted with
    disbelief by security people

    • It couldn’t possibly be this hard to use!

  12. @Frank Ch. Eigler: As already mentioned in the blog post, the very minimal requirements on a CA include verifying domain ownership. Nowhere does it say that getting a CA signature is easy, you have to prove to the CA that you own the domain (e.g. by uploading a file to it) – and that’s exactly what MITM tools cannot do.

    Johnathan, thank you for this nice summary. I have seen way too much non-sense spread about that change in Firefox. Despite all the misinformed complaining, the new way to deal with SSL certificates is a great improvement. E.g. I can now access the admin area of my site being certain that I am not giving away my password to a MITM – despite a self-signed certificate.

  13. I’m off to look into StartSSL (thanks to this blog post) to try to deal with this insane UI brain damage.

    You know, SSH got it right. “Hmm, haven’t seen this key before, you OK with it?” And then tell me about it if someone claiming to be the same host gives me a different key. It seems like FF3 implemented the latter, which is good. That goodness does not absolve you of truly awful UI decisions.

    The new UI is hideous. Evil. Condescending. Someone told me they had to talk their mom through it to access his personal site, including the “Legitimate sites will not ask you to do this” message. I’m guessing this person’s mother has a better idea than Mozilla developers as to whether or not he is legitimate.

    There was a bug on this, where it was said that “well, you have two undocumented about:config options to get that down to one click, so quit whining” I tried that, it’s two clicks. (still better than 4, but still too much) I probably set something wrong, but since I can’t find any documentation on the about:config options, I don’t know.

    And speaking of insulting UI design, the first time you go to about:config, you get a “You’ll void your warranty” warning. Excuse me? What *(#$#@ warranty?

    Yes, I understand that was an attempt at humor. I just think it was a poor one.

  14. Nice post Johnathan! I think you guys have done a great job on the self-signed cert interactions. Here are my 2 thoughts for the next steps.

    Open Source people. They are basically the only ones using self-signed certs and I think the problem needs to be attacked from a different angle than everyone counting the number of clicks before an exception. Perhaps it is time to work on the cert installation methods and educating people about how to post up their certificate for FF to install such that they can avoid this road block. Not sure what the exact steps are here, but you can’t keep waging war on the current system or it will erode as you point out it is helping people for a reason.
    Compromised routers and other evils. Is it possible to start detecting these things? If a persons router is compromised and we just block them from using Firefox properly they’re going to load up IE and start using that. I don’t have a clue how to start going about this problem, but I think the broader scope is to help people use a secure internet by informing them of a busted router and helping them fix it.

  15. It sounds like the main argument for the new UI is that self-signed SSL certificates provide little security over not using them in the first place. I generally agree with this argument.

    If this is the case, Firefox should simply use the same UI for self-signed certs as it uses for non-SSL pages. If the user decides that they want to add an exception for the self-signed certificate, they can do so and then firefox could then use UI indicating that the site is secure until the cert changes.

    The downside to this approach is that a man-in-the-middle attack described in the post would cause all SSL websites to look insecure without displaying the big warning message. However, this is not much of a problem: Users MUST be paying attention to that anyway if they want to securely use things like banking websites.

    To me, the current behavior very annoying as I have to add an exception for the self-signed certificate even when I’m visiting a site (which I may not visit again) where I don’t really care about security in the first place. It simply seems wrong to me to force the user to do nothing to visit a non-SSL page, but to have to do more work to visit a site that has a self-signed SSL cert that is just as unsecure.

  16. I personally think that overall FF3 went a good direction regarding SSL certs, but obviously even hardcore techies see the need for working with self-signed certificates[1]. I think a minor change would greatly improve the usefulness and eliminate a lot of blathering.

    Browsing around the internet for tech support at various sites will often times end up at an archive site that have self-signed certificates (why I don’t know). I don’t want to add an exception for the site, I haven’t even looked at it! (and frankly don’t think it should be encrypted anyways, but thats not the pt). This lack of ability to look at the site before adding an exception can be a bit of a pain. But you say I should never look at it without agreeing to its insecure? This would be true if I was actually doing anything with the site aside from looking at it. I can only temporarily add the exception and come back and repeat the annoying steps again to permanently add it if I feel its necessary later? Yeah… no thanks.. to much pita.

    Basically I think that on the self-signed page there should be a small link on the page saying “I realize it might be stupid but let me see it anyways just this once” or whatever phrase is best. Then when you get to the site you now have the ability to click on the site identity button (where the fav-icon is) and then tell it to add an exception for the site. And yes, I realize that this series of steps actually adds more if you want to add the exception after you’ve clicked on the temporary allow, but prevents extraneous additions of exceptions, removes some annoyance, and probably a few more.

