Firefox 3.0, released not too long ago, was generally well-received. It added a load of new features, while also providing much-needed speed improvements and better memory management. Some new features, however, have met more resistance – one of them is the rather complicated user interface thrown at users when they reach a website with an invalid or expired SSL certificate.
When I encountered the page for the first time, I was at a loss as to what to do. The OSAlert backend apparently has an invalid security certificate, as well as various websites of my university, so whenever I re-install Firefox somewhere, I need to add an exception for each of these websites. The new Firefox 3.0 exception interface, however, is a four-step process that is wholly unclear (the “Or you can add an exception” is easily overlooked), and will be especially difficult to grasp for ordinary, normal users – exactly the group of users the feature tries to protect. As the Pingdom weblog explains:
The point of this change was to make web browsing safer, and that is a good thing. There is a lot of malware on the Web. However, the people most in need of a clear and explicit warning regarding SSL certificates are inexperienced users, and those are not very likely to understand the error message that Firefox 3 is displaying. A large portion will simply be scared away, thinking that the website is broken.
The problem is that Firefox doesn’t just give you this page following expired certificates, but also with self-signed certificates – something especially annoying for smaller websites. However, big websites are also affected, such as the official website for the United States Army. Heck, even Google forgets to update their certificates.
The Mozilla Foundation defends their decisions as being necessary to prevent malicious and fraudulent websites from carrying out their malintent. Jonathan Nightingale writes:
The question isn’t whether you trust your buddy’s webmail – of course you do, your buddy’s a good guy – the question is whether that’s even his server at all. With a CA-signed cert, we trust that it is – CAs are required to maintain third party audits of their issuing criteria, and Mozilla requires verification of domain ownership to be one of them.With a self-signed certificate, we don’t know whether to trust it or not. It’s not that these certificates are implicitly evil, it’s that they are implicitly untrusted – no one has vouched for them, so we ask the user.
Personally, I agree with the fact that Firefox properly warns me that I’m visiting a site with an invalid or self-signed certificate, but it would be nicer if the user interface that I’m presented with is less complicated, clearer, and easier to use.
Firefox 3 definitely should warn the end-user about self-signed/invalid or expired secure certificates with *at least* 1 in-your-face dialogue box (and maybe more by default). The big problem I have with Firefox 3 is that advanced users can’t configure the number of warning dialogues (i.e. they can’t fine-tune it to behave closer or exactly like Firefox 2, at least not from the UI anyway).
As it stands, self-signed certificate acceptance in Firefox 3 is a horrendous maze of dialogue boxes, link clicks and button clicks (and occasionally page reloads) with seemingly no way to avoid any of them. Repeat for every machine you installed Firefox 3 on too (e.g. home vs. work)…
This is not the fault of Firefox as much as it is the fault of the completely dysfunctional Certificate Authority system currently in place.
If I could AFFORD a valid cert, I wouldn’t have a self-signed cert, and wouldn’t direct all my users to use un-encrypted HTTP on my site.
The Mozilla foundation should step up to the plate and recognize a saner community-based non-profit certificate authority. They have the market share to make this happen. They control this now based on what certs they choose to ship with. Now is the time.
Luckily for you, you CAN afford a certificate from a verified CA. startcom offers free SSL certificates via http://www.startssl.com/ and it is recognised by Firefox.
Unfortunately, not many people know about this.
(Hopefully, CAcert will be recognised soon too, but that may not be soon enough for most people.)
EDIT: Unfortunately, startcom is not recognised as a valid SSL authority by other browser vendors (Microsoft IE, maybe Opera and Apple too), so it may not be a good fit.
Edited 2008-08-29 14:55 UTC
Wow, the price is right ($0) at http://www.startssl.com – thanks, I’ll probably register.
CAcert sounds like the right community-based idea, but they are actually recommending people use a few words of l33t sp34k for their pass phrases!? I don’t think I would be shipping their cert quite yet either…
That doesn’t solve the problem for internal domains (the only solution is to create an internal CA and add its root certificate to the browser), not does it solve the problem for embedded web administration in a variety of devices (many of which don’t even allow the certificate to be changed).
I pay $15/year for a valid cert which comes out to be less than a nickel a day. Surely you can find a way to fund this huge expense.
Edited 2008-08-29 18:38 UTC
Wildcard certificates are usually quite a bit more though :/
Working in IT security this has become a bit annoyence to me. None of the devices which we connect to have valid certs so having to click through it each time sucks. As techies we manage to figure it out. End users ive found are at a loss and will give up unless told what to do.
Also when managing multiple devices, even though i tell firefox to remember the certs, it keeps forgetting them, and once in a while will block me out of a site until i clear all my certs for those devices.
This should be a major issue to revisit for the next point release.
It seems everyone is missing the point here. Sites with invalid SSL certificates ARE broken. When inexperienced users visit these sites, and give up because they’re unsure as to the authenticity of the site, that’s a GOOD thing. It’s exactly what is supposed to happen (users don’t enter their personal info in a site they can’t trust). It also encourages sites to actually maintain a valid cert from a trusted CA.
With SSL certificates issued by a trusted CA available for under $10 (http://www.namecheap.com/learn/other-services/ssl-certificates.asp) there’s no excuse for failing to keep a valid SSL cert up on your site.
