Has Firefox 3 certificate handling become too 'scary?'

By Scott M. Fulton, III | Published August 19, 2008, 5:48 PM

In a scenario reminiscent of the fairy tale about the fellow who cries "wolf" too often, security engineers are actively wondering whether Firefox's "blowing of the whistle" on self-signed certificates is a) frightening, and b) fair to developers.

One of the oft-touted improvements in Mozilla's Firefox 3.0 Web browser has been its improved handling for sites that authenticate their own identities using SSL certificates -- the kind used to initiate encrypted transactions over the HTTPS protocol. For instance, a site whose authentication is verified will be indicated in Firefox's address bar by having its icon expanded to a full name, printed on a green background. Supposedly, this is to reassure the user that everything's copacetic.

But on the other end of the scale is the browser's handling of certificates it cannot validate, which in recent weeks multiple users and developers alike have characterized with the word "scary." Now, Firefox replaces the Web page with a full-screen warning, featuring a traffic-cop pictogram and explaining the problem in detail. The color scheme is yellow, not red (which Firefox reserves for such things as suspected phishing sites or scam practitioners). Still, developers are asking whether the level of alarm Firefox now raises is so intense that many users will simply choose to ignore the warnings rather than pay attention to them.

The issue may have become critically important earlier this year, when a major potential Internet-wide exploit was uncovered by security researcher Dan Kaminsky. As security software provider Qualys' Chief Technical Officer Wolfgang Kandek told BetaNews in an interview last month, the success of spoofs that involved that exploit may have come down to whether Web browser users actually read the warnings that tell them the SSL certificates they've received don't match or can't be validated.

In order for you, the everyday user, to avoid falling into the trap yourself, Kandek told us, "you would depend on a browser popping up saying a certificate does not match. The question would be, how many people understand that? How many people simply do not acknowledge that? What happens every once in a while is that [a certificate] expires, or there is a redirect. I get these messages every once in a while, I usually read them, and then decide, can I go on or not? Of course, a common person would [have trouble with] that because you have to be reasonably security-savvy to understand the warning message and decide what to do."

Mozilla began implementing a stricter policy on warning its users, according to its developers' site, after having received no fewer than three independently created warnings about how, at that time, Firefox 2 handled so-called self-signed certificates (SSC). These are valid, though not authenticated, certificates that can be used for encrypting connections, as long as the user is willing to trust their validity in the absence of a third party certificate authority (CA) -- such as VeriSign -- that can do the validation on the user's behalf.

The warning, essentially, stated that the earlier method's handling of SSCs presented users with what amounted to a plea for the certificate to be accepted. Once it was, that acceptance extended to any so-called alternate site names the certificate might contain, even though those alternate names weren't presented to the user. Conceivably, an SSC could be used as a kind of gadget for maneuvering invalid Web sites into becoming validated automatically, leveraging the user's willingness to just trust the main site for what it says it is, and get on with it.

A self-signed certificate warning from Firefox version 3.0.2

Developers often build SSCs for themselves. It's an easy process, especially if you have Internet Information Services 7.0; and both Microsoft Internet Explorer 7 and Firefox (versions 3.0 and above, as well as version 2.0.0.15), in fairness, have tightened their behavior with regard to recognizing a self-signed certificate that a CA can't vouch for.

Sometimes it makes sense, from a security standpoint, for a Web developer to create SSCs -- for instance, it may not be a good idea to register the name, IP, and DNS addresses of a project operating in stealth on the books of a third party. Otherwise, SSCs are often just more convenient for developers than having to register, and then pay for, every certificate for every project.

Meanwhile, SSCs and expired certificates turn up in the most unusual places, including such places as Google Checkout, Yahoo's publisher network, and LinkedIn, according to the SSL developers' blog SSL Shopper.

So Firefox's sudden treatment of SSCs as "second-class citizens" -- or, in a sense, as more prone to suspicion than a standard HTTP site with no encryption at all -- is annoying many independent developers, including open source advocates, some of whom go so far as to question whether they should be paying for authentication.

In a personal blog post three weeks ago, developer Nat Tuck wrote, "Mozilla Firefox 3 limits usable encrypted (SSL) web sites to those who are willing to pay money to one of their approved digital certificate vendors. This policy is bad for the Web. Not only does it make users less secure overall by reducing the number of encrypted connections, it damages the basic principle of equality among Web participants."

In a blog post two weeks ago intended to put the entire issue to rest, Mozilla developer Jonathan Nightingale responded to this claim and others by saying Firefox 2's warnings were easier for users to ignore or just blindly accept, and that a real security issue could emerge from that acceptance.

"With a self-signed certificate, we don't know whether to trust it or not," Nightingale wrote. "It's not that these certificates are implicitly evil, it's that they are implicitly untrusted -- no one has vouched for them, so we ask the user. There is language in the dialogs that talks about how legitimate banks and other public web sites shouldn't use them, because it is in precisely those cases that we want novice users to feel some trepidation, and exercise some caution. There is a real possibility there, hopefully slim, that they are being attacked, and there is no other way for us to know."

As for developers who sign their own certificates for their own purposes, he goes on, well, they know who they are, and certainly it's up to them whether they trust themselves or not. But the new warning is meant to wake people up, and give them an opportunity to override Firefox's default behavior -- which is now to distrust -- with a statement of trust that is applied specifically to the main site under suspicion.
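To make concrete the difference the article draws between Firefox 2's certificate-wide acceptance (with the alternate-name problem described earlier) and Firefox 3's exception that is bound to one site, here is an added Python model. It is not Mozilla's code; the certificate fields, hostnames and the byte strings standing in for encoded certificates are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    # 'der' is a constructed stand-in for the encoded cert (no real X.509 parsing)
    subject_cn: str
    sans: tuple
    der: bytes

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()

def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single-label wildcard such as *.example.test."""
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return pattern == host

class CertScopedTrust:
    """Firefox 2 style (per the article): accepting a cert trusts all its names."""
    def __init__(self):
        self.accepted = set()
    def accept(self, cert: Cert) -> None:
        self.accepted.add(cert.fingerprint())
    def allows(self, host: str, cert: Cert) -> bool:
        names = (cert.subject_cn,) + cert.sans
        return cert.fingerprint() in self.accepted and any(
            name_matches(n, host) for n in names)

class HostScopedTrust:
    """Firefox 3 style: exception = (hostname, fingerprint); other names gain nothing."""
    def __init__(self):
        self.exceptions = {}
    def accept(self, host: str, cert: Cert) -> None:
        self.exceptions[host] = cert.fingerprint()
    def allows(self, host: str, cert: Cert) -> bool:
        return self.exceptions.get(host) == cert.fingerprint()

# Constructed sample: self-signed cert with an extra SAN the user never saw, and a re-issue
DEV_CERT = Cert("dev.example.test", ("shop.example.test",), b"constructed-der-v1")
RENEWED_CERT = Cert("dev.example.test", ("shop.example.test",), b"constructed-der-v2")

def compare(host: str, cert: Cert) -> tuple:
    """Verdicts (cert-scoped, host-scoped) once DEV_CERT is accepted for dev.example.test."""
    old, new = CertScopedTrust(), HostScopedTrust()
    old.accept(DEV_CERT)
    new.accept("dev.example.test", DEV_CERT)
    return old.allows(host, cert), new.allows(host, cert)
```

The second case is the one the article's warning describes: the cert-scoped policy silently trusts the unseen alternate name, while the host-scoped policy does not; the third case shows why a re-issued self-signed certificate prompts for a fresh exception.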

One alternative to the use of SSCs that many developers may not be aware of comes from a company called StartCom, which offers some Class 1 digital certificates for free.

Comments


The Warning Should Say...

Warning: Self-signed Certificate In Use

Connection Is Secure, Site Identity Unknown...
The connection to this site is Secure, but the Identity of the site cannot be verified...if you trust this site, you may proceed, if you're not sure, you SHOULD NOT proceed...

This is not a common error message...(you should not ignore it)...
It is not common for popular Banking or Shopping sites to have this message, if you are accessing a Banking, Shopping or any site that deals with your personal info you SHOULD NOT continue until you have confirmed if this is OK for this site...

Not Sure?...
If you are not sure what to do...
DO NOT PROCEED!
...get someone knowledgeable about computers to help you. Print this error message for them to read...

[I trust this site, Proceed] [I don't trust this site, Cancel]
[I don't know! Get me outta here!]

...I'm sure some would say it's verbose, but I'd ask you to have your mom/grandma read my warning & ask them if they'd be confused...of course here, in this comment box, I can't change font size, color or use bold to highlight parts of it, but I could make a nice looking, semi-scary/non-scary warning that is clear...

Also there needs to be a way (actually by default) to only accept SSCs for *that site* only, not accept them as a CA for other sites...

There should also be a way to get an SSL cert free...(an easy way)...

Score: 0

That is a really clear and well worded message.

Yours is much better than the current Mozilla default.

Score: 0

For the novice it is scary.
For the experienced it is troublesome and tiring.

In any case I think this should be changed. We don't need 10 steps to allow such certificates but just two.

Score: 0

This is not a big deal. Even with FF 2 or IE, with certain security software, you would get a message about a problem with certificates. Most of the time, these are legit sites. The difference with FF 3 is that it won't allow you to go to the site. There may be a workaround but this problem with certificates is endemic to the web. Even Google's home page brings up this issue.

A lot of sites don't take the time to do this process properly and maybe FF has gone too far by not giving the user the option to continue or not.

Score: 0

I even got the "Secure Connection Failed" warning when connecting to bugzilla:

https://bugzilla.mozilla.../show_bug.cgi?id=435778

Further, regarding a credit card website, I added an exception for the certificate but now when I go to the login page it embeds the connection failure warning in the web page without offering me the chance to work around it.

Score: 0

"One alternative to the use of SSLs that many developers may not be aware of comes from a company called StartCom, which offers some Class 1 digital certificates for free."

Note these free certificates do not work in Internet Explorer (7), so the value is the same as a self-signed certificate.

Score: 0

Surely the issue here is that an SSC is to ensure that the communication is encrypted, that "Eve" can't intercept the communication, whereas a full certificate verifies that the site is who it claims to be.

The confusion of "encrypted" with "secure" is, to be fair, also done by IE.

Surely it would be better to use a neutral colour (say, mauve) and a symbol such as a "crossed out eye" to denote a site that is encrypted and continue with the rather nice green bar you get when communicating with the bank.

Also the message needs to be made clearer that this is the case, something like:

"This site has an encrypted connection, but the owner has not identified itself to a trusted third party. Your communications to this server will not be intercepted, but it is your decision to trust the server owner."

etc

Score: 0

I use Opera, we don't have that problem.

Score: 0

And some people avoid the Internet all together.

Score: 0

I recognise your crappy style of writing so well. You don't half confuse the issue by using superfluous words Scott. Just tell me what I need to know - nothing more. Your opening paragraph is not eye catching and is just plain nonsense. [tsk]

Score: 0

Many IT depts have to roll out new apps to users and are under 'secure communication' restrictions, i.e. no ftp, telnet, or http with cleartext usernames/passwords in them.

It's not practical to sign every one of these simple apps... and it's annoying to go through this with Firefox.

Score: 0

In response to lvthunder, I agree about the idea that using SSL should mandate purchase of a cert. You can get a rapidssl cert for $14 from some vendors.

However, at the same time, I host over 150 websites. Parallels PLESK is the control panel that I use and unfortunately, accessing the control panel utilizes SSL, which means that every customer with FF3 was greeted with a demon warning about SSL. I am not going to buy each customer an SSL Certificate, nor do I want to buy a wildcard certificate to placate the FF3 users.

Firefox should handle this the same way that it handles pop-ups and installing extensions - the bright yellow drop down that appears with an audible noise. A browser shouldn't block content, that should be a plug-in or an option presented at setup so that the user is well informed.

Score: 0

Please help keep the forum readable by replying directly to people.

Score: 0

Signed certs are mandatory for e-shops, banks, customer services, etc - anything that has something to do with money or sensitive information. For other sites self-signed certs are mostly OK.

Score: 0

Is it too much to ask these so-called developers to spend $30 for a cert with a valid CA? Give me a break. If you're in beta or whatever, just have your users add you as a CA. It's not that hard.

Score: 0

I agree with the article about SSCs. I tried asking for Firefox to treat them like a normal http URL with no yellow bar or padlock and no warning messages, the only indication that encryption is in use being that the URL starts with https.

Score: 0

If you trust the site, accept the cert. If you don't trust it, move along.

Score: 0

I find this highly annoying. Due to the way the DoD handles its certificate signing policies, I receive this on any .mil domain I visit. I have looked and looked but there is no way to settle this down to a single click, or disable it altogether. Very annoying indeed.

Score: 0

If you are a Windows, or in particular, a Vista user, you should be quite used to this.

;-)

Score: 0

Used to this? Vista has nothing anywhere remotely as annoying as this. At least in Vista, I don't have to worry about it in my day-to-day use unless I am installing something. Firefox still requires you to manually click "add exception, get certificate, then add" before you can do anything. And let's hope they do not update their certificates with a new self-signed one, oh no!

Score: 0

OK, we'll go slow and explain the jest...

I was referring to the constant Vista (and Windows in general compared to other major platforms!) "are you sure you want to do this" popups...

Score: 0

Funny, I see those maybe once every 3-4 days and that's only when installing a new program or rebooting and having to launch Process Explorer again.

UAC isn't as annoying as people make it out to be. It has actually helped me several times.

Score: 0

Only people that have never used Vista think it's annoying. Although when you FIRST start running Vista, you get those popups a lot since you're doing a lot of installing usually, but after that initial burst it goes away for the most part. Don't expect Fox to understand how all that stuff works though, he just knows how to write long posts with incorrect opinions.

He's basically the Jerome Corsi of Betanews.

Score: 0

There are other major platforms? :)

Score: 0

There are quite a number of people who have never used Vista and yet speak as if they have Ph.D.s on the subject of UAC.

It is unfair to single out and target 2 unique individuals. ;)

Score: 0

So what is it? Skeery or annoying?

Considering most haven't a clue about certificates at all, I really don't see that many will deal with them much differently. They will remain either skeered or annoyed at being notified.

Score: 0