    Would it even be so wrong for this to be an enable able option in about:config? Even throw a quick “are you sure” up if you must when its clicked, its still significantly easier for common occurrences.

    [1] Yes i realize MITM attacks are trivial, but as the man above mentioned, sometimes you have scenarios like iLO, and in scenarios like mine, you don’t always have the access/ability to push those admins to install certs.

  17. Someone I know complaining about this had Kaspersky Antivirus rewriting his SSL certificates on the fly. Apparently it is a feature Kaspersky recommend you disable (select * from antiVirusVendors where clue is not NULL and clue > 0 ; zero lines returned).

    He is a relatively intelligent programmer with years of IT background. Clearly the right thing to do here is to hard fail “Certificate untrustworthy”, and allow people to use the config editor to add an exception if they really need to. Allowing them to click through is just inviting loss of bank details.

    Dan’s talk at blackhat spent a lot of time pointing out most web programmers don’t understand SSL implementation stuff fully (myself included), so how the hell are end users suppose to understand the implications?

    I’m off to check out StartSSL.

  18. Whilst I understand the motives for a warning which is harder to dismiss without reading, it strikes me that to a certain degree the idea of requiring a third party CA is not always appropriate. What’s required is some way to verify a server’s identity via a source other than the server. Does this need to be a CA? Could a possible solution be to utilise the SSHFP DNS record for the domain?

    I have recently discussed this idea in my Free Software Magazine column and a colleague of yours pointed me at this blog. I’d appreciate your comments – even if it is to say why it’s unworkable.

    thanks
    Ryan

  19. It’s not like using your own CA is easy either – due to the braindeadness of NSS the list of CAs is hardcoded in a file, necessitating a recompile to install a CA for all users of an application, or installation in each user’s profile individually. And there’s no computer-wide CA repository either, so you have to recompile both Thunderbird and Firefox – double fail.

  20. While I do understand your points and mostly welcome them, arguments such as “you never just want encryption” are a little akward in the new phase of the internet.

    PS. I am writing from one Nordic country and my traffic passess through Sweden, which now implements a sweeping wiretap for all cross-border traffic.

  21. A major part of the problem as I see it is that the new dialog seems to firmly insist that a self-signed certificate means Evil Hacker Site Trying To Steal Your Precious, which is not only unhelpful (causing less technically inclined and/or patient users to end up not using encryption or to go back to IE or other browsers) but downright insulting.
    This overlaps directly with what I see as the other major part of the problem – Firefox is insisting that a server owner can’t possibly encrypt their traffic without asking a third party for help. It’s not really “free” software if you need someone else’s permission to use it, regardless of how much money (even if it’s “gratis”) the “someone else” charges for the service of claiming to know you. It takes a big dump all over a fundamental principle of “libre” software and is all the more jarring coming from Mozilla Firefox, of all things.

    “Users” of the internet (as opposed to mere “consumers”) are much more likely to be interested in the encryption than in the claim by a third party that they are familiar with the site being connected to (see #25 above, for example). “Consumers” will still want to be reassured that someone gave Verisign® some money to claim to know who they are when they hand over their credit card information to buy things over the internet, but the internet goes way beyond that kind of thing.

    In Summary: Mozilla Firefox should not punish people for using their servers outside the boundaries of the “consumer internet”.

  22. Why does Firefox treat sending data through the web insecurely as “better” than sending it with an unsigned certificate? Surely the correct solution is for FireFox to treat unsigned certs as though it’s not secure at all (e.g. don’t provide warning messages but don’t pretend it is either)?

  23. The other major problem is that Firefox’s warning screen is scary and almost impossible to understand. What happens is you get a scary looking screen saying:

    “Secure connection failed
    uses an invalid security certificate.

    The certificate is not trusted because the issuer certificate is not trusted.

    (Error code: sec_error_untrusted_issuer)”

    Notice how this doesn’t actually explain the situation to the user, and deliberately muddies the waters (since the “security certificate” isn’t invalid at all). It doesn’t even mention the word “authentication” or explains what this means. It even states a lie – that it uses an “invalid certificate”. This is /confusing/ for the user and doesn’t help them understand the issue at hand at all. This is a UI disaster.

