Firefox SSL-Certificate Debate Rages On

BobB-nw points out the ever more raucous debate over the way Firefox 3 handles self-signed certificates. The scary browser warnings have affected a number of legitimate sites (such as Google AdWords and LinkedIn) that didn't renew certs in time. Lauren Weinstein loudly called attention to the problem early in July. "If you visit a website with either an expired or a self-signed SSL certificate, Firefox 3 will not show that page at all. Instead it will display an error message... To get past this error page, users have to go through four different steps before they can access the website, which from a usability standpoint is far from ideal. This way of handling websites with expired or self-signed SSL certificates is bound to scare away a lot of inexperienced users, no matter how legitimate the website is."

Worth it.

[Shaitan+Apistos]

As long as I get my awesome bar, I'll put up with anything.

Re:Worth it.

[Bashae]

Well, I can live with it, but they could at least patch this feature to make it less annoying with self-signed certificates. Show a warning, yes, but right now the error message is too creepy.

Re:Worth it.

[mulvane]

Let's not expect site maintainers to actually keep their ssl certs up to date. Oh noes. We want customers to not trust ssl certs so they may fall victim to a scam.

Re:Worth it.

[Cormacus]

I have to agree. Few things should be more important to a site administrator that handles personal information for their clients than getting their SSL certs updated in time.

Browsers that allow this kind of lax security atmosphere are part of the problem.

Re:Worth it.

[bunratty]

It's supposed to be creepy, because it may be the only warning you're the victim of a DNS poisoning and you're not at the site you think you are, or you're the victim of a man-in-the-middle attack and your "encrypted" communications are being intercepted and read. At least in Firefox 3 you need to add an exception to see the site, so you see the warning only once. In Internet Explorer 7, you can see the site by clicking a link, but you will see the scary warning every time you visit the site. Users will disregard the warning if they see it very often, making the warning ineffective.

Re:Worth it.

[phoenix321]

Better yet: expect the non-technical crowd, the users, to put up with errors of the pro-technical crowd, the site maintainers.

Excellent shift of responsibility towards, right?

I think this is an issue of whiny webmasters, really. A proper certificate is around 10 bucks per year and although they issue it to anyone, it is security at a much higher level than using a self-signed crutch.

If you're a website owner, put up those 10 dollars and stop complaining. Keep your house clean and your certificates valid.

EVERYTHING you do by that is better than to accustom millions of non-technical users to click away any and all error messages when surfing. If all browsers would show these drastic certificiate errors AND all SSL-loving webmasters would keep their certs updated, we would have less issues in phising and scamming, much less.

Either you have security or you don't. Encrypting to someone is useless or even dangerous when you mistake the identity of the receiver.

Re:Worth it.

amen. The error message seems to be designed for people who know about these things, not mom and pop users.

I don't follow this sentence. That seems to describe *precisely* the old way of doing things, an easily dismissable box that only experts took note of and understood. The new method is *supposed* to bother users and get them to pay attention to the actual risk, while offering them a way to still accept it.

Whether or not you think being bothersome to users is a legitimate technique can and should be open to debate, but I don't think it targets experts at all...

Re:Worth it.

[HungryHobo]

They could do with a red-yellow-green warning system.

Red- sites with self signed certs which have changed since the last time you have visited them(keeping a record of all certs accepted to this point would be a good idea to help with this)
Yellow- Self signed cert. Warning first time you go to the site with accept/reject.
Green- Signed and verified by trusted 3rd party.

Sites which have a signed and verified cert and which have marked themselves as "should always be HTTPS" but which you are visiting with HTTP -should be red as well.
This way if some phisher sent you a link to http:\\paypal.com and paypal had registered with the trusted 3rd party that their site should always be using HTTPS then you get a red warning. Yes I know this would mean traffic to the trusted 3rd party whenever you visit any http site.

Re:Worth it.

[exi1ed0ne]

A proper certificate is around 10 bucks per year and although they issue it to anyone, it is security at a much higher level than using a self-signed crutch.

