Mozilla SSL Policy Considered Bad For the Web

Chandon Seldon writes "The issue of digital certificates for SSL and the policies surrounding them comes up repeatedly. I've written an article criticizing the behavior in Firefox 3, which includes a serious comparison of the current Mozilla policy — restricting encrypted HTTP to paying customers — to a violation of net neutrality."

One Question

[frodo+from+middle+ea]

wouldn't implementing what the author suggest, defeat the very purpose of having a CA ? SSL is not just for encryption you know. There is a little thing called 'trust' which pays a big part in it too.

Re:One Question

[Iamthecheese]

It didn't make sense, the thing you just said. The author is proposing an easier flow to accepting self-signed certificates. How could that defeat the purpose of having a CA?

While he may have a valid point, I resent and disagree strongly with the author's implication that there is a profit motive to this. A bad decision, but not one made for profit.

Re:One Question

[adamwright]

If there was any real "trust" component, I'd buy this argument. SSL certificate authorities are supposed to be sources of trust - we trust them to have authenticated that the FooCorp who bought a certificate really is FooCorp Ltd (and not F0oCorpe). However, the only inducement most vendors need to issue a certificate these days is money.

I've successfully bought SSL certificates for companies that I had little or no verifiable connection with, from authorities that are trusted by all major browsers. Now, I obtained these with full permission of the companies in question, as a contractor, but as far as the authority was concerned, I was Joe Bloggs. They've even realised that now, and introduced the new EV Certificates - now with Extra Validation! Until of course, these get paid off as well, and we need EEV Certificates and so forth.

Using SSL for trust based on the word of companies like Verisign is pointless - you have to do manual authentication. The only use I see for them these days is transport encryption.

Re:One Question

[pmontra]

CAs do very little to ensure that the site you're connecting to is really the one it claims to be. So SSL is almost useless for authentication and trust. It's worth using it only for encryption and self signed certificates are as good for that as the ones you buy with money.

As a webmaster and owner of a site that uses SSL I second the author's proposal and more: let's stop pretending CAs can ensure the identity of the communicating parties, shut them down, save money and use SSL only for encrypting data.

Re:One Question

[Nursie]

No.

Seriously, stop being a retard.

If I'm connecting to my bank, and I get a certificate that matches the domain name and was signed by a widely trusted 3rd party, that gives me much more confidence than selecting some bozo's self-signed certificate.

Does it guarantee the identity and trustworthiness of the entity? Not absolutely, but it's a whole hell of a lot better than just encrypting comms and sending them to whoever happens to be running a man in the middle attack today.

Re:One Question

[Rakishi]

The problem with this is that it does not guarantee that your connection is actually encrypted. There is a reason why CAs where created and it has a lot to do with ensuring proper encryption. Basically a man in the middle attack can with self-signed CAs fake the user into accepting their CA instead of the website's CA. You now have the illusion of security and encryption which some would consider worse than no encryption at all. To the end user they would be identical and while there may be a complaint about different keys, if the user went to the site before, most users would probably ignore them (especially after they seem them a dozen times for legitimate sites that for some reason changed their keys).

Re:One Question

[locofungus]

Exactly.

A "secure" and encrypted connection to a compromised or malicious server is worthless.

Exactly! My accountant needs some documents from me. Rather than email them I have them up on a secure site. If my accountant connects to the wrong site I really don't care, he's not going to find the documents he needs so he's going to give me a call and ask where they are.

Self signed certs are for when you want to do the encryption but you're doing the authentication via other means.

I've used this in the past (although not to my accountant).

At the very worst, a self signed certificate is no worse than a plain HTTP connection.

If we didn't have plain HTTP at all then we would consider sites using self signed certificates as secure (or insecure) as a plain HTTP connection.

Tim.

Re:One Question

[shaitand]

I agree, domain verification is useful and should not be done away with entirely.

I don't agree with the current policy though. A simple notification saying the connection is encrypted but the domain identity isn't verified by a 3rd party with a box to not show this again would be fine. Currently the popup goes as far as to say that the site is not legitimate!

Also, this CA 'https://www.openca.org/' does verify you have control of the domain. Why is it still not included in the browser by default?

