Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox SSL-Certificate Debate Rages On

Posted by kdawson on from the four-screens-i-mean-really dept.

BobB-nw points out the ever more raucous debate over the way Firefox 3 handles self-signed certificates. The scary browser warnings have affected a number of legitimate sites (such as Google AdWords and LinkedIn) that didn't renew certs in time. Lauren Weinstein loudly called attention to the problem early in July. "If you visit a website with either an expired or a self-signed SSL certificate, Firefox 3 will not show that page at all. Instead it will display an error message... To get past this error page, users have to go through four different steps before they can access the website, which from a usability standpoint is far from ideal. This way of handling websites with expired or self-signed SSL certificates is bound to scare away a lot of inexperienced users, no matter how legitimate the website is."

3 of 733 comments (clear)

  1. Certificate hijacking by elfguy · · Score: 5, Informative

    SSL Certificate hijacking is a real issue so it should not be underestimated. Users should not be able to just dismiss a warning dialog like they can do with IE. However I do think self signed certs shouldn't be discriminated this way. Learn more with presentation #11 here:

    http://www.securitypresentations.com/#11

  2. Re:That's the point. by swilver · · Score: 5, Informative

    No, they are not. I'm afraid you are not as experienced as you think.

    You see, self-signed certificates are only wide open to MITM attacks if the person monitoring you was replacing all certificates pro-actively before you even visited the website once. If you however have visited the site before, Firefox will warn you that the certicate has changed when a MITM changes it. At this point Firefox should display a big red warning.

    Furthermore, and this is the part that people like you donot seem to grasp, there IS use for encryption beyond protection from MITM attacks. Using SSL encryption protects me from password sniffers that sit on my network, or in my wireless neighbourhood or from some comprimised router my request travels over. It protects me from some script kiddy running a network monitor seeing what I'm typing in HTTP forms. Yes, it does not protect me from a REAL MITM attack (unless of course I've been there before, and see that the certicate changed), however the sites providing simple SSL encryption just for the sake of not sending stuff in plain text are not worth attacking anyway.

  3. Unavoidable with devices by IdahoEv · · Score: 5, Informative

    I agree totally, the problem isn't the scary browser notices. It's websites and their poor security practices

    Self-signed certs are not always "poor security practices". Consider, for example, devices like the ubiquitous Linksys broadband routers. They support ssl connections for administration, which is probably a good idea (tm).

    But signed certs require a domain name, and cost real money (typically $100/year), which is probably a little much for a home user who just wants the extra security on their LAN. So self-signed certs are perfectly reasonable for uses like that.

    --
    I stole this sig from someone cleverer than me.