Currently the only difference between a self signed cert and a $10 one is that the latter leaves you $10 poorer. There is no practical difference between the two. As a matter of fact, the current methodology of including certain CAs in browsers provides a false sense of security - which decreases the value of the system as a whole.

Re:Worth it.

[Zeinfeld]

It's supposed to be creepy, because it may be the only warning you're the victim of a DNS poisoning and you're not at the site you think you are, or you're the victim of a man-in-the-middle attack and your "encrypted" communications are being intercepted and read.

This whole debate is rather off the point. Making changes to a security protocol in response to the last Slashdot thread is not exactly the best idea. There are more issues than just whether people can save a buck and get encryption. As you point out the point of the certificate is authentication, not encryption.

Back in 1995 the Netscape folk decided to write the protocol in such a way that you had to have authentication of the server public key to do encryption. As it happens I argued against that choice at the time, and again when the self-signed certs issue came up again a few years ago I have consistently argued that the browser should allow ANY connection to be encrypted with ANY key, just don't bother to worry the user about it unless the cert is trustworthy according to the user spec.

There are in fact changes in the works here. I am part of a W3C working group where we have discussed this exact issue. I have consistently argued for eliminating all security pop-up warnings of all types - they are designed to dump responsibility for security onto the user rather than be actually useful. I have also argued to make use of self-signed certificates easier as we should be moving to a position where security is the default on the Web.

Yes I do work for a CA, no I am not speaking for them on this particular occasion, but we have consistently argued to make use of unpaid cryptography as easy as possible because anything that expands the use of cryptography is going to eventually expand the demand for authenticated keys. I really don't think that we will have large numbers of people stop paying the price of a Thawte or GeoTrust cert and switch to a self-signed. More businesses will go the other way.

Its the same argument on code signing: all code should be signed, even development compiles. But only final production code should be signed with a trustworthy key - or the key is not going to be trustworthy very long. And only some final code will be signed by CA accredited keys. But that is fine if the O/S allows you to make statements of the sort 'drivers have to be signed by a trusted root, programs signed off a Web o' Trust key can run but only with restricted privs'.

Re:Worth it.

[MadnessASAP]

I agree totally, the problem isn't the scary browser notices. It's websites and their poor security practices perhaps now that those practices are having a noticeable impact on their business these websites will change said practices and it wont be a problem anymore.

Re:Worth it.

[jeroen94704]

The problem is that mom and pop users are not the ones who should solve this issue, cannot be educated about cryptography in a warning message AND are the most likely victims of phishing attacks and such. The people who complain about the number of steps to set up an exception are also the people who can make an informed judgment about the trustworthiness of a site to begin with. We should NOT be putting mom and pop at risk for the convenience of the knowledgeable minority of users. The sites mom and pop are most likely to visit will have their certificates in order anyway (or should have, at least). Not being able to access some legitimate sites that insist on using self-signed certificates is a small price to pay.

Re:Worth it.

[beckerist]

I agree. The problem is though that the people that are complaining probably:
A) Don't even know what it is and
B) Don't even bother reading it once they figure out which order of buttons to push.

Even though the concept SHOULD be easy enough for anyone who can figure out how to browse the internet, the issue isn't comprehension but presentation. It's immediately demoted to "annoying pop up" as opposed to "informative box I should read" in the style it's in now.

Re:Worth it.

[Matthieu+Araman]

No, if the site uses SSL and the certificate is invalid, it may be a "Man in the middle attack".
You can't just treat this like a http connection and not warn the user.
There are many sites which should use real encrypted connections (ie with a signed certificate + SSL). I'm not fond of sending sensitive info in the clear (that's about the same thing with a self-signed certificate...)
StartCom/StartSSL certificate are free and works with Firefox (and other CA are mostly cheap) so price is no longer an excuse...

Re:Worth it.

