Mozilla SSL Policy Considered Bad For the Web

kdawson posted more than 6 years ago | from the among-these-shall-be-life-liberty-and-acces-to-https dept.

Mozilla 897

Chandon Seldon writes "The issue of digital certificates for SSL and the policies surrounding them comes up repeatedly. I've written an article criticizing the behavior in Firefox 3, which includes a serious comparison of the current Mozilla policy — restricting encrypted HTTP to paying customers — to a violation of net neutrality."

Seconded. (-1, Troll)

Anonymous Coward | more than 6 years ago | (#24464679)

I second this complaint.

Re:Seconded. (-1, Offtopic)

Adult film producer (866485) | more than 6 years ago | (#24464693)

I second post your complaint.

Re:Seconded. (5, Insightful)

lukas84 (912874) | more than 6 years ago | (#24464759)

This is bullshit.

It's not like Firefox makes it impossible to access a web site with a self signed certificate. It just makes it very obvious that something is wrong with the certificate, and tells the user that he shouldn't trust it too much.

Now, who uses self signed certificates or certificates signed by an internal CA?

* Test environments (not an end user scenario)
* Unprofessional webhosters (good riddance)
* Companies with their own CA (they can preload the certificate)
* Hobbyist systems (they can reconfigure their browser)

In the end, the only ones hurt by this are unprofessional webhosters - and I don't think anyone should care about them.

Re:Seconded. (4, Insightful)

Hes Nikke (237581) | more than 6 years ago | (#24464831)

On the other side of the coin, it subsidizes the CA industry just like compulsory auto insurance subsidizes the auto insurance industry.

Re:Seconded. (4, Insightful)

Thiez (1281866) | more than 6 years ago | (#24465065)

Except that there is nothing compulsory about ff. You are free to trust any certificate you want, the browser merely warns you that it could be a bad idea to do so.

Re:Seconded. (0)

Anonymous Coward | more than 6 years ago | (#24464893)

Now, who uses self signed certificates or certificates signed by an internal CA?

I do for our extranet which we allow a handful of clients access to. Why should we pay some external company for their certificates when all we need is encryption?

no it does. (5, Insightful)

unity100 (970058) | more than 6 years ago | (#24464961)

It's not like Firefox makes it impossible to access a web site with a self signed certificate. It just makes it very obvious that something is wrong with the certificate, and tells the user that he shouldn't trust it too much.

there are close to a billion people on the net that wouldn't tell what to do when faced with such a disastrous looking warning as ff 3 prints out when met with a self signed ca.

also there are equally many people that would rather skip visiting/subscribing to a site when they see the hassle ff3 puts out.

therefore many small service providers, businesses, communities that would not afford a decent certificate will be hurt in all respects, not to mention many users.

excuse me, but this is a very stupid, self righteous and jacobin move.

that is the EXACT kind of thing slashdot criticizes almost EVERY government, country, organization, corporation for, yet, you people are actually applauding it in this case.

Re:no it does. (5, Insightful)

spottedkangaroo (451692) | more than 6 years ago | (#24465049)

SSL isn't meant just for encrypting pages, it's meant for verifying identity also.

There are two solutions to this problem.

1. create your own CA and tell your customers to import the CA by clicking here (before putting them in ssl mode). It's really not much trouble to set up your own CA.

2. buy a cheap ass certificate from godaddy for $10. Your domain registration likely costs this much as well, but we don't complain about that, do we? The service is actually worth $10.

Without the above, the ff3 presentation is correct, the certificate is bad and should not be trusted. Otherwise you're in real danger of man in the middle attacks.

Not much to say (-1, Offtopic)

JiminyJones (1334765) | more than 6 years ago | (#24464691)

Except that the entire issue somehow reminds me of Moby Dick

dumb (-1)

oliderid (710055) | more than 6 years ago | (#24464699)

looks like I will have to switch to internet explorer to access self signed https extranet. There are various cases where you do not need any third party to prove your identity. Firefox 2.X was already quite annoying with this. Firefox 3 seems to be even more.

Re:dumb (2, Informative)

Cheesey (70139) | more than 6 years ago | (#24464811)

I suppose you could just add an exception for the site you want to access. (Four clicks?) Or your corporate IT people could add their signing certificate to the version of Firefox they distribute.

I don't understand the "antifeature" accusation at all.

Re:dumb (-1, Troll)

Anonymous Coward | more than 6 years ago | (#24464953)

Jesus, what a Firefox cock sucker. You must like the taste of Open Sores jizzum all over your lips and mouth.