Re:One Question

[Eivind]

Reading the article would be good, ya ?

The articles main complain is that the way FF does thing by default a website secured using a self-signed https:/// certificate looks MORE scary and LESS secure than the very same site using http:/// and no certificate whatsoever.

That, the author argues, is wrong. True, a https:/// site *with* a certificate is even better than one without one. But BOTH are more secure than simply using http:///

So, it makes little sense to make self-signed https:/// look MORE scary that http:///

I agree.

Re:One Question

[cryptoguy]

There are lots of times when SSL is used for less than its complete feature set. SSL provides a mechanism for *mutual* authentication, but how often does the server actually require a verified SSL certificate from the client? The fact that servers usually don't do this does not mean SSL is not useful in that context. Likewise, the absence of a verified server side certificate does not necessarily mean that SSL is providing no value. Encryption without authentication provides a degree of privacy, raising the level of difficulty significantly for anyone who would want to eavesdrop. When a client encounters a self-signed certificate, or when the certificate is a type that is weakly verified by the CA, the client should simply notify the user of that fact. That can be done with a single notifier. The notifier can provide the user the option of verifiying the certificate out-of-band so it will be trusted next time without a nag screen.

This is stupid

[duffbeer703]

The whole point of SSL is to have some assurance that you are connecting to whom you think you're are connecting to.

While the model of paying a CA to assure your identity is not perfect by any means, ignoring the issue isn't either. Many slashdotters seem to have a hard time getting this.

IMHO, the system in Firefox 3 is superior. While self-signed sites are blocked by default, it is not easier to explicitly trust a self-signed SSL site. In the past, most people would just click past the nag dialog when it popped up.

Re:This is stupid

[jgtg32a]

But there's one problem you understand what the error message says and means.
My parents couldn't get past that message even after I explained it. I had to downgrade FF because they would freak out when they saw that message.
From a usability point of view its terrible.

Re:This is stupid

[js_sebastian]

The whole point of SSL is to have some assurance that you are connecting to whom you think you're are connecting to.

No. As TFA says, there are 2 points to SSL. 1 is to provide confidentiality (encryption) the other is to authenticate the server to the user. A server with a self-signed certificate provides protection against passing (but not active) snooping. This is worse than what a real, trusted-third-party signed certificate provides, but it is better than no encryption at all!

So why does the firefox GUI make a site with a self-signed certificate appear (to the non-technical user) less secure than a plain HTTP site?

IMHO TFA is very much correct this is a problem. The solution is not obvious, because users are used to the lock icon and may not understand the concept that confidentiality and authentication are 2 separate protperties, so how do we design a GUI which does not mislead him.

Re:This is stupid

[quantumplacet]

I think that's exactly the point. If you can't understand what a self signed certificate is, you shouldn't be accepting them.

Re:This is stupid

[mapsjanhere]

Insecure is less dangerous than encrypted untrusted. How many less-than-savvy users are trained by their more geeky relatives to check for two things - the httpS and the little lock icon. How easy do you want to make it for the phisher if he can safely pretend to be https://cidybank.com/ with the lock icon? Getting "trust" established was one of the hardest thing for e-commerce to do. Anything that undermines it needs to be stamped out.

Re:This is stupid

[pmontra]

Let's do it with alert boxes.

HTTP only: "The communication with this site is insecure because it doesn't ecrypt the data you're sending to it. Furthermore there is no guarantee that it's owned by the organization that it claims to belong to. [checkbox] Don't tell this to me anymore.

Self signed HTTPS: "The communication with this site is secure because it encrypts the data you're sending to it. However there is no guarantee that it's owned by the organization that it claims to belong to. [checkbox] Don't tell this to me anymore."

CA's signed HTTPS: "The communication with this site is secure because it encrypts the data you're sending to it. Furthermore [the name of the CA] guarantees that the site is really owned by the organization that it claims to belong to. [checkbox] Don't tell this to me anymore."

However one has to be really naive to believe the guarantee part of the last statement or that CAs are willing to have any legal responsibility for the claims they're issuing with any certificate. Actually that third alert box might be harmful as it perpetuates the delusion that certificates do anything about authentication.

Eventually it's not a problem of GUIs but a problem of understanding what certificates are really for.

