Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla SSL Policy Considered Bad For the Web

Posted by kdawson on from the among-these-shall-be-life-liberty-and-acces-to-https dept.

Chandon Seldon writes "The issue of digital certificates for SSL and the policies surrounding them comes up repeatedly. I've written an article criticizing the behavior in Firefox 3, which includes a serious comparison of the current Mozilla policy — restricting encrypted HTTP to paying customers — to a violation of net neutrality."

3 of 897 comments (clear)

  1. Re:This is stupid by jgtg32a · · Score: 5, Informative

    But there's one problem you understand what the error message says and means.
    My parents couldn't get past that message even after I explained it. I had to downgrade FF because they would freak out when they saw that message.
    From a usability point of view its terrible.

  2. Bad Article by MasterOfMagic · · Score: 5, Informative

    As mentioned on the Firehose comments page about this article (http://tech.slashdot.org/comments.pl?sid=634651&cid=24461415):

    CAcert is working to be included by default in all Mozilla Foundation software. CAcert [cacert.org] is based on having certificates for everybody, not just for paying customers. They are already included in many current distro version of Firefox. There's no objection in the Mozilla Foundation to including certificate authorities like CAcert in Mozilla. Mozilla just needs to verify that they are secure - a process that takes a long time and doesn't cost any money - otherwise they could undermine the security of their users. Five minutes of research would have shown this.

    For this problem to be solved, the most popular F/OSS browser(s) must accept self-signed certificates. If Mozilla is unwilling to change their policies, it would be worth the effort of trying to create a *more popular* fork with full SSL functionality.

    This shows a lacking understanding of computer security practice. Self-signed certificates are something that 90% of users need to be wary of because if you allow them by default, phishing sites will use them to their advantage and steal data, and Mozilla will be blamed for it because they'd be the only one to not warn about self-signed certificates. This is why people are warned and this is why there's already and override procedure in place so if you're one of the 10% of the users impacted by it, you can work around it.

    This article seems like an attempt to insert drama where recognized security professionals already have agreed that this is best practice. Wait until CAcert is in Mozilla, and if it gets special treatment by not being treated the same as all of the other CAs, then you'll have something.

    If the purpose of the Firehose is to vet articles, it's not doing a good job.

  3. Re:Seconded. by Antibozo · · Score: 5, Informative

    A self signed certificate is potentially more secure, since you haven't disclosed your private key to a third party...

    Sigh. You don't disclose your private key to a third party when you request a certificate. You provide the public key, and the third party signs that with the private key corresponding to a CA certificate. Neither party reveals a private key to the other, or to anyone else.