[onefriedrice]

All of this new talk about self-signed certificates is clouding over the real, critical issue which has been around for longer than FF3. It would make more sense for the browser to treat a self-signed certificate like a CA-signed certificate rather than a regular http connection because (and here's the point) authentication in the browser is a myth. Let me walk you through this.

Authentication doesn't exist on the internet because getting a genuine CA-signed certificate from a CA with a root that is already in your browser is hardly any more difficult or expensive than making a self-signed certificate. The tragedy is that the lock icon makes people feel safe when in reality, the authentication of the transaction relies entirely on supposed background checks which may or may not have been done by some CA that you won't know about unless you examine the certificate.

Does anyone else see the problem with this!?

A better idea is for the browser to raise the big warning flags for changed certificates (CA-signed or otherwise) so users can check manually whether it is a man-in-the-middle attempt or an official updated certificate from the site, and treat all https transactions as encrypted and better than a transaction with no encryption (regular http).

A better long-term fix for this problem is to create a system (or use the system we have) to actually ensure authentication on the internet. For this to happen, we need browsers to stop including CA roots from CAs which happily sign certificates with zero or insufficient background checks. Of course this isn't bulletproof, but it would go a long way to providing real authentication on the internet.

In the meantime, people need to stop thinking CA-signed certificates are very much safer than self-signed certificates. A CA-signed certificate from a specific CA that is known to provide good background checks is useful for authentication, but a CA-signed certificate from some random hole-in-the-wall CA that has a root in your browser provides no more authentication than a self-signed certificate does. At least its a step in the right direction for FF3 to show some information about the certificate from the URL bar rather than making users examine the certificate so that we can make our own determination of whether we trust the site based on if we trust the CA or not. Anyway, it's really the changed certificate that you need to worry about, regardless of who signed it, and encryption is also better than no encryption since at least the sniffers won't also get your info.

That's the point.

[WPIDalamar]

Isn't scaring away inexperienced users from sites with questionable security the whole point of those warnings?

I mean a user friendly message that lets someone get past it really easily wouldn't exactly get the job done.

Re:That's the point.

[Cormacus]

If we need to change the way SSL certificates are issued and who has control over it (etc) . . . that is one issue.

Encouraging web browsers to ignore security irregularities and allow users to access sites that handle private information *without* bringing it to the user's attention is just irresponsible.

Re:That's the point.

Didn't scare me away. I just bought a laptop from neweggs.com for a fantastic price, and their cert was expired. They even added a second layer of security for credit card transactions, requesting my SSN and driver's license. I can appreciate that level of trust from a website.

Re:That's the point.

[swilver]

No, they are not. I'm afraid you are not as experienced as you think.

You see, self-signed certificates are only wide open to MITM attacks if the person monitoring you was replacing all certificates pro-actively before you even visited the website once. If you however have visited the site before, Firefox will warn you that the certicate has changed when a MITM changes it. At this point Firefox should display a big red warning.

Furthermore, and this is the part that people like you donot seem to grasp, there IS use for encryption beyond protection from MITM attacks. Using SSL encryption protects me from password sniffers that sit on my network, or in my wireless neighbourhood or from some comprimised router my request travels over. It protects me from some script kiddy running a network monitor seeing what I'm typing in HTTP forms. Yes, it does not protect me from a REAL MITM attack (unless of course I've been there before, and see that the certicate changed), however the sites providing simple SSL encryption just for the sake of not sending stuff in plain text are not worth attacking anyway.

Security Is worth It With all the Troll Sites

[curmudgeon99]

With all the sites out there just looking to steal information from you, and to introduce Cross-Site scripting elements, this is a good idea. I want my browser to warn me when I'm going into uncertain territory. And if a website owner screwed up and did not renew their certs--to hell with them. We're supposed to accept a security risk because they couldn't get off their asses as renew? I don't think so.

Re:Security Is worth It With all the Troll Sites

[Lord+Ender]

A false sense of security is worse than a known insecurity.

This is the RIGHT solution...