    I’m very interested to hear why you think that:
    * Why you think that an insecure certificate is worse than no security
    * Telling outright lies to the user is a good idea from a security point of view
    * How you expect the user to understand the security issue at hand based on Firefox 3’s completely inadequate explanation
    * Why the FireFox team has decided the correct solution is “LALALA I’M NOT LISTENING TO YOU” for anything that can’t easily be represented by a poorly drawn icon of a man in an ambiguous colour or a padlock.

    All of those complete mystify me.

  24. “[…]anything that can’t easily be represented by a poorly drawn icon of a man in an ambiguous colour or a padlock.”
    Maybe that’s a huge part of the problem right there – SSL “certificates” seem to be dealing with two different problems. The happy little green padlock icon is supposed to reassure us of two completely different things. To oversimplify a bit:
    1) “Nobody where you are or between where you are and the server at the other end can see what you’re doing”
    2) “Whoever is at the other end is probably not trying to rob you with a fake website/mail server/whatever”

    This ought to perhaps be TWO little icons: one representing that the link is encrypted, and a second representing that the other end has gotten an “approved” corporate entity to claim to know them. The latter icon ought to have THREE states: “invalid” (the certificate is signed incorrectly), “valid” (Verisign® or someone claims to know them), and “unverified” (correctly self-signed).

    Firefox 3’s UI conflates all of this into one “self-signed BAD!” obstacle course.

  25. Epicanis: That’s exactly what EVSSL certs were supposed to deal with. That’s the difference between the blue and green behind the site icon in the URL bar now. Blue and green (as opposed to gray) both mean that the site is encrypted. Green (and the company name) means that a certificate authority has validated that the company that owns the domain is who they say they are.

    Although perhaps what you’re saying is Firefox should just set up a third color for self-signed certs and not throw a warning… problem is, someone has to agree that the site is trusted. In the case of a self-signed cert, that someone would have to be you. The age-old question of course, is how to get that trust decision from the end user a) in a way that doesn’t scare them away, and b) in a way that still gives them enough information to decide if it’s someone trying to hack them. Trying to do both of those at once is hard.

  26. One real problem we have in that area IMHO, is that we still don’t have CAcert in our root store, mainly because our requirements for adding a root cert are hard to fulfill for an open non-profit organization (i.e. someone who has the same philosophy as Mozilla itself), even though they are working on it… See https://bugzilla.mozilla.org/show_bug.cgi?id=215243 for one part of additional information, but I’ve spoken with people from CAcert and the bug only tells a part of the story.

  27. “EVSSL” isn’t really relevant here. The “extra” validated-by-a-trusted-Certificate-Authority SSL certificates vs. “regular” validated-by-a-trusted-Certificate-Authority aren’t the issue. As someone else pointed out, it’s odd to treat unauthenticated but encrypted links as somehow less secure than completely unencrypted links (plus the new interface – AND these posts defending it! – seems to be suggesting that unauthenticated “self-signed” certificates are the work of nefarious evildoers intent on criminal activity. This presumably makes the large number of people using self-signed certificates for benign purposes feel slightly offended…). As I posted elsewhere: “Mozilla now says that a certificate you sign yourself is the same as a certificate signed by “Russian Guyovitch’s Phishing and 419 Scam Emporium”, and is quite insistent about it”.

    The same Nefarious Evildoers could just set up an unencrypted site. A few people might notice that the Green Lock Icon of Peace is not appearing on the browser, but not everyone. Or will there be a “Invalid Certificate: site uses no encryption certificate at all. Click several times to add an exception to allow this site to load” dialog in a future version of Firefox? Since an unauthenticated (again – not “invalid”) site is not less secure than the completely un-certified sites that make up the bulk of the internet, why make them appear to be much worse?

    As #27 suggests (and I meant to expand upon with my icon suggestion), perhaps firefox should treat the “security” of all unauthenticated sites the same, regardless of whether they are encrypted. What I was suggesting is the use of two icons to indicate the two things (authentication and encryption) that SSL deals with separately: encrypted links to sites that are authenticated by “trusted” certificate authorities get both a happy green padlock icon AND a “safe from eavesdropping” icon. Correctly self-signed certificates and/or certificates from unrecognized certificate authorities get the “safe from eavesdropping” one but a “Like, Dude, Something went wrong” Red Broken Padlock of Warning (clicking on which would bring up the “register an exception for this certificate” dialogue). Unencrypted links get neither. Save the “invalid certificate” popup for certificates that really are “invalid” (i.e. incorrect signature or otherwise genuinely broken).

