Slashdot Mirror


Mozilla SSL Policy Considered Bad For the Web

Chandon Seldon writes "The issue of digital certificates for SSL and the policies surrounding them comes up repeatedly. I've written an article criticizing the behavior in Firefox 3, which includes a serious comparison of the current Mozilla policy — restricting encrypted HTTP to paying customers — to a violation of net neutrality."

8 of 897 comments

  1. four clicks by Bazman · · Score: 4, Informative

    In four mouse clicks I've added that site to my exceptions list. It warned me, I read and understood the warning, I acted. I saw the https page and the web site owner didn't have to pay for a certificate.

    So, the article is wrong:
    "Mozilla Firefox 3 limits usable encrypted (SSL) web sites to those who are willing to pay money to one of their approved digital certificate vendors"

    please add 'or click four times to add the site to an exception list'.

  2. Re:This is stupid by jgtg32a · · Score: 5, Informative

    But there's one problem: you understand what the error message says and means.
    My parents couldn't get past that message even after I explained it. I had to downgrade FF because they would freak out when they saw that message.
    From a usability point of view it's terrible.

  3. Bad Article by MasterOfMagic · · Score: 5, Informative

    As mentioned on the Firehose comments page about this article (http://tech.slashdot.org/comments.pl?sid=634651&cid=24461415):

    CAcert is working to be included by default in all Mozilla Foundation software. CAcert [cacert.org] is based on having certificates for everybody, not just for paying customers. They are already included in many current distro versions of Firefox. There's no objection in the Mozilla Foundation to including certificate authorities like CAcert in Mozilla. Mozilla just needs to verify that they are secure - a process that takes a long time and doesn't cost any money - otherwise they could undermine the security of their users. Five minutes of research would have shown this.

    For this problem to be solved, the most popular F/OSS browser(s) must accept self-signed certificates. If Mozilla is unwilling to change their policies, it would be worth the effort of trying to create a *more popular* fork with full SSL functionality.

    This shows a lacking understanding of computer security practice. Self-signed certificates are something that 90% of users need to be wary of because if you allow them by default, phishing sites will use them to their advantage and steal data, and Mozilla will be blamed for it because they'd be the only one to not warn about self-signed certificates. This is why people are warned and this is why there's already an override procedure in place so if you're one of the 10% of the users impacted by it, you can work around it.

    This article seems like an attempt to insert drama where recognized security professionals already have agreed that this is best practice. Wait until CAcert is in Mozilla, and if it gets special treatment by not being treated the same as all of the other CAs, then you'll have something.

    If the purpose of the Firehose is to vet articles, it's not doing a good job.

  4. Re:no it does. by norton_I · · Score: 4, Informative

    SSL isn't meant just for encrypting pages, it's meant for verifying identity also.

    As the article says. SSL does both. FF3 in particular makes the first completely unusable for no good reason. The web would unquestionably be more secure if all http servers switched to using self-signed SSL certificates in place of unencrypted connections.

    2. buy a cheap ass certificate from godaddy for $10. Your domain registration likely costs this much as well, but we don't complain about that, do we? The service is actually worth $10.

    The $10 certificates have essentially no value over a self-signed certificate. The only reason they even exist is that browsers make it so hard to use self-signed certificates.

    Without the above, the ff3 presentation is correct, the certificate is bad and should not be trusted.

    The correct behavior is to allow self-signed certificates with no warning at all, but not display the yellow bar/padlock that CA verified SSL certificates do. Then they should drop support for all signing authorities that have only an automated check for domain ownership, since they are of next to no value. Warnings should still be generated for expired certificates and probably those signed by unknown CAs.

  5. Re:You missed a couple of very important points. by lukas84 · · Score: 4, Informative

    The FF3 behaviour will make most normal users just think, "Oh, the website is broken. I guess I can't go there." They won't even read the error message: they'll just see that there is one, and give up.

    That's good. I'm fine with that. "Secure by default".

    Or, depending on IE's behaviour (which I do not know in this particular case), they'll see, "Oh, I can't get to this website in Firefox.

    http://projectdream.org/~lb/ie7-unknownca.jpg

    IE7's error message and behaviour are slightly different - first, accessing the site anyway is a single click. However, that click will be necessary each time you try to access the site. When you want to make the trust permanent, much more convoluted steps are necessary (around 10 clicks through a variety of property dialog boxes, and even more complicated on Vista).

    Just because I want to have the possibility of encrypted traffic for visitors to my website

    Encrypted traffic doesn't mean much when everyone can go in between you and them. MITM attacks against self-signed certificates are easy to do.

    Most hobbyist websites do not require SSL - if you host a discussion group or anything similar to that, SSL is not required. MITM attacks are still easy, so you haven't lost or gained anything.

    Or perhaps you can enlighten me with a use case for a hobbyist website that requires SSL.

  6. Re:trust? by shaitand · · Score: 4, Informative

    No, the author has a grip. If you haven't added the root for OpenCA go to www.openca.org with your Firefox 3 and look at what you are presented with.

    If you try to go forward it presents you with a HELP GET ME OUT OF HERE button and an option to add an exception, then on that exception adding window it blatantly says that no legitimate website would require you to do this. In other words, it blatantly accuses all self-signed sites of being a scam.

  7. Re:Seconded. by Antibozo · · Score: 5, Informative

    A self signed certificate is potentially more secure, since you haven't disclosed your private key to a third party...

    Sigh. You don't disclose your private key to a third party when you request a certificate. You provide the public key, and the third party signs that with the private key corresponding to a CA certificate. Neither party reveals a private key to the other, or to anyone else.
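
The exchange described in comment 7 above, as an added example that is not part of the thread: the site owner keeps the private key and sends only a CSR, and the CA signs the public key found in it. The CA is constructed for the demo, and `Issue`, `must` and the host name `shop.example` are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the demo short: any crypto or parsing error aborts the run.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Issue plays all three parties for host. It reports whether the issued certificate
// chains to the CA, whether the CSR's self-signature verified, and whether the
// certificate binds the site's own public key.
func Issue(host string) (chains, popOK, sameKey bool) {
	from, to := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	// CA (constructed for this demo): its private key never leaves the CA.
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Demo CA"},
		NotBefore: from, NotAfter: to, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	// Site owner: siteKey stays local; csrDER is the only thing sent to the CA.
	siteKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csrDER := must(x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}, siteKey))
	// CA: works from the CSR bytes alone (public key plus a signature proving key possession).
	csr := must(x509.ParseCertificateRequest(csrDER))
	popOK = csr.CheckSignature() == nil
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: from, NotAfter: to, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	cert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leaf, ca, csr.PublicKey, caKey))))
	// Client: trusts only the CA certificate and checks the chain and the host name.
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, verr := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return verr == nil, popOK, siteKey.PublicKey.Equal(cert.PublicKey)
}

func main() { fmt.Println(Issue("shop.example")) }
```
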

  8. Re:no it does. by cptdondo · · Score: 4, Informative

    What annoys me about this is that FF doesn't support CAcert, which is an 'Open' certificate outfit.
    http://www.cacert.org/

    I can buy a BS certificate from Godaddy.com for $10 and that's OK but a verified cert from CAcert is no good. Go figure.

    I run a small sideline business, and my whole yearly income would barely pay for a cert from someone like MS and the like. So I explain to my clients to click through the certificate BS. I'm after the in-route encryption; my clients know who they're connecting to.