Re:dumb (1)

Darfeld (1147131) | more than 6 years ago | (#24464821)

Not so much... You can accept certificate once and for all for a site, it's not that much annoying.

Well, the beta of FF3 was annoying because it wasn't clear how you could accept those certificates, but they fixed that. Now it's as simple as in FF2.

One Question (5, Insightful)

frodo from middle ea (602941) | more than 6 years ago | (#24464701)

wouldn't implementing what the author suggests defeat the very purpose of having a CA? SSL is not just for encryption you know. There is a little thing called 'trust' which plays a big part in it too.

Re:One Question (1, Insightful)

Anonymous Coward | more than 6 years ago | (#24464739)

Exactly.

A "secure" and encrypted connection to a compromised or malicious server is worthless.

Re:One Question (5, Insightful)

Iamthecheese (1264298) | more than 6 years ago | (#24464765)

It didn't make sense, the thing you just said. The author is proposing an easier flow to accepting self-signed certificates. How could that defeat the purpose of having a CA?

While he may have a valid point, I resent and disagree strongly with the author's implication that there is a profit motive to this. A bad decision, but not one made for profit.

Re:One Question (5, Insightful)

adamwright (536224) | more than 6 years ago | (#24464775)

If there was any real "trust" component, I'd buy this argument. SSL certificate authorities are supposed to be sources of trust - we trust them to have authenticated that the FooCorp who bought a certificate really is FooCorp Ltd (and not F0oCorpe). However, the only inducement most vendors need to issue a certificate these days is money.

I've successfully bought SSL certificates for companies that I had little or no verifiable connection with, from authorities that are trusted by all major browsers. Now, I obtained these with full permission of the companies in question, as a contractor, but as far as the authority was concerned, I was Joe Bloggs. They've even realised that now, and introduced the new EV Certificates - now with Extra Validation! Until of course, these get paid off as well, and we need EEV Certificates and so forth.

Using SSL for trust based on the word of companies like Verisign is pointless - you have to do manual authentication. The only use I see for them these days is transport encryption.

Re:One Question (3, Interesting)

morgan_greywolf (835522) | more than 6 years ago | (#24464973)

I've successfully bought SSL certificates for companies that I had little or no verifiable connection with, from authorities that are trusted by all major browsers. Now, I obtained these with full permission of the companies in question, as a contractor, but as far as the authority was concerned, I was Joe Bloggs.

Same exact experience here. And the thing is that they don't even bother calling anyone to verify anything. I've even used my own credit card to buy certificates.

Re:One Question (1)

Nursie (632944) | more than 6 years ago | (#24464999)

No, the certificates verify that you are talking to whoever the CA gave the certificate to. That's all they do, and that's very important. You don't have to go any further than that.

Re:One Question (1)

duffbeer703 (177751) | more than 6 years ago | (#24465029)

Newspapers can get the news wrong. Does that mean that we should only accept news heard via word of mouth?

Even with a minimally verifying SSL provider, the police do have some ability to track a transaction back to a specific individual or company via the payment trail. Or they can use a stolen credit card, which is easy to detect.

Re:One Question (1)

jgtg32a (1173373) | more than 6 years ago | (#24464783)

Do you really trust the CA? It's really not that hard to get a certificate, you pay them money and then they give you a certificate.

Re:One Question (1)

gnasher719 (869701) | more than 6 years ago | (#24464791)

wouldn't implementing what the author suggests defeat the very purpose of having a CA? SSL is not just for encryption you know. There is a little thing called 'trust' which plays a big part in it too.

Absolutely. As a rule, leaving security to amateurs (and even more rank amateurs like the author of the article) leads to insecurity. This is like everyone else discussing how to protect your house from burglars who might try to sneak in by the most obscure routes, and here we have a guy who doesn't even complain that locks on doors are impractical, he complains that we should do away with doors in the first place.

Re:One Question (4, Insightful)

pmontra (738736) | more than 6 years ago | (#24464941)

CAs do very little to ensure that the site you're connecting to is really the one it claims to be. So SSL is almost useless for authentication and trust. It's worth using it only for encryption and self signed certificates are as good for that as the ones you buy with money.

As a webmaster and owner of a site that uses SSL I second the author's proposal and more: let's stop pretending CAs can ensure the identity of the communicating parties, shut them down, save money and use SSL only for encrypting data.

Re:One Question (5, Insightful)

Nursie (632944) | more than 6 years ago | (#24465031)

No.

Seriously, stop being a retard.

