
The new SSL error pages in Firefox 3 suck.

Until now, if you ran a private website that required a login or collected private data (for example a small online shop), you could create a self-signed certificate or get one signed by http://www.cacert.org/ for free. Every browser showed a somewhat confusing warning dialog, but that wasn’t a big issue.

Now, let’s see what they did in Firefox 3 (Beta 1):
[Screenshot: the Firefox 3 Beta 1 error page shown for a site whose certificate the browser does not trust]

The website is not displayed at all; there is only a small link at the bottom (which most people won’t notice). Clicking that unfriendly link requires you to confirm two more questions and possibly change some settings. In short, most people won’t be able to reach your site at all.

So what are possible consequences of this change for private websites?

  • They will stop using SSL. That’s the easiest way. Who cares about encryption? The user won’t notice anyway.
  • They will use a certificate from http://cert.startcom.org/, the only issuer I know of whose certificates should not trigger this nasty error page. Unfortunately, if you want a wildcard certificate (i.e. one valid for all your subdomains), you still have to pay for a “Class 2” certificate (http://www.startssl.com/), and most providers don’t give you enough IP addresses anyway, but that’s another issue. So there is no free solution for wildcard domains.

What could be done to avoid this problem?

  • In my opinion, encryption and trust should be separated. Visiting a website that is encrypted is more secure than visiting the same site over plain HTTP. Ideally, every website would be transferred encrypted. If someone wants trust, i.e. to let people verify that your server really is your server, he or she could buy a certificate. In the end, you can’t fully trust any website (what if the server has been compromised?), but encryption is always a good thing: your provider or your network administrator can’t simply read the data off the wire. (To be precise, encryption alone defeats passive reading of the traffic; an attacker who can actively redirect your connection is only excluded by authentication, which is what a trusted certificate adds.)
  • CAcert should be included in mainstream browsers, which unfortunately doesn’t seem to be the case, not even in Firefox.
  • There should be more free certificate issuers. You shouldn’t have to pay for encryption (or trust).
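The distinction drawn above (encryption alone versus encryption plus trust) is easiest to see in a key exchange. The Python script below is an added example, not code from the original post or from Firefox: it runs a toy Diffie-Hellman exchange between Alice and Bob with a passive eavesdropper, then with an active man-in-the-middle who substitutes her own public value, and finally with Bob’s public value authenticated by a key Alice already trusts (an HMAC under a pre-shared key stands in for a CA signature over a certificate). The group, the stream cipher, the trust anchor and the login message are all constructed for illustration.

```python
# Added example, not from the original post: toy Diffie-Hellman showing what
# encryption without authentication does and does not protect against.
import hashlib
import hmac
import secrets

# Constructed toy group: a Mersenne prime small enough to read; real DH uses
# standardised groups of at least 2048 bits.
P = 2**127 - 1
G = 5
MESSAGE = b"user=alice&password=hunter2"  # constructed sample login


def keypair():
    """Random private exponent x and public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(shared_secret: int) -> bytes:
    """Hash a value below P (fits in 16 bytes) into a 32-byte session key."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: keystream block i = SHA-256(key || i). Same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def unauthenticated_session(attacker_active: bool):
    """Alice sends MESSAGE to Bob after an unauthenticated exchange on a wire the
    attacker sees. Returns (what Bob decrypts, what the attacker learned or None)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()

    if attacker_active:
        # Mallory replaces both public values with her own; neither side can tell.
        alice_gets, bob_gets = m_pub, m_pub
    else:
        # Eve only records a_pub and b_pub as they pass.
        alice_gets, bob_gets = b_pub, a_pub

    ciphertext = xor_crypt(derive_key(pow(alice_gets, a_priv, P)), MESSAGE)

    if attacker_active:
        k_with_alice = derive_key(pow(a_pub, m_priv, P))
        k_with_bob = derive_key(pow(b_pub, m_priv, P))
        learned = xor_crypt(k_with_alice, ciphertext)   # the password, in clear
        ciphertext = xor_crypt(k_with_bob, learned)     # re-encrypted so Bob sees nothing odd
    else:
        # Everything Eve can compute from public data alone; none of it is the session key.
        guesses = [derive_key(a_pub), derive_key(b_pub), derive_key(a_pub * b_pub % P)]
        learned = next((MESSAGE for k in guesses if xor_crypt(k, ciphertext) == MESSAGE), None)

    bob_plaintext = xor_crypt(derive_key(pow(bob_gets, b_priv, P)), ciphertext)
    return bob_plaintext, learned


# Constructed stand-in for the CA key a browser already trusts.
TRUST_ANCHOR = b"pre-shared verification key (toy)"


def authenticated_session(attacker_active: bool) -> bool:
    """Bob's public value arrives with a tag made under a key Alice trusts beforehand
    (HMAC stands in for a CA signature). Returns True if Alice accepts the value."""
    _b_priv, b_pub = keypair()
    _m_priv, m_pub = keypair()
    tag = hmac.new(TRUST_ANCHOR, b_pub.to_bytes(16, "big"), "sha256").digest()
    offered = m_pub if attacker_active else b_pub   # Mallory can swap the value but not re-tag it
    expected = hmac.new(TRUST_ANCHOR, offered.to_bytes(16, "big"), "sha256").digest()
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    print("passive :", unauthenticated_session(False))
    print("active  :", unauthenticated_session(True))
    print("auth ok :", authenticated_session(False), "auth vs MITM:", authenticated_session(True))
```

In the passive case Bob receives the password intact and Eve learns nothing, which is the protection the post wants for free. In the active case Bob still receives the password intact, so nothing on his side or Alice’s looks wrong, yet Mallory has read it; that is the gap the padlock alone cannot close. Only the authenticated exchange rejects the substituted value, and that rejection is what the certificate chain (and the error page) is about.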

What’s your opinion about this topic?

38 Responses to “The new SSL error pages in Firefox 3 suck.”

  1. Zoli Says:

    When I first saw this error message in Firefox, I was happy, because it means Firefox has learned a lot from IT security experts :)

    But let me answer your problems (real world examples will follow) :

    1. I’m working in the financial industry, and my company has an internet banking site. We had a lot of phishing attacks in the past. What we suggest to the customers is that they have to look at the padlock icon and check if the site is trusted. If any bad guy creating a phishing site could get trusted certificates, then our suggestion is worthless. That’s why I’m scared when I look at http://cert.startcom.org/ . I tried to create a certificate for our site, and it asked for access to
    webmaster@mydomain.com
    hostmaster@mydomain.com
    postmaster@mydomain.com
    hostmaster@myregistrar.com

    I don’t know who has access to these addresses, but it is a big security risk. Usually trusted CAs need proof of identity, not only these mail addresses.

    2. If you use encryption without authentication (or, as you mentioned, trust), you don’t know who you are communicating with, so it can be your network administrator :)

    3. You mentioned that “CAcert should be included in mainstream browsers, which unfortunately doesn’t seem to be the case, not even in Firefox.” That’s why I use Firefox, because I don’t want to trust anyone in the world :)

    4. You said “There should be more free certificate issuers.” My opinion is: no way :)

    5. Lots of experts agree that self-signed certificates pose a high security risk, and Firefox 3 is decreasing this risk with this error page :)

    6. Look at IE7, they have also changed the look of the certificate error page. But I think the Firefox 3 error page is better. And in Microsoft’s trusted CAs startssl.com is not listed. I don’t know why Firefox trusts it, but my next step will be to delete it :)

    My final opinion is that it is a great advance in security :)

  2. B4ls4 Says:

    I think Firefox developers had the guts to do what apparently no other mainstream browser developers dared to do: they placed security before functionality. And they did it at a point where being secure is usually way more important than the ability to continue the session.

    Saying encryption and trust should be separated is like saying to keep something secret you don’t necessarily have to check who you share it with, you can tell it to ANYONE, all you need to make sure is that you whisper so nobody ELSE will hear it. Encryption is good for only one thing: preventing unauthorized access to information. And here’s why encryption without authentication is fundamentally flawed: how can you prevent unauthorized access if you have not authenticated the remote party? You may well be communicating with the very party you don’t want to share the information with.

    As for the “somewhat confusing error message in all browsers, but that wasn’t a big issue”, let me ask you this: if you entered the URL of your internet banking site in your browser and the browser presented such a warning dialog, saying there was some problem with the certificate, would you log in? I hope you wouldn’t. But that is precisely what many people have done, and the browser should have prevented them from doing so.

    The ability to access SSL sites with broken certificates should be a feature reserved for those that know what they are doing. And that doesn’t include most users.

    Finally, you are saying there should be more free certificate issuers. Why not lead by example? I encourage you to set up a certificate authority and provide your services to the public for free. Of course, in order to have your certificates be included in most mainstream browsers you must build a reputation as a trusted authority. And yes, it will cost you a lot of time and money, but hey, you are saying others should do it for free, so put your money where your mouth is.

  3. tom Says:

    Thank you for your comments and for pointing out that free certificate authorities are not a good idea.

    Still, there exist free CAs and I see the following issues at the moment:

    Zoli:
    1/2: Right, so if the network administrator has access to any of these e-mail addresses (which he probably has, as he can read the traffic), he can create a new certificate for the site, install it on a machine he has access to and redirect the traffic to this machine. Now he can see the sensitive data and most people will not notice anything (they will see the SSL lock, so the site must be secure!), unless the site has an extended validation certificate (which is very expensive), where the address bar of their IE would normally turn green. So SSL basically doesn’t solve the problem with the network administrator.

    5: On a private site, a self-signed certificate is better than no certificate. With the new warning, people think that a website which uses plain HTTP is more secure than a HTTPS site with a certificate which is not accepted by the browser.

  4. Eddy Nigg Says:

    Hi there…

    Just found your article and wanted to reply to “Zoli”: if you feel like deleting the CA roots of StartCom, then please delete ALL CA roots, since most if not all CAs issue domain-validated certificates in exactly the same manner as StartCom does.

    Obviously the Class 1 certificates are exactly here to enable encryption without identity validation (or without the trust factor). The difference with StartCom is, that it provides this service for free.

    Concerning the wildcard certificates: they require Class 2 validation because of the higher risk involved and the inability to monitor web sites using wildcard certificates. Still, the price for Class 2 validation isn’t much higher than the domain itself (for which you obviously paid), making it a fair option if you need it. In the case of StartCom you actually pay only for the validation, not for the certificate. But as with anything in life, there is a small price tag on that kind of service.

  5. Eddy Nigg Says:

    Sorry for the multiple posts… just one word more about why StartCom is, for example, shipped with Firefox or Safari on OS X. That’s because StartCom conforms to or exceeds the requirements of the Mozilla CA policy at http://www.mozilla.org/projects/security/certs/policy/ or http://www.apple.com/certificateauthority/ca_program.html for Apple. Those are the requirements for all CAs which are built into the browser. (With the exception of Microsoft, which in StartCom’s case is a purely political decision.)

  6. Zoli Says:

    I think we are all adrift. So, the risk with StartCom is not as big as I first mentioned, but I think my main statement, that the Firefox 3 SSL error handling is a good way of security, still stands.
    And I think wildcard certificates are bad :) But this is another topic.

    And to reply to Tom’s post, I think the good way is to trust the web server certificate for first-time visitors, and after installing it in the browser you don’t have to mess with “security popups”. And if you see an SSL error page, you will be suspicious. If you are browsing with IE6 or older, you are not forced to trust this certificate forever, you are only forced to click on every SSL error popup you see. And you are “taught” that the accept-bad-certificate button means “go on, I would like to see the page and I don’t care about security”.

  7. B4ls4 Says:

    @Eddy,
    Deleting all but one trusted CA certificate is indeed the appropriate thing to do in certain environments where you know for a fact that you will only want to accept certificates issued by a specific CA. This may not be practical in the case of a generic browser, though.

    @tom,
    “On a private site, a self-signed certificate is better than no certificate. With the new warning, people think that a website which uses plain HTTP is more secure than a HTTPS site with a certificate which is not accepted by the browser.”

    And without the error page, some people will think that the SSL error actually proves that now they are dealing with a site that uses encryption, therefore the site must be secure (I have actually heard people telling this very thing to their colleagues). This produces a false sense of security - which is often worse than no promise of security at all. True, the warning is there for users to read, but experience shows that people won’t read the message, and even if they do, they won’t have a clue of what that means.

    People also get accustomed to clicking “Yes” to the question, “Do you wish to continue anyway?”, and they will do the same for other sites without thinking. Is this really what we want? Is this what you would want your wife/mother/child to do?

    If browsers start to simply refuse to display pages with bad certificates, sysadmins maybe (but just maybe) will finally start to think seriously about certificates and eventually go ahead and buy valid ones, or install their own CA certificates into their clients’ browsers. Until this happens, SSL will not give us the protection it is capable of, and which it is designed to give.

  8. Eddy Nigg Says:

    To Zoli: I’m actively involved at Mozilla and was part of the decision-making process concerning the new “security” behaviour of FF, an effort led by Johnathan I think. It’s a good thing because it will eliminate over time the “popup-click-away” effect we’ve got used to (as you mentioned).

    Of course CAs perform a certain task for the relying parties, of which for example Mozilla is one too. This task isn’t something you can usually perform on a daily basis (or it would be a waste of time perhaps). In StartCom’s case you would fare better as a relying party with a site which was validated to a higher level (and presents a wildcard certificate). And also concerning wildcards, there will be more restrictions than previously in the Firefox browser.

    To Tom: Self-signed certificates provide a wrong sense of security (if at all). You have no way of knowing if this is the site you really want to talk to (not for encryption and not otherwise), except in case you have read the policies and practice statements of the issuing CA and have those confirmed by a third party (and yes, a self-signed certificate is like being your own CA). Even if inconvenient sometimes for web site owners, CAs perform an important task for the relying parties in order to help protect content, prevent eavesdropping and identify the subscriber.

  9. Eddy Nigg Says:

    The latter was for B4ls4, not Tom :S

  10. Jeff Says:

    I don’t want users broadcasting their passwords in the clear when they log into my site from a wireless network. That’s it. Transport encryption. I’m not asking for a “lock” icon, or a certificate of trust, or anything else from the browser’s UI.

    All the cross-platform CAs are expensive (to me) but I’m left little choice thanks to Firefox 3.

  11. FreeTheCerts! Says:

    I completely agree with the author here. There are many reasons why you would want encryption without the authentication/trust part. Here’s one example:

    My company specializes in automated monitoring of web transactions. Many of our clients use our service to monitor their own sites, so the trust thing is of course a non-issue, as they are going after what they know to be a trustworthy URL: their own. What they *do* want to achieve by the use of encryption is to eliminate network sniffing of passwords or other sensitive data between the monitoring stations and their own site. There is no need for them to pay an extortionist’s fee for a full-blown certificate for this type of access.

    I think the Mozilla folks are playing a stupid game of one-upmanship in an area that doesn’t need it. Their new 10-step obfuscation technique is easy to compromise by determined hackers via socially-engineered extensions, and only serves as an unfortunate impediment to legitimate communications with legitimate sites. Ironically, this is an open-source corporation that has essentially black-listed an entire population of legitimate websites, with no alternative for a free solution. IMHO, Mozilla should get out of the business of trying to institute a one-size-fits-all solution which narrowly limits existing use cases.

    On another note, who says self-signed certs are the only way to provide ‘protection’ outside of pay-to-play fees to big conglomerates? Let the free-market system drive it. Remember when it used to cost hundreds of dollars just to get a domain name? Now they can be had for a few bucks. Same thing. THAT’S what happens when we break the death grip of a corporate cartel bent on locking up the industry for its own selfish gains.

  12. devnull Says:

    I want to enter my password on a site which is a non-commercial entity, say a charity. They now need to pay for an SSL cert. These aren’t cheap at all. This is really a screw-over by the Firefox people. I’d question what motives Firefox have now, and I love you guys, but certs aren’t cheap.

  13. Mikel Ward Says:

    But is four clicks really necessary? I’m pretty sure the Get Certificate button on the Add Security Exception box (the third click) could be eliminated. The first and second clicks could also be merged if the page was reworked slightly.

  14. mcm Says:

    Here’s my suggestion on the matter. For self-signed certificates, provide no visual clues that the site is secure apart from the fact that the URL has to start with https, i.e. no padlock and the location bar not coloured yellow. Only for certificates issued from a trusted CA should these visual clues be displayed, and only for invalid security certificates (like an incorrect domain) should the security exception page be displayed.

  15. Brian Says:

    So I know this is rather old, but how about simply offering either an extension or an about:config setting that allows a behavior change for this, as opposed to even something like an Options setting for it, so users have to actively want to make this change and seek out the information directing them to how to change it.

    The change is obviously important, as there are a terrifyingly small number of people out there that understand why certificate signing is important at all. But for those of us like myself who spend far too much time connecting to sites with self-signed certs - moreover, connecting to a site once or twice and then never again - we will be spending a lot of time being annoyed by this. I for one have gone back to (gasp!) Internet Explorer for testing sites, as I’m on Windows so I have it by default, and it handles this in a way far friendlier to what I do.

    Sad, because I love Firefox to a ridiculous extent.

  16. greg Says:

    I agree that this change is very important as well, BUT I can’t tell you how many times I’ve clicked on a Google result to look at a mailing list site that has a self-signed or other “untrusted” issuer certificate and I do NOT want to add a permanent exception just to look at this message. Does anyone have any idea what the Bugzilla ticket number related to this is? I’ve looked but have not found it.

  17. tom Says:

    @greg

    You can find the bugzilla tickets on the wiki page:
    http://wiki.mozilla.org/Security:SSLErrorPages

    That should be the following ticket:
    https://bugzilla.mozilla.org/show_bug.cgi?id=327181

  18. R Says:

    Aaargh! I installed Firefox 3 RC1 this morning (my first venture into 3.x territory), and within an hour I was googling for a way to get past this horrible new dialog for self-signed certs. I test appliances with an https interface and we reinstall them frequently. Each install causes a new self-signed cert to be generated. So I am accustomed to accepting them “for this session only”, since next time I start the browser it will probably be different. It was a couple of keystrokes in 2.x. Aaargh! Now I guess I’m gonna have to write some scripts to jump through these hoops. Sigh.
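What Zoli asks for in comment 6 (trust the certificate the first time, then only complain when it changes) and the reinstall problem R describes in comment 18 both come down to a fingerprint store in the style of SSH’s known_hosts. The Python below is an added example, not code from the post, from Firefox or from any extension mentioned on this page: `KnownHosts`, `fingerprint` and `fetch_der` are names chosen for this illustration, `fetch_der` wraps the standard library’s `ssl.get_server_certificate` and is not called in the offline demo, and the two DER “certificates” in `demo()` are constructed byte strings standing in for real ones.

```python
# Added example, not from the post or from Firefox: trust-on-first-use for
# self-signed certificates, modelled on SSH's known_hosts. The first connection
# pins the certificate fingerprint; later connections are silent on a match and
# loud on a change, the one event that actually deserves an error page.
import hashlib
import hmac
import json
import ssl
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, the value most certificate viewers display."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate a server presents (network call; not used in demo())."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


class KnownHosts:
    """Maps 'host:port' to the fingerprint pinned on first sight.
    With path=None the store lives in memory only; otherwise it is a JSON file."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self) -> None:
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        """Return 'new' (pinned now), 'match', or 'changed' (possible MITM or a reinstall)."""
        key = f"{host}:{port}"
        fp = fingerprint(der_cert)
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = fp
            self._save()
            return "new"
        return "match" if hmac.compare_digest(pinned, fp) else "changed"

    def forget(self, host: str, port: int) -> None:
        """Explicit operator action after a known reinstall, so the next check re-pins."""
        self.pins.pop(f"{host}:{port}", None)
        self._save()


def demo():
    """Offline walk-through with constructed stand-ins for real DER certificates."""
    cert_v1 = b"\x30\x82\x01\x00 constructed DER cert for gallery.example"
    cert_v2 = b"\x30\x82\x01\x00 different cert after a reinstall or an attack"
    store = KnownHosts()  # in-memory; pass a file path to persist across runs
    results = [
        store.check("gallery.example", 443, cert_v1),  # first visit: pinned
        store.check("gallery.example", 443, cert_v1),  # same cert: silent
        store.check("gallery.example", 443, cert_v2),  # different cert: warn
    ]
    store.forget("gallery.example", 443)               # operator knows it was reinstalled
    results.append(store.check("gallery.example", 443, cert_v2))
    return results


if __name__ == "__main__":
    print(demo())
```

A 'changed' result is the only case that warrants interrupting the user; a deliberate reinstall is cleared with `forget()` before the next connection. Note what this scheme does not give you: the first connection is taken on faith, so an attacker already in the path at that moment gets pinned as the legitimate server, which is precisely the gap a CA-signed certificate is meant to close.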

  19. imker Says:

    Hi everybody. I’m with most of the guys here. But I also have to say that there should be a better way to handle self-signed certs.

    I’m just a PC nerd that shares his pictures with his friends. So I have installed an Apache on my fileserver at home to do this. Yes, I use SSL with a DynDNS domain!

    Because my pictures are just for me and my friends, the gallery is password protected. And because the login should be safe, and the pics are just for me and my friends (not the man in the middle), as I said before the site is SSL encrypted.

    So should I pay a lot of money just to share my private pics with my friends in a secure way?

    I’m looking forward to all my friends calling me: “I’ve clicked the bookmark, but I don’t see the login page.”

    Thanks mozilla. Thanks.

    I know there are a lot of bad sites out there using self-signed certs as a social engineering gag, but are you sure that’s the only and best way to solve this problem? I’m not sure about that.

  20. identity vs encryption Says:

    Identity and encryption are two separate things. One of the great things about encryption is that it allows some identity assurance. However, blocking anybody who is not using identity assurance from using SSL is very, very stupid; they will just turn it off. What they need is a third icon indicating that a connection is secure, HOWEVER who you are talking to is not. The identity in the toolbar is a great first step in this. It could just say NO IDENTITY VERIFIED. Also, those free certificates will only give you a name of asdf@asdf.com or www.asdf.com; they will NEVER EVER GIVE you ‘John Smith’ or Smith Inc. These are very different things, and even that does give some verification that you are not being DNS spoofed, which has the potential to be the ultimate threat in phishing, and which signed SSL certificates are the only way to fight. Self-signed or otherwise invalid certificates need to NOT get the padlock (it would be nice, but it has become too much of an icon for ALL of SSL’s features), and users should be notified that its identity is just as secure as the rest of the non-encrypted web.

  21. asd Says:

    If anybody can find a way to get back the old functionality in Firefox 3 (there should be one), please post it.

  22. Nobbie Says:

    >The website will not be displayed and there’s only a small link at the bottom (which most people won’t see).

    Sorry - I saw it immediately.
    It’s ok for me.

  23. Robert Borkowski Says:

    What I’d like is to be able to trust all self signed certificates within a certain IP address range. I’ve got 600 servers I administer via web browser, and each one has a self signed cert for the web interface. The new self-signed cert process in Firefox 3 has made it pretty much unusable for work :-(

  24. Dasmo Says:

    Well, it’s open source. Someone who’s good at tinkering could probably remove the “feature”.

    I’m not spending the time to add all my work servers, so I haven’t downloaded firefox 3 since the beta, and probably won’t. If firefox 2 becomes outdated, I’ll be using a different browser.

  25. DS Says:

    I absolutely agree with this. One of the reasons I switched to using Firefox many years ago is because IE kept nagging about security zones and popping up warnings for legitimate sites. Now, Firefox is the same.

    Since Firefox users can (effectively) no longer visit certain sites, the webmasters of those sites have to pay for a cert, which is not even feasible in situations like redistributable apps with a web interface. Or, more likely, they will switch to HTTP, opening up the traffic to anyone else on the network.

    What a step backwards in terms of security.

  26. Mozilla SUcks Says:

    I wonder how many gazillions Mozilla got from Verisign to do this horrible thing. I finally installed https://addons.mozilla.org/en-US/firefox/addon/6843, going back in security. Making users click more than necessary is the stupidest thing ever. SSL isn’t always about identity.
    Mozilla sucks

  27. Josh Says:

    I agree with Mozilla Sucks. SSL is better than no SSL and the THREE warnings issued before being allowed entry into a self-signed site (the third having the annoying property of “cancel” being its default action) under FF2 were bad enough. The new system is freakin’ ridiculous. I went to the site, show me the page, please. I don’t need a seatbelt or a crash helmet.

    DON’T TREAT THE USER LIKE A CHILD.

    What really pisses me off about this isn’t the stupid attempt at security, it’s the insinuation that three dialog boxes aren’t enough, somehow, to stop users from displaying a self-signed site. WELL? What should they do, fill out a form in triplicate and wait six months, like they would if they wanted to file a freakin’ firefox bug report?

    BY THE WAY, FF3 STILL tacks on port 80 when using Flash FileReference.upload() to send a file over https via POST. Nice job, guys. Keep goin’ like this and you’ll be the next microsoft in no time.

  28. dan Says:

    You might be interested in a research project of mine, which uses automated network probing from multiple vantage points on the Internet to allow Firefox to automatically override these errors pages without compromising security. I’d appreciate any feedback you have:

    http://www.cs.cmu.edu/~perspectives/

  29. Tronic Says:

    Another braindead feature in Firefox. Maybe it’s time to switch to Opera?

    Having to go thru this clicking marathon every time I want to reconfigure a local printer on a machine (CUPS runs at https://localhost:631/) is just stupid.

    I’d prefer no warning dialogs or error pages at all, but perhaps an extra warning bar at the top (like the other security features of Firefox do).

  30. blueskyy Says:

    Yes, I agree with you totally. Firefox 3 should give users the option of browsing a website even though the certificate is not trusted; just prompt the user every time, the way Firefox 2 was implemented. I hope there will be a solution soon.

    Another “feature” in Firefox 3 that I dislike is the built-in anti-virus. But that can be turned off easily in about:config.

    Firefox has always been a great browser, even now. It would be a pity if it goes down the same road as Windows, where the predecessor, XP is better than its successor, Vista.

    PS: Oops. Sounds like I am going off topic, but this is generally what happens when you have a stupid boss making decisions that he does not even understand!

  31. Clemens Cap Says:

    On http://www.informatik.uni-rostock.de/~cap/firefox-patch/README.txt I have a partial solution to the problem and demonstrate how to turn this annoyance off, at least in your own browser.

  32. Peter Says:

    I couldn’t believe it when I saw it for the first time. Now people who use SSL only for encryption (many kinds of web admin panels) and can’t afford buying a cert. are totally f..ked.

    All this mechanism could work some other way….

  33. Dustin Says:

    My annoyance with this issue is that you can’t access military websites (e.g. https://atiam.train.army.mil/soldierPortal/atia/adlsc/view/public/10919-1/fm/21-75/toc.htm) in FF3 because the cert is issued by the US DEPARTMENT OF DEFENCE, which is apparently not a “trusted issuer”.

    Pfft.

  34. Peitschie Says:

    Just want to give another shout-out to the perspectives extension!

    http://www.cs.cmu.edu/~perspectives/firefox.html (as originally linked by the extension author a few posts earlier :) )

    It does what I think is the correct behaviour for this error page. Indeed, tell me if the site is self-signed, but don’t stop me visiting a self-signed (but valid) ssl site!

  35. John Says:

    I tried the Perspectives extension; I don’t like it. I would like a simple extension which adds a button and, when I click on it, tells FF3: go on, I want to take the risk! Simple and fast, as in FF2. The Perspectives extension has unnecessary features for me. Does a simple extension exist? I’ll begin to develop one starting from the Perspectives extension. The patch is not acceptable for a browser like Firefox. You can change many features in this browser with a simple extension.

  36. Eric Says:

    For some people the security box is not bad, you get used to it; it’s just stupid to have to click that many times. The problem is when Firefox is used in an education or business setting. A lot of staff members at colleges do not know what to do when they see this message. THEY FREAK OUT! This leads to a lot of unnecessary calls. In fact our IT would rather use Firefox 2 than use this crap. What is more secure, Firefox 2 or 3??? If you made it one button click, problem solved!

  37. shad-99 Says:

    There is an add-on plugin to fix that certificate problem for Firefox 3, which can be downloaded from here:
    http://www.cs.cmu.edu/~perspectives/firefox.html

  38. Sisternicky Says:

    The warning site is mega crap! An SSL connection originally was not intended to verify that the owner of the website is who he says he is, but to secure the traffic between web server and browser, so it cannot be sniffed.
    If someone wants to know if the site is genuine, he should look at the certificate, but should not get any big error message. A small warning somewhere would have sufficed!

eggdrop.ch blog is powered by WordPress