    It might be worth saying that this isn’t actually a real personal hassle for me or anything. I don’t think I’ve run into more than two sites where this came up in the months I’ve been using Firefox 3. Other than this one issue Firefox 3 has been great and is my preferred browser. I’m not really worried about the price of certificate services, either. I’m just genuinely disturbed to see Mozilla appearing to attack “do it yourself” use of encryption so harshly, particularly the implication that do-it-yourself encryption is “invalid”. The continued claims that it’s more important to scare consumers away from sites that might possibly maybe be out to get them than to promote “free and open” use (rather than “Yeah, I guess we’ve gone a little overboard, we’re working on coming up with a less melodramatic and more accurate behavior for future versions”) finally disturbed me enough to start commenting on it.

  28. (Oops, that ending was a bit incoherent – I had intended insert a reference to posts like this one insistently reiterating the “save the consumer” viewpoint prior to the “rather than…” in that last sentence. Sorry about that.)

  29. “This is a UI disaster.”

    actually, FF3 SSL message is the closest thing to a BSOD that i saw in UI “science”: completely techno-blah-blah to the novice user.

    Compare it with IE7 message and Safari message.

    Hire some UI experts please!!!! and stop to play the security super-heroes!

    PS: typing this in FF3 (i love this browser and open source, but i want to make clear what i think are bad decisions )

  30. I don’t judge what motivated the change. I doubt it makes it for a safer internet experience, and definitely not for a safer one. Warning, even about self-signed certificates, are OK for me. But putting half a dozen roadblocks that I have to click away is too much. It is not so much the treatment of the certificates that bothers me as it is the user interface – it trains the user to blindly click six times instead of two. It waters down the user’s attention. There should be a single warning page, with all the information on that page. Highlight in red orange and yellow the critical bits so that the user can make an informed decision. Make sure the user knows it is a critical decision. But don’t hypnotize the user to a series of empty clicks – he won’t know to make the difference between a really serious warning and just an obnoxious one, as this which I got when trying to access Yahoo today.

  31. You never *just* want encryption, you want encryption to a particular system.

    Exactly. That is why FF should accept the self signed certificate exactly like a trusted CA signed one, but Cry Out Loud if that cert changes the second time the user visits the site. Sometimes it is enough to know that the site you are connected to the second time, is the same you created an account on the first time. IMHO there is no need to force all those steps on a user that wants to accept a SS certificate.

  32. This is bad on so many levels. It completely ignores all the legitimate uses of encrypted connections in circumstances where a valid SSL cert is impossible to obtain. In particular any appliance scenario where the administration needs to be encrypted but getting a CA signed cert is impossible because the IP is not known in advance. Because there is simply no other way to setup an encrypted session, it forces appliance vendors to be LESS secure because the user experience as it stands is so hostile as to be completely unacceptable. For protecting your bank it might work, but SSL is used all over the place for simple encryption and this leaves no good option for dealing with it in a way that doesn’t scare your users away from the product.

  33. “IMHO, the 4 clicks SSL fiasco message-chain in Firefox 3 sucks.”

    Seconded, I suppose there was some privacy czar who forced this non-sequitur into the product. 99.99999% of all cases are false positives because https is used for privacy and not authentication. (There are dozens of sites in our intranet I had to add). Security is nice and all but this is really the only FF3 “feature” that really sucks. And even if you do it in that way LET ME WAVE IT WITH ONE CLICK DAMMIT. And give me an option to disable this stupid feature. (Is there one please?)

  34. This argument makes no sense, essentially. If there’s a mitm capable of spoofing a remote site, he’ll not change the cert to a self-signed cert, but simply remove the cert entirely. Self-signed certs are at worst no worse than plain http – yet they do provide real security improvement when a network is trusted but the users are not (which is frequently the case).

    If firefox’s dramatic warnings were about security, a better heuristic would be to cache security certs and warn when they’re unexpectedly changed, not freak out even on an innocent https connection. This isn’t a simple problem, and pretending that everything less than full-blown SSL is horrible is simply scare-mongering.

  35. In my eyes, the main problem with the way Firefox 3 handles self-signed SSL certificates is that it treats sites with self-signed certificates as “scarier” than sites without encryption at all. In the best case, a self-signed certificate is indicative of a legitimate site that wants to protect user privacy; in the worse case, it’s just like an unencrypted connection. So why does Firefox 3 attempt to scare users away from sites with self-signed certificates while giving no warning for sites without encryption at all?

  36. “You never just want encryption, you want encryption to a particular system.”

    That’s bovine fecal matter.