This causes real problems.

[Daryen]

I encourage all of my users to use Firefox by including it on our PC images, showing them it's cool features, and letting them know about how it's more secure. I've been running into problems with self-signed SSL certificates though.

I run a router/firewall based on the Untangle software, which in turn is a modified Debian/Knoppix setup. It also does VPN, based on the open source openVPN software, and it uses self-signed SSL certificates for it. While I don't mind adding our firewalls to a safe list, my users freak out with all of the warnings and aren't sure what they should do. I've been telling them to use Internet Explorer, but it makes my skin crawl to say it. Hopefully the Mozilla team will reconsider their position to make their software more open-source friendly.

Average user and security

[RomSteady]

The average user doesn't notice any security feature unless it is in their face.

Given the number of phishing sites out there, it could be argued that every additional slap to the face that a user would have to get through in order to get to a phishing site (known phishing site, self-signed SSL, acknowledge that you are a fucking retard for bypassing the last two warnings, etc.) may be worth it.

Just remember that just because the precepts of net neutrality (all bandwidth is equal) means that we should let a user shoot themselves in the head doesn't mean that we shouldn't at least make a passing effort to put a safety on the gun they are using.

four clicks

[Bazman]

In four mouse clicks I've added that site to my exceptions list. It warned me, I read and understood the warning, I acted. I saw the https page and the web site owner didn't have to pay for a certificate.

So, the article is wrong:
"Mozilla Firefox 3 limits usable encrypted (SSL) web sites to those who are willing to pay money to one of their approved digital certificate vendors"

please add 'or click four times to add the site to an exception list'.

Re:Seconded.

[lukas84]

This is bullshit.

It's not like Firefox makes it impossible to access a web site with a self signed certificate. It just makes it very obvious that something is wrong with the certificate, and tells the user that he shouldn't trust it to much.

Now, who uses self signed certificates or certificates signed by an internal CA?

* Test environments (not an end user scenario)
* Unprofessional webhosters (good riddance)
* Companies with their own CA (they can preload the certificate)
* Hobbyist systems (they can reconfigure their browser)

In the end, the only ones hurt by this are unprofessional webhosters - and i don't think anyone should care about them.

Re:Most clueless article ever?

[Hes+Nikke]

There is a "warning," and then there is a "WARNING: YOU MUST CLICK FIVE TIMES TO SEE THIS PAGE." A simple bar across the top of the page with a warning that the sites identity couldn't be verified, but that the connection was still encrypted would work just fine.

Bad Article

[MasterOfMagic]

As mentioned on the Firehose comments page about this article (http://tech.slashdot.org/comments.pl?sid=634651&cid=24461415):

CAcert is working to be included by default in all Mozilla Foundation software. CAcert [cacert.org] is based on having certificates for everybody, not just for paying customers. They are already included in many current distro version of Firefox. There's no objection in the Mozilla Foundation to including certificate authorities like CAcert in Mozilla. Mozilla just needs to verify that they are secure - a process that takes a long time and doesn't cost any money - otherwise they could undermine the security of their users. Five minutes of research would have shown this.

For this problem to be solved, the most popular F/OSS browser(s) must accept self-signed certificates. If Mozilla is unwilling to change their policies, it would be worth the effort of trying to create a *more popular* fork with full SSL functionality.

This shows a lacking understanding of computer security practice. Self-signed certificates are something that 90% of users need to be wary of because if you allow them by default, phishing sites will use them to their advantage and steal data, and Mozilla will be blamed for it because they'd be the only one to not warn about self-signed certificates. This is why people are warned and this is why there's already and override procedure in place so if you're one of the 10% of the users impacted by it, you can work around it.

This article seems like an attempt to insert drama where recognized security professionals already have agreed that this is best practice. Wait until CAcert is in Mozilla, and if it gets special treatment by not being treated the same as all of the other CAs, then you'll have something.

If the purpose of the Firehose is to vet articles, it's not doing a good job.

Re:Bad Article

[MasterOfMagic]

<flame mode="on">

it is easy to be indignant and force stuff upon people, saying 'it is the right thing', while working on an open source project part time, from a secure, corporate level information technology job.