If I'm connecting to my bank, and I get a certificate that matches the domain name and was signed by a widely trusted 3rd party, that gives me much more confidence than selecting some bozo's self-signed certificate.

Does it guarantee the identity and trustworthiness of the entity? Not absolutely, but it's a whole hell of a lot better than just encrypting comms and sending them to whoever happens to be running a man in the middle attack today.

Re:One Question (5, Insightful)

Rakishi (759894) | more than 6 years ago | (#24465043)

The problem with this is that it does not guarantee that your connection is actually encrypted. There is a reason why CAs were created and it has a lot to do with ensuring proper encryption. Basically a man in the middle attack can with self-signed CAs fake the user into accepting their CA instead of the website's CA. You now have the illusion of security and encryption which some would consider worse than no encryption at all. To the end user they would be identical and while there may be a complaint about different keys, if the user went to the site before, most users would probably ignore them (especially after they see them a dozen times for legitimate sites that for some reason changed their keys).

trust? (1)

Animaether (411575) | more than 6 years ago | (#24464795)

what do you mean, trust?

An SSL certificate automagically means that it is impossible for the site to be hacked, or some guy internally running away with sensitive data, etc. ?

At best, it will say "Why yes, this -is- the website you are looking for.".. beyond that, there's no more trust than I would give a warezyporn website hosted on a .tk domain.

SSL may not be just for encryption, but perhaps it should be.. or should have been. It should never have served this dual purpose - and the story explains quite nicely -why-.

Re:trust? (2, Insightful)

frodo from middle ea (602941) | more than 6 years ago | (#24464981)

That was my implied point, the author of the article should be complaining about the trustworthiness aspect of the SSL, and not mozilla's policy about accepting self signed certificates. As things stand today, SSL means 2 things a) encryption and b) trust (i.e. the site is what it claims it is). And to provide the part b, it relies on the concept of CAs. Now whether this is a good thing or just a money grabbing policy by the big CAs is a totally different thing, but what Mozilla is doing is nothing wrong. Maybe they can have an easier way to import a self-signed certificate, rather than having to go through 3/4 clicks as it stands now, but I sure wouldn't want that warning to go away the first time. I am completely aware that all it takes to buy a certificate is money, but that is not mozilla's or SSL's fault, it is rather the fault of the companies behind the CA business.

Re:One Question (3, Insightful)

Anonymous Brave Guy (457657) | more than 6 years ago | (#24464825)

Sure, but frankly, anyone who relies on the "trust" aspect of SSL certificates today for anything serious needs their head examined. In this world, trustworthy == willing and able to pay.

The encryption is by far the most important aspect of SSL for most applications, and you can use that regardless of any issues with CAs and trust.

This is stupid (4, Insightful)

duffbeer703 (177751) | more than 6 years ago | (#24464713)

The whole point of SSL is to have some assurance that you are connecting to whom you think you are connecting to.

While the model of paying a CA to assure your identity is not perfect by any means, ignoring the issue isn't either. Many slashdotters seem to have a hard time getting this.

IMHO, the system in Firefox 3 is superior. While self-signed sites are blocked by default, it is not easier to explicitly trust a self-signed SSL site. In the past, most people would just click past the nag dialog when it popped up.

Re:This is stupid (5, Informative)

jgtg32a (1173373) | more than 6 years ago | (#24464815)

But there's one problem: you understand what the error message says and means.
My parents couldn't get past that message even after I explained it. I had to downgrade FF because they would freak out when they saw that message.
From a usability point of view it's terrible.

Re:This is stupid (5, Insightful)

quantumplacet (1195335) | more than 6 years ago | (#24464895)

I think that's exactly the point. If you can't understand what a self signed certificate is, you shouldn't be accepting them.

Re:This is stupid (2, Insightful)

Anonymous Coward | more than 6 years ago | (#24464943)

Self-signed certs are still strictly more secure than completely unencrypted traffic. If it warns you about a self-signed cert, then it should warn you /every/ time you visit a completely insecure site. In reality, it should just accept self-signed without indicating that it's secure, and have an icon for people who know/are expecting self-signed certs to indicate that is what has been given.

Re:This is stupid (5, Insightful)

mapsjanhere (1130359) | more than 6 years ago | (#24465027)

Insecure is less dangerous than encrypted untrusted. How many less-than-savvy users are trained by their more geeky relatives to check for two things - the httpS and the little lock icon. How easy do you want to make it for the phisher if he can safely pretend to be https://cidybank.com/ with the lock icon? Getting "trust" established was one of the hardest things for e-commerce to do. Anything that undermines it needs to be stamped out.