    Self-signed ssl gives you encryption, which is an improvement over plain-text http. But for some reason you have decided to make it a lot scarier and harder to use than plaintext. There are lots of eavesdroppers out there (take the ruckus in Sweden over their wiretapping law, for example), and by making as much traffic as possible encrypted by default you make eavesdropping (1) a lot more expensive and (2) detectable.

    Self-signed should not give you the nice pretty green address bar or the padlock, but it is an improvement over plaintext so it is bass ackwards to make it easier to use http than https.

  37. (this comment may be garbage)
    I’m no expert in SSL. This is how I understand the challenge:
    Self-signed certificates can be intercepted multiple times between you and the host. The fingerprint you get for the connection is not verified by anyone and so encryption may only be superficial, as the attacker between you and the host will decode the transmission, log, and re-encrypt with another certificate before sending the package on toward the host.

    So self-signed certificates only provide security if the fingerprint is verified against the certificate of the host you’re communicating with. (Manually.) How many of you have ever verified a certificates fingerprint?

    Regarding the error page Firefox uses for invalid SSL:
    I think the UI is on the right track, but the information presented in the page sucks. Information from this blogpost would go a long way in explaining the issue so that humans with no knowledge of SSL can have a chance at understand it. (Hats off to the writer of this blogpost.)

    It’s also erroneous (wrong) to treat self-signed SSL-certificates as less secure than standard unencrypted http. (Hey, at least only the server and the attacker(s) in the middle can read your traffic.)

    Peace.

  38. I think it is really dumb to make people suffer to such an extent, just for the sake of “security”.

    You are same people who bitch about Microsoft building UAC in Vista, when you are doing exactly same annoying shit.

    Go get a life. While you are at it maybe you would want to start a crusade on how the door locks at most people’s home aren’t really safe! That is a damn bigger problem than someone hijacking password to your email or porn site. I am sure you will find more people to annoy that way.

  39. Hi

    I have got site for me and few other people. I wanted it to be safer, so I generated ssl certificate and keys for everyone. In firefox 2 everything was working fine, but in Firefox 3 we are getting message “please select certificate” with information about imported key. Why ? Is there a way to tell firefox that this key is ok ? This is very annoying, because my page is checking some webpages every minute and I get this “alert message” non-stop.

  40. Спасибо. Прочитал с интересом, и вообще полезный у Вас блог

  41. Спасибо за статью, всегда рад почитать вас!

  42. I agree with the warning’s and the dialog boxes, the problem is with hardware devices which use HTTPS to get to their embedded web page for log files, etc. WHEN FF3 decides that the self signed cert from a router is not valid and will not allow you to bypass it no matter what you do and then you have to use IE to access the router what good is that??? It forces me to use IE and since we have several apps which do not work on IE7 I am stuck accessing several routes with IE6 and without tabbed browsing. The router vendor (Cisco) will not change the cert for the routers which FF3 refuses to accept and indicates that since it works with IE that it must be a problem with FF3.. Also since the Routers are on an internal network behind a firewall with no web access why can I not tell FF3 to just accept the cert even though FF3 claims it has the same serial number as another cert from the same device??? Note also since the routers are on an internal network none of them have DNS entries anywhere so immediately FF3 complains that the cert also does not belong to the device. I know that the hostname in the router is not the same as the IP thats the way its designed for security.

  43. I disagree with Jonathan wholeheartedly on the Firefox’s treatment of SSL’s in FF3.

    The new SSL interface is overly dramatic and not very intuitive.
    I especially disagree with his take on self-signed SSLs and here’s why:

    I’ve been hosting web sites for the past few years and recently started reselling SSLs and discovered something interesting. The entire SSL industry is a giant sham.

    Buying an SSL from a “trusted” source provides nothing more than “encryption” which is basically the same as setting up a self-signed SSL.

    I could be Joe Schister and set up flybynight.com and easily purchase an SSL from any SSL provider: the so-called trusted providers do no verification of who I am unless I buy one of the $1000 SSLs which is ridiculously expensive. I can buy one of those cheap Rapid SSL as most do which doesn’t even provide address information regarding the vendor so what’s the point?

    Like I said, the trusted providers don’t verify the information I provide for most SSLs I buy on behalf of clients and more importantly, your web site visitors are only interested in seeing that little lock appear somewhere in their browser. The average customer doesn’t understand SSL except to look for the lock symbol.

    I have to wonder of the trusted providers didn’t do some lobbying to have Firefox throw up these dramatic warnings about self-signed SSLs.

    To anyone who wants to buy an SSL, just buy the cheapest SSL available. It makes no difference and if you can find the time to create your own, then go ahead. Unfortunately, Firefox will make that difficult.