In all seriousness, fuck you. No, really, fuck you. I am a graduate student. My only support comes from the part time job that I have to pay my tuition and my bills, and a grant for my research. I research computer security. To say what you have said shows zero understanding of computer security, encryption, user behavior, and accountability. Go suck a big fat one.
</flame>

'security professionals' do not build the web, or do they constitute the market, or the people.

This is the ultimate problem with your post. Before I tear it a new asshole (and I'm going to tear it a new asshole - nothing personal, but I hate posts that masquerade ignorance as wisdom), know that the reason that Mozilla is doing this is because security professionals, by and large, do not build the web and are not the majority of the people. This is why they are so picky about security. I have spoken to security professionals and the overwhelming consensus is that accepting self-signed certificates by default is bad. Very bad. Break the whole security and user trust in SSL bad. If user trust in SSL is broken, then we have ultimately failed.

there are a LOT of community websites (that cater to thousands of people, the smallest one), small businesses, their customers, vpn users, a lot of people that are going to be hurt by this overly self righteous move.

Community websites can walk users through installing the proper certificate instead of relying on users to override a secure default for certificates. They can teach the users about the importance of verifying certificate fingerprints (to avoid a man-in-the middle). If they release software, they can bundle their certificate with the software. If there are small businesses, they can install their CA on their user's machines. This then becomes a non-issue. In a secure setup, these entities will generate a self-signed root CA certificate (like any other CA), push that to their users, and then sign the certificate for their website with this CA certificate (thus providing the ability to revoke the encrypting certificate should it become compromised and allow certificate updates/refreshes completely hands-off of the client). <flame mode="on">If you knew anything about SSL, anything at all, you would know this. Instead you assume, and make yourself look like the twit you are. Users hurt by this policy? It's the same policy (a bit more stringent, but the same policy) that the other browsers have.</flame>

one thinks it seems right for you, and therefore it is probably right for others. of course, all the while clueless about how many people, businesses, organizations and communities use self signed certs throughout the web, just because their isolated position.

If they used the certificates securely, understood how SSL worked, and did research, this would be a non-issue. I am not clueless about how people use SSL. I am saying that they are using it wrong, and Mozilla is doing the right thing here. Here's a roadmap for anyone who cares to learn about how to do this properly:

1. Talk to someone who understands SSL, preferably a reputable security professional. I can't speak for the rest of my profession, but I do a first consultation for free because I feel that it's my responsibility as a professional to make sure that people, non-profits, and small businesses are just as secure as the big boys.
2. They will tell you the pros and cons of going with a CA that is trusted by the OS and by the browser by default. They do not, generally, get a kickback for this. They are doing their job. Consider CAcert. It's

Re:Seconded.

[Hes+Nikke]

On the other side of the coin, it subsidizes the CA industry just like compulsory auto insurance subsidizes the auto insurance industry.

Mozilla is correct

[Antibozo]

I think the author makes Mozilla's case for them, by not appearing to understand the risks, especially at a time when DNS cache poisoning has become unusually feasible. E.g., the statement

Snooping a connection (i.e. on a wireless link) is much easier than any of the impersonation attacks that SSL authentication prevents.

is simply not true for clients of unpatched DNS servers. It's much easier for an attacker to get a remote user's traffic redirected to a host of his choosing than it is for him to snoop on that user's traffic. Volume-based attacks on DNS become increasingly easier as bandwidth increases, and people who operate botnets have a good chance of poisoning a cache even on patched nameservers, simply through brute force. Meanwhile, that smaller class of attackers who are in a position to actually snoop on traffic are also in a position to use an arp spoofing attack. Encryption is simply not useful without knowing whom you're encrypting to.

If you're feeling lucky, you can always add the exception. You can also sign your certs with a CA cert, and import that into your certificate database. Of course, anyone who trusts that CA cert also trusts you not to generate bogus certs for bankofamerica.com, etc... The solution to the problem is not to make the browser more trusting by default; it's to migrate away from X.509 to a PKI that allows domain owners to generate certs at no additional cost, such as a DNSSEC-based PKI.

I think Mozilla has it 100% right.

No, it is not considered bad for the web.Blogrant.

