Firefox SSL-Certificate Debate Rages On
BobB-nw points out the ever more raucous debate over the way Firefox 3 handles self-signed certificates. The scary browser warnings have affected a number of legitimate sites (such as Google AdWords and LinkedIn) that didn't renew certs in time. Lauren Weinstein loudly called attention to the problem early in July. "If you visit a website with either an expired or a self-signed SSL certificate, Firefox 3 will not show that page at all. Instead it will display an error message... To get past this error page, users have to go through four different steps before they can access the website, which from a usability standpoint is far from ideal. This way of handling websites with expired or self-signed SSL certificates is bound to scare away a lot of inexperienced users, no matter how legitimate the website is."
Another Solution to Self Signing? (Score:4, Interesting)
Obviously, self signing is meaningless for anonymous strangers. It works just fine for you and your friends/colleagues, but not for anyone outside your immediately trusted group.
What are the free alternatives to VeriSign's hefty [verisign.com] fees? Some kind of community effort to create trust, much like PGP key signing seems like it would be a good solution.
Besides being expensive, it looks like any schmo can register with VeriSign and then conduct all sorts of questionable practices behind their cert. It doesn't look like there's any sort of vetting in the process. I didn't complete the signup process, but it looked like once they had my money, they'd send me a certificate. While the connection is secure, that doesn't tell me a darn thing about what they are going to do with my data, or whether or not they're going to try something malicious.
Is this really a debate at all? (Score:1, Interesting)
Some guy on some blog somewhere seconds another blog post.
If Google and LinkedIn didn't care about the message, why should you?
Re:That's the point. (Score:4, Interesting)
Because not all of these sites are questionable...
All it does is force these sites to buy certificates from the existing ssl certificate cartel.
Your site isn't questionable, but the business or sysadmin behind it IS. I'm sorry, but when you find you want/need to run SSL encryption, an SSL cert is around $150/year. Not exactly extortion when you consider all the other expenses to run a website (hardware, OS licenses, bandwidth).
Re:Worth it. (Score:3, Interesting)
In fact, all browsers really bitch about self-signed certs, which is why none of my websites use https - when it would clearly be more secure.
The only reason you would do that is because people attach trust to https://, so I propose that all secure sites (valid certs) make the whole fricken browser light up yellow with a big ass padlock to show it's secure. Self-signed and expired certs will just get https://; invalid certs will get a warning. And plaintext will get http://.
Everyone's happy, and people will feel secure going to their bank site with a *big* padlock (that should be noticeable if absent).
It need not be annoying (Score:1, Interesting)
If you need to run a lot of SSL'd sites, do the following and become your own Certificate Authority:
1. Make a CA cert
2. Import your CA cert into your browser
3. Make certs for all the sites you need to sign
4. Sign them with your own personal CA
5. All browsers you administer stop complaining about your sites
6. (optional) Get your CA cert included in the standard list that the various flavors of Linux, Firefox, Apple and Microsoft use and start selling certs to people over the internet (doing proper identity verification first).
7. Profit
Besides, 4 separate dialogs are more likely to make the people who blindly click to make dialog boxes go away perhaps actually read them first. Or maybe less likely to read them, who can say?
Re:Security Is worth It With all the Troll Sites (Score:4, Interesting)
Unfortunately, you do not get it at all.
Those people using self-signed certificates could also simply run a normal HTTP server, and you'd be none the wiser. You do not get warnings for "regular" HTTP sites.
You are basically saying that a website with an expired certificate or self-signed certificate is WORSE than regular HTTP sites, while in reality they at least provide you with an encrypted connection and a warning if the certificate changed since the last time you connected to that site (and when that happens, THEN you should get a BIG RED WARNING).
Re:As long as we're complaining about browsers (Score:1, Interesting)
So big guy, I've tried to find these free root authorities. I've found plenty of free trials. Fuck off with that, I want real honest to fuck long time certificates. Not 30 day fuck around and come back and pay $150 a year (which is more than the *hosting*).
So yeah, got any links to these free root authorities?
Actually, that's a massive problem with the whole SSL/TLS system. Getting a cert costs more than the entire freaking hosting! $10 a month will get you a sweet deal (a "business" account even) at a number of places. But if you want to run a commercial operation and/or take personal details or whatever (or are promoting security), then you need to pay more than what you pay for your hosting.
It isn't going to happen.
At the current place, there is the option for "shared" certs, but that is something like ssl.hostingcompany.example.com/yourdomainhere.info which doesn't really look so pro. (Even if it beats not having security at all.)
Re:No Excuses (Score:3, Interesting)
Actually it's CACert [mozilla.org] who could help this situation by working with Mozilla to have their CA included by default. That story has been dragging on for years with no end in sight.
Re:Cancel or Allow? (Score:3, Interesting)
Let's say we're walking down the sidewalk and you see two people walking towards you.
Person 1: Average Joe, mid 20's, wearing t-shirt and jeans. Clean-shaven. Your assessment: Seems OK.
Person 2: Guy wearing a cheap cop costume, waving around a gun. Your assessment: ??? ("Hmm, well, he's trying to look like a cop, so it must be ok!")
I'm not in favor of the way Firefox chooses to handle the situation (I think it's overkill) but "Ignore it and hope nothing bad happens!" is exactly how companies don't bother to discover encryption until after their really important laptop gets stolen. Personally, rather than going with the tiny little bar at the top (that looks exactly like every other little bar I get on every single website since I don't have flash installed), I think Firefox should show a solid red page with a heading indicating that it cannot verify the website below automatically, with a link to learn more about fingerprints and such, a button to say you trust this website (adds this cert for this domain to the list of trusted sites), and inside that page with a 20px margin, have the actual website load in what would effectively be an iframe, so you can see the website immediately, and you get a nice bright red border around the website, so you know that something is up, and that something is different than every other little warning you've gotten.
Re:3 types of certificates for 3 scopes of use (Score:3, Interesting)
* Hint: If they are really scared of the self-signed certificates, why do they have the "Permanently store this exception" box checked by default?
That's the one part that makes some amount of sense. It lets the browser really complain if the cert changes (of course, who's going to notice the difference, since it complains so loudly about unsigned certs in the first place...), which should only happen if someone's trying to MitM your connection or if the admin is an idiot and deleted the cert file.
Re:That's the point (Score:2, Interesting)
No, I propose that the Firefox team just comes up with a better interface for warning users about self-signed certificates. The current interface makes http appear to be safe and self-signed certificates appear evil. The lock color scheme option proposed earlier would be fine with me. Or at least give me a configuration option to turn off the warning and let me surf at my own risk. I love the anti-phishing stuff in Firefox, and I'm sure that will save many users from giving away their private information. However, I don't believe that the Firefox 3 interface for dealing with self-signed certificates will actually prevent any attacks, and it is obviously causing a lot of headaches based on the community response.
Re:Worth it. (Score:3, Interesting)
Sure, I agree. But I am not the average Internet user, so I can check if an SSL cert has been signed by a trustworthy CA or not.
Perhaps we need browsers to display a five-star rating icon next to the padlock to indicate how trustworthy the CA is.
Re:Unavoidable with devices (Score:4, Interesting)
Why are we being told that we must get permission from a "trusted" authority in order to "legitimately" use encryption?
Because a certificate signed by a trusted authority is the only way to eliminate spoofing and man-in-the-middle attacks, such as those that are possible with a DNS exploit, or setting up an open wireless network and setting the SSID to "linksys".
I know of a company that sells caching proxy servers that support HTTPS; their clients use them on corporate LANs and they can see the contents of encrypted HTTPS sessions. This lets them do things like scan outgoing messages for sensitive information to detect when an employee might be using GMail to e-mail confidential documents to someone, even though the connection is encrypted. What makes this possible is that the client's IT department configures everyone's browsers to accept this company's own fake CA key, so they can spoof all HTTPS sites with a self-signed certificate. So it only works in a corporate LAN environment - and the only reason it doesn't work everywhere else too is because SSL certs have to be signed by a trusted CA.
The only possible alternative is to do what SSH does: exchange keys on the first connection, and just assume that you're probably on a trusted network the first time you log in. Then you get a security warning if the server's public key changes. Most of the time this is good enough, but when it comes to online banking, I'd rather be sure.
Re:Unavoidable with devices (Score:3, Interesting)
The right way to handle this sort of thing is to have a real web of trust of people, and then do caching of the fingerprints of the keys. The first part breaks the CA trusted-party monopoly, and the second avoids non-initial untrusted-cert MITM attacks.
For me at least, the ordering of methods of information transmission that I trust is fairly simple
That sending information to slashdot requires a single click, and sending information to my own https servers requires five seems rather silly; I should definitely be warned, but there's no reason to require me to click to pull up a dialog, click to get the certificate, click to accept, then click to dismiss the dialog. A single message with the certificate information as a warning with a display of what this all means and why it may be problematic is good enough.
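The SSH-style "remember the key on first use, scream if it changes" scheme that the two comments above describe (exchange keys on the first connection; cache the fingerprints to stop later MITM attacks), as an added example in shell that is not code from the thread or from any browser. The known-hosts file path and the hostnames are placeholders; it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not from the thread: trust-on-first-use pinning of a server
# certificate by SHA-256 fingerprint, in a known_hosts-style file. Three
# outcomes: first sight is remembered quietly, an unchanged cert passes,
# a changed cert fails loudly (the case that deserves the big red warning).
set -u

KNOWN="${KNOWN:-$(mktemp)}"   # placeholder path; lines of: hostname fingerprint

# Print the SHA-256 fingerprint of a PEM certificate file ($1).
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# check_host HOSTNAME CERT.pem
#   prints "first-use" and exits 0 when no pin exists yet (pin is recorded),
#   prints "match"     and exits 0 when the pin matches,
#   prints "MISMATCH"  and exits 1 when the presented cert differs.
check_host() {
    host="$1"
    fp="$(cert_fingerprint "$2")"
    pinned="$(awk -v h="$host" '$1 == h { print $2; exit }' "$KNOWN")"
    if [ -z "$pinned" ]; then
        printf '%s %s\n' "$host" "$fp" >> "$KNOWN"
        echo "first-use"
        return 0
    elif [ "$pinned" = "$fp" ]; then
        echo "match"
        return 0
    else
        # Either a man-in-the-middle or the admin replaced the key; the pin is
        # deliberately NOT updated here, so the warning recurs until a human acts.
        echo "MISMATCH for $host: pinned $pinned, got $fp" >&2
        echo "MISMATCH"
        return 1
    fi
}
```

The first-use step is the weak point the comment admits to: if the very first connection is already intercepted, the attacker's certificate is what gets pinned, which is why the commenter would still rather have a CA signature for online banking.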