Nonsense. And that attitude is why we are in this mess…
Speaking as a web developer, I couldn’t agree more. Mozilla are protecting *their* users and not *your* users, and this is exactly the correct thing for them to do.
I just encountered FF’s new process for the first time, and at first glance it did seem a bit clunky, but it wasn’t any problem for me to step through and add an exception. Now, I was adding an exception for my own webmail system, but the extra steps made me think twice about doing it, even for that. I certainly applaud FF for making me think twice!
For regular users who have no clue about how SSL works, it’s essential that they not just get the old one-screen click-thru. Users are way too conditioned to click through error messages and warnings that read like gobbledygook to them.
People need to understand that it’s very easy to spoof or man-in-the-middle a site with an invalid cert or self-signed cert. They’re worse than no cert in some ways, because they provide the illusion of security. Hackers stealing credentials usually set up bogus OWA, webmail, intra/extranet and hotspot login pages, the very thing lazy IT admins don’t bother configuring a real cert for.
If you’re running a serious ecommerce business, then you’ll buy a Verisign cert and pay out the nose, but there are plenty of cheap options for other folks. If you’re IT admin for a large number of internal systems and don’t want to pay for certs, like a university, the *right* thing to do is just to make yourself a CA.
I have no problem with the general approach taken in Firefox3. I do have a problem in that I have to click on 4 separate pop-ups to allow me access to a website I know is good.
What’s wrong with having one pop-up with multiple check boxes? I suspect that someone prefers the appearance of buttons to check boxes and decided that annoying people with multiple pop-ups was better than having this one big ugly pop-up. Perhaps the solution would be prettier check boxes.
Ok, I can see them adding an option to make it easier, but the complaint doesn’t sound justified to me.
People do not know how to protect themselves on the Internet. What exactly do you mean when you say you were at a loss? The entire point of it was to make people _actually_ read the warning messages. Sure I was confused about the interface until I read it, and that was The Damned Point. Sometimes, usability is the opposite of what you want. Sometimes, you just need a nice confusing jolt to make the user pay attention to the message instead of letting them drift through the process.
Again, normal users _need_ this. It’s a huge step toward making the web somewhat safer. If they want to make it easier, it should be through a buried browser option.
EDIT: Additionally, I’m sure you can add your own authority if you self-sign.
Edited 2008-08-29 16:14 UTC
There is a usability issue – the site looks broken and not many people would wait to read the text.
It may be, but not in the same way that “page cannopt be found” means that the page is not there.
When I first moved to the Firefox 3 betas, it took me a while to realise that it was improperly signed sites causing the issue and NOT that the site was down.
A page similar to the the red page “potential malicious site page” would have been better as it does not look the same as a 404.
https is used for two different reasons – encryption and identification.
If you are connecting to a site that you don’t really know then identification serves no purpose *anyway* but encryption may be very useful.
I would say that in *most* cases it is the encryption that people use https for.
Firefox is insisting on both. Their exception system is basically unusable – awful.
It’s worth bearing in mind, though, that without certificate authentication there’s the possibility of someone performing a man-in-the-middle attack (e.g. I sit in the middle of the connection between you and your bank, decrypting the data with my self-signed certificate and then re-encrypting it with your bank’s certificate). This means that your apparently encrypted link isn’t actually as secure as it looks.
Because of this the authentication part is needed for fully secure encryption too.
I’d still agree that a self-signed certificate used for encryption is better than using no encryption at all.
My solution:
Two separate warnings:
1. Invalid or expired certificates: always bad… like current behavior
2. Self-signed or unknown certificate authorities: allow a simpler way to accept cert on first visit to a site (with some explanation about how only encryption is enabled but no identity verification has been done), but keep track whenever a site’s certificate has changed on subsequent visits and show warning about man-in-middle attacks.
Easy!
Edited 2008-08-29 23:41 UTC
I’d say that encryption would be quite useless in this case unless you are worried that people sniffing on the network might laugh too loudly at the crap the untrusted site is exchanging with you .
The content you are exchanging without encryption or strong authentication is still enough to put you in jail or on a watchlist in many countries.
Nearly ALL internet traffic should be encrypted. Period.
A man-in-the-middle attack is 10 times harder than sniffing, is easily detectable, and has legal implications which require a warrant for governments in most countries.
We’ve lost a lot of ground since 10 years ago when the FreeS/WAN project seriously aimed to get most routine internet traffic encrypted by now and PGP was slowly becoming an accepted mail protocol.
As usual, I suspect that the “experts” have been asked to weigh in on the interface, resulting in the ridiculous and confusing cascade of messages and buttons with stupid labels. “Get me out of here!” – what is that supposed to mean? Ignore the error, close the tab/window, forget about ever visiting that site, what? At least, once you’ve got the pop-up window, it takes you through the process in a half-reasonable way.
And if CAcert isn’t supported in some way – I haven’t really checked – then the Mozilla people really have been caught napping.
http://www.cs.cmu.edu/~perspectives/firefox.html
The major annoyance with this feature for me is when I use WLAN hotspots that have a login page you need to complete prior to getting full access to Internet.
These systems redirect whatever you have as your homepage to their login page. I happen to have an SSL secured webpage as my homepage, so when this redirection occurs, Firefox shows this SSL error page. This is of course natural, but it makes it very hard to access the page without having to add an SSL exception. You need to copy the login.whatever.net address you’re getting redirected to from the error message to the address bar and switch the protocol type to normal HTTP.