Re:This is stupid (1)

Darfeld (1147131) | more than 6 years ago | (#24465039)

I don't know... It's a choice to let the user do anything (right or wrong) or to protect them from themselves. From a clueless user point of view, the latter seems better. For a well-informed user, it doesn't really matter (One click at the first visit, and that's it...).

In the end, SSL isn't that common. You could always add exceptions in FF so they wouldn't cross the warning again.

Re:This is stupid (5, Insightful)

js_sebastian (946118) | more than 6 years ago | (#24464889)

The whole point of SSL is to have some assurance that you are connecting to whom you think you are connecting to.

No. As TFA says, there are 2 points to SSL. 1 is to provide confidentiality (encryption) the other is to authenticate the server to the user. A server with a self-signed certificate provides protection against passive (but not active) snooping. This is worse than what a real, trusted-third-party signed certificate provides, but it is better than no encryption at all!

So why does the firefox GUI make a site with a self-signed certificate appear (to the non-technical user) less secure than a plain HTTP site?

IMHO TFA is very much correct this is a problem. The solution is not obvious, because users are used to the lock icon and may not understand the concept that confidentiality and authentication are 2 separate properties, so how do we design a GUI which does not mislead him.

Re:This is stupid (3, Insightful)

duffbeer703 (177751) | more than 6 years ago | (#24464955)

IMHO TFA is very much correct this is a problem. The solution is not obvious, because users are used to the lock icon and may not understand the concept that confidentiality and authentication are 2 separate properties, so how do we design a GUI which does not mislead him.

The people who don't understand this are not IT people who are going to be futzing with self-signed certs, or are IT people who need to clue up and understand the implications of using self-signed certs.

Re:This is stupid (4, Insightful)

pmontra (738736) | more than 6 years ago | (#24465071)

Let's do it with alert boxes.

HTTP only: "The communication with this site is insecure because it doesn't encrypt the data you're sending to it. Furthermore there is no guarantee that it's owned by the organization that it claims to belong to. [checkbox] Don't tell this to me anymore."

Self signed HTTPS: "The communication with this site is secure because it encrypts the data you're sending to it. However there is no guarantee that it's owned by the organization that it claims to belong to. [checkbox] Don't tell this to me anymore."

CA's signed HTTPS: "The communication with this site is secure because it encrypts the data you're sending to it. Furthermore [the name of the CA] guarantees that the site is really owned by the organization that it claims to belong to. [checkbox] Don't tell this to me anymore."

However one has to be really naive to believe the guarantee part of the last statement or that CAs are willing to have any legal responsibility for the claims they're issuing with any certificate. Actually that third alert box might be harmful as it perpetuates the delusion that certificates do anything about authentication.

Eventually it's not a problem of GUIs but a problem of understanding what certificates are really for.

Re:This is stupid (2, Insightful)

elFarto the 2nd (709099) | more than 6 years ago | (#24464921)

While I like Firefox 3, I find it annoying that I have to accept a self-signed certificate forever. I'd much prefer to accept it from my current session only. Accepting it forever seems a little insecure to me.

Regards
elFarto

Re:This is stupid (0)

Anonymous Coward | more than 6 years ago | (#24464991)

Oh you're so right, encryption is definitively useless, especially when I want to read my mails on a public wifi area.

Most clueless article ever? (3, Interesting)

gnasher719 (869701) | more than 6 years ago | (#24464715)

I think it is. Half of SSL is about encrypting a connection, the other half is about knowing whether you can trust the other side. What the article suggests (that SSL connections when the other side uses a self-signed certificate should give no warning) would completely destroy security of the Internet.

Re:Most clueless article ever? (4, Insightful)

Hes Nikke (237581) | more than 6 years ago | (#24464769)

There is a "warning," and then there is a "WARNING: YOU MUST CLICK FIVE TIMES TO SEE THIS PAGE." A simple bar across the top of the page with a warning that the site's identity couldn't be verified, but that the connection was still encrypted would work just fine.

Re:Most clueless article ever? (1)

lukas84 (912874) | more than 6 years ago | (#24464819)

No, it wouldn't. Users need to be protected from themselves, and the Firefox/IE approach is the right way to do this.