[mxs]

I originally meant to post this as a comment to the blog post, but apparently the author does not care about testing their commenting feature. This alone should already tell you stories about how much thought he puts into this stuff.

-+-
Why in the world are you singling out Mozilla in this ? Every browser has this policy.

Every browser has avenues to add new root certs, too (I can just create my own CA, offer the certificate file on the web, and let users install that; all future communication with a site that has a certificate signed by that CA will not be bothered with these error messages). This may not be 100% convenient, you are correct. But it's not as if it was hard to do if you want to give your users the option of using encrypted sessions.

Oh, and there IS a way to get your shiny new non-profit CA into the main Firefox builds. All you need to do is comply with their procedures and requirements -- which include policies on how you verify the identity of the certificates you sign, how revocations work, etc., and requiring specific minimum requirements in these. If you think you can run a proper CA for free for everybody with proper identity checking and day-to-day operations, do it and get it added !

The default position Mozilla takes is quite simply that the CA should verify the identity of the entity the certificate is being issued to. You may not think that it is important for this to be such a prominent user interface feature, but many people do. Every user can add an exception for your site, you can add a CA of your own, you can get certified by a nonprofit CA (good luck finding one; I agree that most of them are scumbag operations that try to extract as much money from you as possible, but I have yet to see a proposal which both ensures identity checking and revocation management while being completely free ... Maybe you'll find a way).

This has nothing to do with network neutrality. Nothing at all. A more proper comparison would be comparing this situation with that of 2nd-level domain names. You can't get a .com domain for free, either. Nor a .net or .org or most of the country TLDs. You can open up your own Registrar (but will still have to pay dues for domains registered), just as you can open up your own CA. It'll be a rocky road, and it'll not be free -- least of all in work required.

My sites work just fine with SSL certs signed by my very own CA. Firefox displays them just fine (either by adding the root cert of my CA to it, or by simply adding an exception). All other browsers work fine, too. If you have visitors or customers that require validation of your certificate by a third party, you are SOL. But then again, you also would be were the warning worded differently (and there SHOULD be a warning for a certificate that is not signed by a trusted CA or one which you explicitly told the browser to trust. No matter what. Self-signed certs are alright for encryption, sure, but I want my browser to have a default setting of warning me when something is happening that very well could be an attack; especially when I have taken care to add a specific trusted CA (say, the one by my university).
-+-

Accept self-signed certs and I hack you in no time

[rpp3po]

When do people finally realize that self signed certificates don't work? If I share your WLAN access in a public cafe it's really no big deal to play man in the middle and exchange the presented certificate for my own. Ok, it's more work than without, but not much (about 5 minutes). The only case where self-signed certificates can be secure is when you manually verify the validity of a certificate beforehand and save it in your cert store. If your first check of a certificate's validity happens to be while I'm attacking you (maybe because you are visiting the site for the first time) you will "verify" my hacked one. And don't tell me about hashes on webpages. Maybe 1 in 1000000 users checks this once in a while for pure curiosity, but not more.

no it does.

[unity100]

It's not like Firefox makes it impossible to access a web site with a self signed certificate. It just makes it very obvious that something is wrong with the certificate, and tells the user that he shouldn't trust it to much.

there close to a billion people on the net that wouldnt tell what to do when faced with such a disastrous looking warning as ff 3 prints out when met with a self signed ca.

also there are equally many people that would rather skip visiting/subscribing to a site when they see the hassle ff3 puts out.

therefore many small service providers, businesses, communities that would not afford a decent certificate will be hurt in all respects, not to mention many users.

excuse me, but this is a very stupid, self righteous and jacobin move.

that is the EXACT kind of thing slashdot criticizes almost EVERY government, country, organization, corporation for, yet, you people are actually applauding it in this case.

Re:no it does.

[spottedkangaroo]

SSL isn't meant just for encrypting pages, it's meant for verifying identity also.

There are two solutions to this problem.

1. create your own CA and tell your customers to import the CA by clicking here (before putting them in ssl mode). It's really not much trouble to set up your own CA.

2. buy a cheap ass certificate from godaddy for $10. Your domain registration likely costs this much as well, but we don't complain about that, do we? The service is actually worth $10.