[volxdragon]

If you EVER want to combat man in the middle attacks and phishing sites, this is the best solution. Sites whining that people are being scared away??!? Get a fucking grip, and get a real certificate from a real certificate authority so your users can actually trust you. People/companies are cheap and lazy, and unfortunately this leads to a whole host of problems...keeping your certificate legitimate and up to date should be no different than taking care of your insurance or other critical infrastructure.

expected behaviour

[AndyST]

This way of handling websites with expired or self-signed SSL certificates is bound to scare away a lot of inexperienced users, no matter how legitimate the website is.

Well that's the point. The certificate is not valid and there is no way to tell the website is legitimate. If one would insist on using TLS/SSL for HTTP with a self-signed certificate, have users install your own CA keys you gave them through another secure channel, or at least let them check the fingerprint. Nobody keeps you from doing that. It's sad that some of these things are so widely misunderstood that it actually reduces privacy and security:

• login forms on http: URI, posted to https: URI. Please, the website should identify first.
• Session Cookies which are sent for both secure and unsecure connections.
• people asking me to sign their openPGP keys they sent via e-mail wondering why I call them in return to verify the fingerprint. (This guy had a Ph.D. in computer science and after a heated exchange on the phone and e-mail I just gave up. He hates me ever since.)

The new behavior of Firefox 3 is not a problem, it's people failing to security-enable their website the right way.

Re:There's another hassle too

[bunratty]

Why doesn't Linksys provide the certificate used to sign the certificates on all those routers? Then you could add that certificate to your root certificates and no longer get any warnings at all. It looks to me like Linksys dropped the ball on this one. Perhaps the changes to Firefox 3 and Internet Explorer 7 will help companies get more serious about ensuring security.

Certificate hijacking

[elfguy]

SSL Certificate hijacking is a real issue so it should not be underestimated. Users should not be able to just dismiss a warning dialog like they can do with IE. However I do think self signed certs shouldn't be discriminated this way. Learn more with presentation #11 here:

http://www.securitypresentations.com/#11

Before everyone posts the 'so obvious' facts...

Before all the security fanatics start telling everyone to "just spend ten bucks on a cert"...

1. Embedded appliances (you know, the hundreds of millions of routers, firewalls, etc.) cannot use an authority cert. The choice is between self-signed and no encryption only, and Firefox is pushing manufacturers towards the less secure option.

2. Typically, you first encounter a self-signed cert in a secure context (for example, setting up such an appliance by plugging it directly into your PC and visiting the web interface). After that, all you care about is whether the cert changes. The whole man-in-the-middle thing is NOT a guaranteed problem with self-signed certs.

3. Real cert authorities are not the invulnerable swiss banks everyone thinks they are. They can and have issued certs when they shouldn't have. And that isn't just new certs; last week there was a story about a Firefox-trusted cert authority that issued a Microsoft live.com domain cert to someone. So those who think authority certs are secure are deluding themselves.

In the end, Firefox's current behavior does not promote security; it simply makes life hard and annoying for legitimate users.

That's the point

amen. The error message seems to be designed for people who know about these things, not mom and pop users.

Mom and pop users should never, ever go to a website with self-signed or expired certs. It's true that there a lot of legitimate sites that fit the category, it might even be true that most of the self-signed sites are legit. The problem is that mom and pop users are not savvy enough to distrust anything, unless there's a big fat warning there.

Firefox 3 allows you to permanently accept those certificates. If you're computer literate enough to know about these things, you whitelist those sites. If you're a mom and pop user, you call a tech savvy family member / friend / neighbor / neighbor's kid to vouch the site for you and whitelist it.

What has this got to do with Firefox?

[itsdapead]

I know using actual evidence is unfashionable, but lets try connecting to a self-signed https page from some popular browsers, shall we?

Firefox 3

Secure Connection Failed

phishing.itsdapead.org uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
The certificate is only valid for mycomputer.itsdapead.com

• This could be a problem with the server's configuration, or it could be someone trying to impersonate the server.
• If you have connected to this server successfully in the past, the error may be temporary, and you can try again later.