    Other than that, Firefox 3 is a great improvement over V2.

    Cheers
    Glenn

  44. As others have noted, there are numerous errors in your logic, which is essentially that you feel your users are idiots who need to be protected from themselves. This is a very Microsoft attitude.

    You’ve made Firefox less useful to me — and insulted me in the process.

    Stick in whatever error message you want, just give me specific information and allow me to decide what to do — and in the future please save the sanctimonious preaching for your neighborhood association or PTA meetings.

    –Bill

  45. See Bug 433422, ‘Self-signed SSL certificates should not be labeled as “invalid”‘ [because that’s incorrect and confusing].

    https://bugzilla.mozilla.org/show_bug.cgi?id=433422

    While I sort of understand the logic behind certificates, it seems to me that if it takes a whole blog to explain it, maybe something is too complicated. If you get 55 comments and lots of people still don’t agree or understand, then maybe something is too complicated. If the blog concludes, weakly, that “I don’t think the approach in Firefox 3 is perfect, I’m not sure any of us do”, then maybe something is too complicated.

    Maybe a simply worded, ACCURATE warning would help here.

  46. Hi,
    I have been using a private CA for sometime now – and have imported the CA cert for a valid chain for all internal sites – by group policy etc…

    With firefox 2 that worked perfectly no error messages etc… We appear to have all the correct settings for both the ssl and the CA certs. But with firefox 3 I get the sec_error_unknown_issuer
    Even though I have manually imported the private CA root cert. I have read through the nss documentation and we appear to have all the proper OIDS. Anyway we can get a link to a more detailed version of what it takes for a private CA to actually function after import of root cert – manually as firefox 3 does not appear to have any api’s available for cert management 🙂

    Done a lot of searching – and I like firefox – linux combo and so do a lot of my users but I sure am missing something.

    Thanks in advance for any help – not an expert in certs – but have had good luck so far with clear instructions and a trusted private ca root install for users – And I really don’t want to train folks to add exceptions etc for all the reasons in your blog…

  47. I don’t have problem with Firefox warning me about the validity of a self-signed cert. I don’t even have a problem with needing to click an extra button or two. But four steps in unreasonable.

    As a developer, I work with self-signed certs often and I find it very annoying to use Firefox with these sites. And as a result, I’ve pretty much stopped using it. I use Firefox 2 on Windows and Linux, and Camino on OS X.

    Imposing annoyances on users because you think you know what’s better for them is a spectacularly bad idea. You can’t fix stupid — ignorant users will continue to screw themselves regardless of your efforts. So really you just end up annoying the smart people who like your product. And well, if you continue to annoy your customers they won’t be your customers much longer.

    So you can pretend you know best and ruin your product, or you work to EDUCATE people and improve the quality of the product without sacrificing usability.

    Just my two cents…

  48. Well, I would not ask Firefox developers “please, reconsider…”. I rather tell Firefox Developers that this “smart feature” will make regular people (80-90% of the users, i.e. not like FF developers that don’t seem to be connected to the reality) to switch back to IE. So many years in vain…

  49. …an addition to above ^

    Why do most people spend time on the web? Is it maybe that they have needs (http://en.wikipedia.org/wiki/Maslow%27s_hierarchy_of_needs) and Internet satisfies some of them? If my sister (that got nu clue about what SSL is even if she is a doctor) want a flying ticket asap and receives SSL-error message in on browser and not in another one. Should she use the first one – the one that block her goal(s) in life because of stupid principles (that she don’t even want to care about)? I doubt it…or rather I know which one she choose because I saw it live. After wards she was satisfied. With the other browser that is.

    This reminds me of bureaucracy in low developed countries and Microsoft; FF are you a becoming a big corporation now?

  50. “the only hint you might have is that your secure sites have all become self-signed.”

    It seems that I am stuck trying to fix one of these computers that has this problem. I have no idea where to begin… I can’t find any more virii (mbam, spybot s&d, kaspersky.) Guess I’ll check the router again…

  51. Hi,
    I’m surprised that no-one highlighted the issue that if a page loaded over http will load resources (like js files or flash loading data) from the https version of the same domain, Firefox will fail silently if the certificate is self-signed! I agree with the new way of handling these certificates, but why does that not apply to these cases? I would not want to force my users to go to the https version of the site by default. Anyone else had this problem?

  52. You are ignoring one very very important thing. Yes we all know CAs serve a purpose, man in the middle attacks can occur, properly signed certificates are needed to stop them blah blah blah.