Without the above, the ff3 presentation is correct, the certificate is bad and should not be trusted. Otherwise you're in real danger of man in the middle attacks.

Re:no it does.

[norton_I]

SSL isn't meant just for encrypting pages, it's meant for verifying identity also.

As the article says. SSL does both. FF3 in particular makes the first completely unusable for no good reason. The web would unquestionably be more secure if all http servers switched to using self-signed SSL certificates in place of unencrypted connections.

2. buy a cheap ass certificate from godaddy for $10. Your domain registration likely costs this much as well, but we don't complain about that, do we? The service is actually worth $10.

The $10 certificates have essentially no value over a self-signed certificate. The only reason they even exist is that browsers make it so hard to use self-signed certificates.

Without the above, the ff3 presentation is correct, the certificate is bad and should not be trusted.

The correct behavior is to allow self-signed certificates with no warning at all, but not display the yellow bar/padlock that CA verified SSL certificates do. Then they should drop support for all signing authorities that have only an automated check for domain ownership, since they are of next to no value. Warnings should still be generated for expired certificates and probably those signed by unknown CAs.

Re:no it does.

[andymadigan]

The issue isn't quite identity verification, the issue is that without a trusted certificate another server masquerading as yours can connect to your server and retrieve the data the user is requesting without either party noticing. That's what a man-in-the-middle attack (is simple terms). There's simply no way to secure the link without that. There may be other ways to have a signed certificate system, and that is where you should be looking.

Re:no it does.

[shaitand]

From the article:

'This ignores the value of simple encryption. Snooping a connection (i.e. on a wireless link) is much easier than any of the impersonation attacks that SSL authentication prevents.'

You are acting as if security is an all or nothing affair. There is no such thing as totally secure. Every step just raises the bar.

Also, there is an open CA that Mozilla doesn't include either. It performs the same domain verification that godaddy and others perform, checking that you have control of the DNS for the domain.

Re:no it does.

[cptdondo]

WHat annoys about this is that FF doesn't support CACert, which is an 'Open' certificate outfit.
http://www.cacert.org/

I can buy a BS certificate from Godaddy.com for $10 and that's OK but a verified cert from CA Cert is no good. Go figure.

I run a small sideline business, and my whole yearly income would barely pay for a cert from someone like MS and the like. So I explain to my clients to click through the certificate BS. I'm after the in-route encryption; my clients know who they're connecting to.

Number of holes in the author's argument

[bconway]

A.) You don't need to buy certs from Mozilla, you can buy them from any number of CA's, for as little as $10. There are some free CA's, as well.
B.) This isn't in any way related to network neutrality.

Re:Seconded.

[Thiez]

Except that there is nothing compulsory about ff. You are free to trust any certificate you want, the browser merely warns you that it could be a bad idea to do so.

Re:Seconded.

[Goaway]

Obviously you don't need encryption very badly if you don't care about man-in-the-middle attacks.

Re:Damn right you are.

[Culture20]

For those sites, buying a certificate is possible, but the costs are high compared to the gains (as this is *only* about protection of the data, not about "being sure this is site XY).

If my data needs encrypted, you'd better be sure as a client I want to know it's going to the right place. As the server, you probably don't care (but you should). You don't want to spend $$ to get a cert with a browser pre-installed CA? Fine, but please provide a way to contact your company through the yellow pages or some other non-website contact info that allows people to call a real person and verify the SSL cert. 99.999% of people won't, but sysadmins will.

Re:Seconded.

[j79zlr]

On the other side of the coin, it subsidizes the CA industry just like compulsory auto insurance subsidizes the auto insurance industry.

Driving is a privilege not a right. Unless you have the money to cover any damages you may cause, it is absolutely necessary to have insurance. The cost of barebones liability coverage is not that high assuming you have a relatively clean record and if not, you probably shouldn't be driving. It seems that today the idea of personal responsibility is falling out of favor.

You missed a couple of very important points.

[danaris]

First, I think that the most important line in the article is this one:

But there is absolutely no excuse for it to be significanly less inviting to a normal user than an unencrypted site.

The FF3 behaviour will make most normal users just think, "Oh, the website is broken. I guess I can't go there." They won't even read the error message: they'll just see that there is one, and give up.

