Firefox accused over SSL-certificate warnings

Bad for the web?


Mozilla is being accused of creating undue fear and confusion for everyday web surfers, due to the new security feature in Firefox 3.0 that throws out a warning page when a website's SSL certificate is expired or has not been issued by a trusted third party.

Critics say that Firefox 3.0 makes it difficult to set exceptions for certain websites, and is forcing website operators to do business with specific vendors of SSL certificates or risk the appearance that their websites are broken.

Browsers require SSL certificates to initiate encrypted communications and to validate the authenticity of a site. The Mozilla.com website, where Firefox 3.0 can be freely downloaded, defends the new feature, saying SSL certificates not issued by a validated certificate authority - so-called self-signed certificates (SSC) - don't provide even basic validation; and expired certificates should not be viewed as "harmless" because they open avenues for hackers.

Mozilla officials say the new feature helps curb electronic eavesdropping or so-called "man in the middle" attacks.

The certificate issue is cropping up on such major sites as the US Army's, which uses certificates issued by the Department of Defense. In the Army's case, Firefox does not recognize the DOD as an authorised certificate provider. Firefox, therefore, rejects the Army site's certificate and defaults to a web page showing a traffic-cop icon and proclaiming "secure connection failed" and that the site's certificate cannot be trusted.

The problem also has surfaced with expired SSL certificates on such sites as Google Checkout and LinkedIn. The issue also could crop up on intranet sites that use SSCs and force IT administrators to configure exceptions within the browser or other workarounds.
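As an added illustration (not part of the article), the following shell script reproduces with openssl the two checks described above: it constructs a self-signed certificate for a hypothetical intranet host, shows that it fails chain validation against a trust store that does not contain it, and shows the expiry check; trusting the certificate explicitly stands in for the browser exception an administrator would configure. It assumes openssl is installed, and every host name and certificate in it is constructed.

```shell
#!/bin/sh
# Added example, not from the article: reproduce with openssl the two checks
# Firefox 3 applies to a site certificate (issuer trusted? not expired?).
# Assumes openssl is installed; every name and certificate here is constructed.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_self_signed NAME DAYS: create a self-signed cert for a hypothetical
# intranet host and print its path (the kind of cert the article calls an SSC).
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
    -subj "/CN=intranet.example" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
  echo "$WORK/$1.pem"
}

# classify_cert CERT TRUST_STORE WINDOW_SECONDS: print the first complaint a
# browser would raise, in the order it checks:
#   untrusted-issuer  chain does not end at a certificate in TRUST_STORE
#   expiring          certificate expires within WINDOW_SECONDS (0 = already expired)
#   ok                neither check fired
classify_cert() {
  cert=$1; store=$2; window=$3
  if ! openssl verify -CAfile "$store" "$cert" >/dev/null 2>&1; then
    echo "untrusted-issuer"; return 0
  fi
  # -checkend exits non-zero when the cert expires inside the window
  if ! openssl x509 -noout -in "$cert" -checkend "$window" >/dev/null 2>&1; then
    echo "expiring"; return 0
  fi
  echo "ok"
}

# Demo: the site cert checked against a store that does not know it (what a
# fresh Firefox 3 sees), then against a store that trusts it explicitly (the
# exception an administrator would add), with and without a 2-day expiry window.
SITE=$(make_self_signed site 1)
OTHER=$(make_self_signed other 365)
echo "unknown issuer:        $(classify_cert "$SITE" "$OTHER" 0)"
echo "trusted, 2-day window: $(classify_cert "$SITE" "$SITE" 172800)"
echo "trusted, no window:    $(classify_cert "$SITE" "$SITE" 0)"
```

Hostname matching is a third check browsers perform that this script does not cover; openssl verify accepts a -verify_hostname option for that.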

Some are saying that Firefox 3.0 is out of line.

The Pingdom.com blog this week took Mozilla to task, saying the issue could affect tens of thousands of sites. "People most in need of a clear and explicit warning regarding SSL certificates are inexperienced users, and those are not very likely to understand the error message that Firefox 3 is displaying. A large portion will simply be scared away, thinking that the website is broken," according to the blog.

Developer Nat Tuck called the Firefox feature bad for the web in a blog post he wrote on 31 July. "Mozilla Firefox 3 limits usable encrypted (SSL) websites to those who are willing to pay money to one of their approved digital-certificate vendors. This policy is bad for the web."

Tuck concedes that the SSCs provide no value for authenticating a website, but he says Firefox is ignoring the encryption capabilities of SSL certificates, which thwart snooping on web traffic. He even goes so far as to suggest perhaps open source advocates should create a derivative of the open source Firefox code that includes full SSL functions.

Mozilla.com officials say SSCs have been treated as "disconcerting" for some time by the open source browser, and what changed in Firefox 3.0 is an attempt to make users understand the potential consequences of accepting such certificates.


Comments

Barbara | Published: 15:19 GMT, 31 January 2009

I can't get to my local humane society site; it is not clear how to click through and get to it. Firefox needs to fix this and explain it.

Glen B | Published: 16:31 GMT, 27 August 2008

Firefox 3 insists that some self-signed Cisco Access Point certificates are bad and refuses to accept them even if you tell Firefox to create an exception. I cannot get Cisco to change the certificate on one access point, so I have to use IE to access some and can use Firefox to access others.

Glynn Reynolds | Published: 17:54 GMT, 24 August 2008

I may have misread the response from Mozilla.com officials. Are they offering a solution to fix the problem? I did not read anything relating to fixing the problem.

Norman Morris | Published: 22:45 GMT, 22 August 2008

If website operators can pander to Microsoft using "Microsoft" standards to build their websites rather than using "Industry" standards, then Mozilla can make sure sites adhere to web security standards.

jdubs | Published: 17:10 GMT, 22 August 2008

How come the article makes no mention of the similar error pages in IE7? It also presents an annoying screen when visiting a site with an SSC.

George | Published: 16:19 GMT, 22 August 2008

So many "false alarms" on sites that I know well and trust lead me to ignore the warnings totally, making them worse than useless.

Catch 22... | Published: 15:25 GMT, 22 August 2008

On the other hand, how lax should the treatment be? I personally liked the way version 2 handled certificates. Getting a CA published costs WAY TOO MUCH. Sites that use self-signed certificates get screwed with the current rules. Certificates are just another way for the IT industry to milk its users out of their hard-earned money. Microsoft should allow anyone wanting to use a self-signed cert to get their CA published when MS does an update.

Ralph W | Published: 14:52 GMT, 22 August 2008

(to stine and others) I used to consult with early Web commerce companies (in 1996). The whole enterprise depends on end-to-end security. If you can do a one-click bypass of certificate checks, then that means human nature will win out every time, and DEFEATS the whole security model. It SHOULD be difficult to accept a certificate signed by an 'uncertified' authority. There should be a separate mechanism for accepting these CAs (at minimum, checking your e-mail should be required). The recent DNS vulnerability, combined with many, many server compromises, make life difficult enough without having to accept self-signed certificates. So we all must make some sacrifices to ensure that our web accesses are secure. And yes, that means the DOD can pay a few thousand per year for a Verisign certificate. I'll go further, and say Firefox should make it EASY to complain to the webmaster by sending a message to the technical point of contact for the domain with an expired cert.

maxsec | Published: 13:50 GMT, 22 August 2008

Another vote for... easy to add the exception, and it proves how broken the SSL certificate is on many, many sites. We tell people to look for the security padlock before giving passwords, but this shows the SSL cert protecting this padlock can't be trusted.

stine | Published: 11:12 GMT, 22 August 2008

I'm all for the warning, but the fact that it takes three move-the-pointer clicks to get through is a pain. It does show how many sites have expired certs...