    However, when I go to a completely unprotected, unencrypted, no proof of identity site …. I get no warnings of any kind, yet if I try to add encryption to my site, firefox acts like I’m visiting the ultimate den of evil hackers that want to steal my life and kill my family…

    That makes no sense at all, a site with encryption is FAR more secure that a site that is completely unencrypted. Not as secure as a properly CA signed and verified site, sure, but can you seriously say with a straight face its not better than transmitting in plaintext?!

    In other words

    CA Signed cert > Self signed cert >>>>>>>>>>>>>>>>>>>>>>>>>>>> no encryption, and the browser needs to reflect THAT.

    The current system actually encourages people to just not encrypt the site at all, at least then the users won’t get any warnings.

    If the concern is users can’t understand the difference between a signed, encrypted, and verified site, and a site that is only encrypted without any proof of identity, that’s fine. Just show the self signed sites the same as a plain unencrypted site. Bury the fact that its encrypted in a detail page somewhere so that those of us who care can determine if its working at all, as I said theres no way you can argue it isn’t AT LEAST as secure as a regular unencrypted site.

  53. As an ordinary no nonsense browser user I liked a number of the good things about Firefox and the Mozilla line but THIS IS A DEAL BREAKER!

    I don’t want somebody else DECIDING what site I should go to – even if that somebody else considers it “dangerous”. I am intelligent enough to make choices for myself and I will accept a warning but not a denial of service which I consider this “feature”.

    Goodbye Firefox. Until you respect me and my ability to make my own decisions you are useless to me as a browser.

    NED

  54. As further explanation:

    I am sick and tired of the nanny state tellimg me before each program and after each commercial break on TV that “caution is advised”. Censors want to pick what I watch and treat me as an idiot who is incapable of recognizing that something called “Extreme Prejudice With A Vengeance” will involve gunfire. There are too many similar examples of idiots catering to the lowest denominator when “providing services” because they believe the rest of the population is just like them or more stupid.

    In like manner FF is turning into the nanny browser IMO.

    Just look at a simple example of a recent use. My cell phone is not the latest and I was in need of a replacement accessory. I went to Google and entered – “Cell phone accessories” ‘phone name’ adpter -. A good 1/3 of the sites I chose to look at in the resultant output were ‘blocked’ by FF. I know what is happening with FF is not actually a DOS but with all the extra gyrations I have to go through to reach the site the frustration level induced is similar.

    Yes of course I could add clicks to each site – accept is as unsafe but one I still want to see – and eventually get to see what the site had. But all I wanted to do was go directly to the site, see if they had what I wanted, check the price they were charging and decide which site had the best value for my money. I may never visit the site again so see no need to continually build a database of sites FF considers risky for my browsing. With a search of this nature I certainly don’t expect malicious code to be added to my machine/network by visiting the site, and anyhow I have security software to catch such invasion attempts.

    This is not the first result of this nature I have encountered with FF 3. I have had the same thing happen when searching for non academic information or researching a particular topic of interest I want to write on.

    So while I don’t really care what the message says the fact that it obtrusively appears and cannot be turned off is enough to lead me to abandon an otherwise decent browser because I don’t need the hassle it causes me to use it. As far as I’m concerned FF2 handled this feature to my satisfaction.

    I trust this answers your question Johnathan and thank you for your interest in my comment.

    NED

  55. My parents in law just switched back from Firefox to IE because they could not see the pictures of their grandchild on my home-server.

    This is the type of reallife examples that is happening right now, all over the world.

    Thanks for that.

  56. So most uses of self-signed certs are to protect passwords. How about Mozilla puts some effort behind RFC 5054, SRP/TLS which sets up an encrypted session based on passwords, instead of making excuses for the 10-year old poor technology that is PKIX.

  57. Don’t worry. Don’t argue. Switch to a different browser. That is the language a developer understands.

  58. I am so very, really, BLOODY sick of FF3’s idiotic certificate behavior. Fix the DAMN thing!!! The poor quality of the error message and the ‘you’re too stupid to manage your own browser’ approach to security are so off-putting that I’ve mostly stopped using FireFox. I like having a very visible warning but not giving me the opportunity to make my own decisions, without digging through all kinds of overly complicated BULLSHIT, about security is driving me away.

  59. Ah, Never Mind the previous post… Turns out it was a plug-in behaving very badly. Watch out for Broadband Speed Test and Diagnostics 1.1 it overrides the default FF3 SSL behavior, which really has been fixed to play nice.

  60. Hello,

    Got the same problem as James but with Errorzilla Mod. In the case of a self-signed cert there is no “add an exception” wayout.