Or, depending on IE's behaviour (which I do not know in this particular case), they'll see, "Oh, I can't get to this website in Firefox. But hey, it works fine in Internet Explorer! I guess Firefox is broken, and I won't use it anymore."

Second, and probably more importantly, either you missed a very, very important demographic among those who use self-signed certificates, or otherwise don't want to pay the extortionate fees charged by the corporate CAs, or you severely misunderstand and underestimate the importance of "unprofessional" and "hobbyist" webmasters.

Just because I want to have the possibility of encrypted traffic for visitors to my website doesn't mean that I'm bringing in loads of money by said website, or that I want to spend some not insignificant sum on a recurring basis for what is, for me, just a fun hobby, for which I'm already shelling out a not insignificant sum for hosting.

I'm seriously hoping that your definition of "unprofessional webhosters" means "people running for-profit websites (that actually make a profit) who are just too cheap to actually buy a certificate," and not simply "amateurs," because it is on the backs of those amateurs that the web was built.

Dan Aris

Re:You missed a couple of very important points.

[lukas84]

The FF3 behaviour will make most normal users just think, "Oh, the website is broken. I guess I can't go there." They won't even read the error message: they'll just see that there is one, and give up.

That's good. I'm fine with that. "Secure by default".

Or, depending on IE's behaviour (which I do not know in this particular case), they'll see, "Oh, I can't get to this website in Firefox.

http://projectdream.org/~lb/ie7-unknownca.jpg

IE7's error message and behaviour are slightly different - first, accessing the site anyway is a single click. However, that click will be necessary each time you try to access the site. When you want to make the trust permanent, much more convoluted steps are necessary (around 10 clicks through a variety of property dialog boxes, and even more complicated on Vista).

Just because I want to have the possibility of encrypted traffic for visitors to my website

Encrypted traffic doesn't mean much when everyone can go inbetween you and them. MITM attacks against self signed certificates are easy to do.

Most hobbyists websites do not require SSL - if you host a discussion group or anything similar to that, SSL is not required. MITM attacks are still easy, so you haven't lost or gained anything.

Or perhaps you can enlighten me with a use case for a hobbyist website that requires SSL.

Re:Seconded.

[user24]

It's hardly a "mere" warning; it's a gigantic stop sign.

If a little yellow bar like the "remember password" bar came down and said "this site is encrypted, but its identity cannot be authenticated. Be aware that, like any normal (http) website, this one may not be from who it says it's from" then it would be completely different. Instead they interrupt the browsing experience with a very unfriendly message that non-tech people will not have a chance of understanding.

This is bad because, as the article says, some sites will end up having to buy certificates when in fact they don't need one, and others will end up not using encryption when in fact they should be.

Bear in mind the three levels of security:
1) no-ssl: offers neither encryption nor authenication
2) SSL(self-signed): offers encryption
3) SSL(3rd party signed): offers both

why is that that no.2, which is a significant improvement on no.1, generates such a severe warning message?

Re:Seconded.

[wasabii]

This is a well known attack vendor: Make a web page that looks like a real bank site and trick people into visiting it. This prevents those sites from using HTTPS, as it makes entering them pretty hard and obvious. Mission solved. The collateral damage is admins who don't want to spend the time to properly set up their CAs. Nothing to see here, move along. As to subsidizing the industry, if you feel you can do a better job being a default CA, please contact the Mozilla foundation and prove it.

Re:Seconded.

[loopkin]

Problem is that your "2" doesn't exist... the way SSL (and most other secure protocols, as SSH) is designed, having encryption without authentication is pointless, because man in the middle attacks are too easy to set up.
With SSL, the real 3 options you have are:
1- no ssl
2- "1 way authentication" SSL (usually only the server has a certificate: this ensures the client it is reaching the right server, but the server cannot trust the client)
3- mutual authentification SSL (aka "strong authentication": server and client have a certificate)

I think TFA is completely out of topic and blatantly ignorant: what would you think if SSH wouldn't warn you when the host you're trying to connect to has changed ?

The problem about SSL isn't to warn or not about self signed certificate (you HAVE to be warned about self-signed, and strongly, else anybody can easily get "average user's" bank account info, for instance). What is at stake is the lack of competition among public SSL Certification Authorities.