[Or you can add an exception]

Internet explorer 7:

There is a problem with this website's security certificate.
The security certificate presented by this website was not issued by a trusted certificate authority.
The security certificate presented by this website was issued for a different website's address.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.

Click here to close this webpage.
Continue to this website (not recommended).

Or Safari 3:

The certificate for this website was signed by an unknown certifying authority. You might be connecting to a website that is pretending to be "phishing.itsdapead.org" which could put your confidential information at risk. Would you like to connect to the website anyway?

How about Opera 9.5?

The server's certificate chain is incomplete, and the signer(s) are not registered. Accept?

[Help] [Reject] [Approve]

Sorry, I don't believe that - Opera is meant to be good isn't it? Let's try again: (ahem) Opera 9.5?

The server's certificate chain is incomplete, and the signer(s) are not registered. Accept?

[Help] [Reject] [Approve]

Ye gods - I wasn't imagining it! Deary, deary me...

Now, from where I'm standing:

1. All browsers show minor variations on the same behavior - so why is Firefox singled out?
2. For my money, Safari does slightly better at explaining the issue with an appropriate level of detail. Marginally.
3. Only IE and Firefox have bothered to warn me that, not only is the cert self-signed but the URLs don't match
4. Opera's risible message was presumably written by someone who expects all internet users to have a CS degree. Hope that's fixed in later versions.

Plus, Firefox is pushing the extended info scheme whereby the certificate holder's name gets displayed on the info bar (as opposed to the old scheme where ploughing through the certificate might reveal the holder's name), which should be a good thing.

Unavoidable with devices

[IdahoEv]

I agree totally, the problem isn't the scary browser notices. It's websites and their poor security practices

Self-signed certs are not always "poor security practices". Consider, for example, devices like the ubiquitous Linksys broadband routers. They support ssl connections for administration, which is probably a good idea (tm).

But signed certs require a domain name, and cost real money (typically $100/year), which is probably a little much for a home user who just wants the extra security on their LAN. So self-signed certs are perfectly reasonable for uses like that.

Re:Unavoidable with devices

[Dr.Dubious+DDQ]

"Why pay anything per year?"

StartSSL supposedly offers free-as-in-free-beer SSL certificate-signing services, but even that's not really the issue in my opinion.

Why are we being told that we must get permission from a "trusted" authority in order to "legitimately" use encryption?

I wouldn't have even blinked if a commercial, proprietary browser started doing this...but "open source" Mozilla? Campaigning against do-it-yourself encryption? Just to "scare consumers" away from things that might possibly maybe be bad? That just seems completely wrong. The use-case mentioned above of the wifi router which can't necessarily get a "trusted authority" to verify due to lack of a FQDN is a good example of why this shouldn't just be of interest to do-it-yourself hobbyist nerds.

I still fail to see how being driven away from anti-eavesdropping (but unauthenticated) communications to completely unencrypted AND unauthenticated communications makes people "safer" and am a bit baffled that Mozilla is now treating unauthenticated certificates exactly like fraudelently authenticated certificates.

The usual retort here assumes that the only alternative is that self-signed certificates be treated the same as authenticated certificates and therefore people will somehow think they're "safe" even though there's a chance the site at the other end might possibly be involved with a "Man-in-the-middle" attack. There's also a disturbing assumption that only corporate "e-commerce" and government sites have any interest in "legitimate" encryption (the "they'll just go out of business if they don't 'buy' a certificate" arguments...). Of course, we do have to worry about the teeming masses of evildoers who break into people's houses to replace their wifi routers in order to steal their slashdot.org login password...

Why they don't want to consider having a third "encrypted but not 'secure'" state for correct but unauthenticated (self-signed) certificates or certificates that have gone past the arbitrary expiration date encoded in it I also don't know. Does Mozilla corporation have some kind of "partnership" with some of the big "Trusted Authorities" or something?