    Anyway, thanks for this article about security concerns, it finally convinced me to get a third party signed cert (startssl) to prevent my visitors to get “afraid” by the security warning in FF3.

  61. Hello,

    thanks for writing this post. It definitely brings some light into the argument of why the UI was rebuilt to be so apparently braindead in FF3.

    Also if the pointer to StartSSL (which I will have to look into a bit more) could be published a bit more prominent…

    What really gets me about the new Security Dialog:

    Firstly: why on earth do I have to click that frickin’ little button to get the certificate! I would expect the browser to fetch it for me while it opens that dialog!

    Secondly: I really want an about:config-option to set the default to accept the exception only temporarily, thus saving me another mouse-stunt!

    Given the above modifications, I could even live without the enter key automatically choosing ok (as long as the dialog remains navigational using only the keyboard).

    My rationale is that most of the time when I personally run into a SSL-site I either want to be sure it’s safe (thus some warning is good) or sometimes I just want to read some (low priority and security) information presented on a self-signed site and then it’s just a p*** in the a** to get to that information and not worth the minutes wasted when researching something and having 20 other tabs that might have also valuable information. But it is entirely possible that the site I ignored due to the FF3 idiocity has exactly the information I really wanted, so to ease my dilemma I’m really condidering switching my browser.

    Cheers, and I’d appreciate your feedback

  62. @58.behdad

    Why are people not pissed off
    by ssh asking them the very
    same question?

    Because ssh has a sane UI

  63. I completely understand the reasoning behind this and I don’t really have any issues with it. I was just wondering if you know anything that I might be able to do about getting a certificate for a subdomain?

    I signed up for a StartSSL account, but they don’t do subdomains…

  64. I could live with the dialog and clicks and explaining to everyone what it meant, how to interpret this “dire warning”, when to be concerned and when not to.

    But now with 3.0.3 it appears to be unacceptably worse. I can find no way at all to enter an exception. The dialog in the browser itself no longer offers any recourse. It just says “localhost:443 uses an invalid security certificate.” I can not get the certificate imported or entered as an exception in the preferences panel, again because it is claims an self-signed certificate is invalid. WTF! I can’t even enter an exception anymore.

    I’m developing web applications, and we DO have the full-on signed certificates – on our production servers. This is absolutely preventing me from developing and testing. (My exception, imported in a previous version, expired tonight and after a couple hours wasted I realize firefox has screwed me.)

    Sadly, switching to Safari because I have to get work done.

  65. Would it be possible for firefox, upon receiving an SSL cert for (say) “Bobby’s Bank”, do a search of the various CA’s (or perhaps a unified CA database (CAUDB) if possible), and see if a trusted certificate for “Bobby’s Bank” already exists, and if it matches the one https://www.bobbysbank.com/ has just sent us. If there is no match, then FF should simply warn that the site is unknown, and the user should be careful if entering personal information or usernames & passwords.

    Of course CA’s would have to co-operate and set up the CAUDB, itself encrypted through SSL and signed by ALL CA’s. But FF would know a priori that a self-signed certificate for the CAUDB would be inacceptable irrespective of the user’s wishes. FF could have the CAUDB SSL key hardwired, and it’s IP address too to prevent DNS attacks. If the CA’s can’t agree on a CAUDB, then FF could hardwire all their IP’s and SSL keys. This way no-one could MITM a CA/CAUDB site.

    The only problem I see is if a virus cleverly rewrites FF’s internal, hardwired CA and certificate database. But maybe some hash-function guru could come up with a way to easily catch such an attack. In any case, this problem already exists (or perhaps it doesn’t?).

    An advantage would be that a single compromised CA’s signing key would not affect the CAUDB validity as the CAUDB SSL key has to be signed by ALL participating CA’s.

    As a second point, I would try the following wording in the event of encountering a self-signed SSL key:

    “You are entering an encrypted web-site which has not been verified by any internationally recognized verification authority.

    If this is an “important site” (e.g. a bank/shop/online retailer/services) this is VERY DANGEROUS and PROBABLY AN ATTEMPTED FRAUD – DO NOT PROCEED UNLESS YOU ARE CERTAIN THE SITE YOU ARE VISITING IS VALID – please contact the site-owner.
    If this is a less important site (e.g. email/facebook/friend’s website) please contact the site-owner and verify this site’s unique fingerprint code shown below before proceeding.
    More details are shown below. Click “I don’t understand this message” for further instructions.”

    How’s that?

    Cheers,
    Fergal.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s