In general, don't try to solve a political/competition problem through technical/IT means, this won't work. Solve such problems through political/competition means (such as laws, regulators or open standards).

Re:trust?

[shaitand]

No the author has a grip. If you haven't added the root for OpenCA go to www.openca.org with your firefox 3 and look at what you are presented with.

If you try to go forward it presents you with a HELP GET ME OUT OF HERE button an option to add an exception, then on that exception adding window it blatantly says that no legitimate website would require you to do this. In other words, it blatantly accuses all self-signed sites of being a scam.

Re:Seconded.

[beyondkaoru]

number 2 is _not_ a significant improvement over number 1, simply because from a security standpoint, you have gained almost no security by encrypting if you don't know whether you're communicating between the person you want to or perhaps some fake site that looks similar, or a man-in-the-middle attack.

the only improvement is in the case of a purely-passive eavesdropper -- not much of an improvement at all. For eavesdropping purposes, if you can passively eavesdrop, you can probably actively eavesdrop and interrupt or manipulate the connections, because you've got physical access to some wires or routers or just have a laptop running airsnort software in a cafe.

furthermore, having people get used to using self-signed certificates is bad, because it lends man-in-the-middle attacks more apparent legitimacy. so of course eve couldn't fake the signature of the real key, but if any signature will do...

i don't like the existing certificate authorities ($50-$100 per year for a row in a table? sheesh!) much either, but they're needed to have trust between people who have not met before.

Re:Seconded.

[Hal_Porter]

Thats what they said about IE6

I think comparisons to IE6 count as Godwinning the thread.

Re:Seconded.

[Antibozo]

A self signed certificate is potentially more secure, since you haven't disclosed your private key to a third party...

Sigh. You don't disclose your private key to a third party when you request a certificate. You provide the public key, and the third party signs that with the private key corresponding to a CA certificate. Neither party reveals a private key to the other, or to anyone else.

Re:Seconded.

[funaho]

Hmm now Microsoft, they're a well-known attack vendor. :-)

Re:Seconded.

[undercanopy]

No: if you train your users to ignore "[this certificate isn't signed by a know authority]" warnings, then you makes them substantially MORE vulnerable to man-in-the-middle attacks and, indeed, increases their susceptibility to phishing across the board.

As a web admin you will of course also have to maintain the certificate store, but that may be very easy if you only have a handful of clients. And if you have a handful of clients you may install the root certificate in a controlled situation on the clients, so not even there you have a big problem with insecurity.

didn't you just defeat your own protest to this 'feature?' If you're going to install the cert/root on your clients, then they won't encounter this message, and there's no problem.

Where i DO see a problem is making it very very cheap and and easy for people to register believable certs for

cittibank.com

citibnak.com

citybank.com

citibanc.com

Cost of entry keeps attacks like these targeted, removing that would open things up immeasurably... or do you think the phishing problem is overblown and just a commercial stunt too?

Re:Seconded.

[Talennor]

Problem is that "2" doesn't happen.

Think of this example: I "encrypt" some confidential data. However, I've encrypted it so that I don't know who will be able to decrypt it. Does that make any sense?

Why was I encrypting it? So a criminal couldn't steal my credit card number? What if I had just encrypted it directly to that criminal? Oops! This encryption didn't help me at all.

If I want to send someone secured data I first have to define clearly and be sure of who I am sending that confidential data to.

With a little thinking you'll find that not authenticating the end users of an encrypted channel is just moving some bits around and is only as secure as your network. Meaning you might as well be sending clear text and save some processor cycles.

Now you can accept self-signed certificates, but you had better have a different way of authenticating the cert than the rest of us use. An example of this would be something from an internal corporate network.

Re:Seconded.

[great_snoopy]

Yes, but for a public user there is no difference between your self signed certificate and Harry Hacker's self signed certificate. If your application is to be used just by a finite number of user on which computers you took care of also installing your self signed certificate, then this is ok. But for a publicly accessible site, like your webmail, or your bank's internet banking application, you need a CA signed certificate, otherwise a certificate self signed by the bank looks exactly like one that a middle man can create on himself to impersonate the bank.