Re:Most clueless article ever? (-1, Troll)

mikael_j (106439) | more than 6 years ago | (#24464865)

I disagree, IMO one warning should be enough, if you're too stupid to figure out your computer then you should get rid of it. I'm serious, I've dealt with way too many users who had no good reason to use a computer to begin with and who clearly barely had the skills to understand directions along the lines of "Now move your mouse pointer to the bottom left corner of the screen and LEFT-click the big button with a flag and the text Start on it.", this is also serious, I have dealt with people who were otherwise intelligent productive members of society who really couldn't figure things out beyond the start menu and "The big blue 'e' gets me my intarwebs", these people should not be protected from themselves.

/Mikael

Re:Most clueless article ever? (1)

lukas84 (912874) | more than 6 years ago | (#24464933)

I disagree, IMO one warning should be enough, if you're too stupid to figure out your computer then you should get rid of it.

Yeah, and I would like it if everyone who disagrees with me would be shot. Sadly, this hasn't happened yet, nor will it ever.

It's the same thing that you want - you don't want idiots that are almost too stupid to breathe use a computer. This isn't going to stop either - heck, driving a car requires a license, yet I encounter many stupid drivers daily.

It's how the world is right now - deal with it.

Re:Most clueless article ever? (1)

mikael_j (106439) | more than 6 years ago | (#24465079)

So why aren't cars made of rubber and only capable of going 20 km/h? Oh that's right, we've chosen to attempt to educate the idiots and force them to pass tests before being allowed to use a computer^Wcar on public roads.

One of those "joke" ideas that would actually be kind of funny would be if in order to sign up with an ISP to get internet access you'd be required to pass a basic test that starts along the lines of "click the red square" and ends with "Is the computer in the picture: a) The box under the desk? b) The big thing with pictures on top of the desk? c) The thing on the desk that prints out text on papers?". it wouldn't even compare to the theoretical exam for getting a driver's license here in .se but I suspect the internet population would seriously decrease... (Yes, in Sweden you actually have to know how to diagnose simple problems with your car and know the names of the different parts. And yes, I miss the days when getting online wasn't something that any idiot could accomplish, sure there were idiots online but the vast hordes of drooling mouth-breathing morons were kept out)

/Mikael

Re:Most clueless article ever? (0)

Anonymous Coward | more than 6 years ago | (#24464859)

There is a "warning," and then there is a "WARNING: YOU MUST CLICK FIVE TIMES TO SEE THIS PAGE."

Seriously? They really do that? If so, that's a major nag screen there.

Makes me glad I stuck with Firefox 2 for now.

Re:Most clueless article ever? (1)

Culture20 (968837) | more than 6 years ago | (#24464863)

A simple bar across the top of the page with a warning that the site's identity couldn't be verified, but that the connection was still encrypted would work just fine.

No, it wouldn't. A simple step makes the monkeys learn to click. A difficult set of steps makes them think about what they're doing, and possibly check with the sysadmin to verify the self-signed cert. Even worse than a simple step though, is a mere notification. It would be ignored, and encryption without assurance of sender/receiver is essentially worthless (although it does limit your exposure to one bad guy at a time instead of multiple).

Re:Most clueless article ever? (0)

Anonymous Coward | more than 6 years ago | (#24464847)

Right. If you have personal reasons to trust the server, you can just add an exception, and if you don't Firefox is quite right to warn you.

Re:Most clueless article ever? (1)

Omnifarious (11933) | more than 6 years ago | (#24464855)

What I would like to see is an ssh-like mechanism where Firefox remembers the key previously associated with a website and complains if you appear to be accessing the same website but it's presenting a different key than it did before. Perhaps the existing mechanism of trusted roots could be kept as well, though IMHO, I would like to see that replaced by my scheme as well with an explanation of who the root is and why you should trust them instead.

I do not like Firefox randomly making a decision that certain root CAs are trustworthy and requiring those CAs to give them money for the privilege of being considered trustworthy.

On reading the article, it doesn't sound like the author is totally clueless. Though I do think self-signed certificates deserve a warning of some kind. I really do think that the whole trusted root thing is a bit of a scam and users should be allowed to make choices about who they consider a trusted root.

Re:Most clueless article ever? (2, Informative)

Anonymous Coward | more than 6 years ago | (#24464997)

Users are allowed to decide for themselves who they consider a trusted root. Firefox -> Preferences -> Advanced -> Encryption -> View Certificates. Add and remove root certificates to your heart's content.

Re:Most clueless article ever? (2, Insightful)

jgtg32a (1173373) | more than 6 years ago | (#24464899)

I don't think so, there is nothing inherently wrong with a self signed cert. The issue is if you go to a fake bank site and all you notice that the "security lock" is on and you just trust that lock.

When it comes down to it what the user needs to know is, is there 3rd party verification, which is what a CA will provide.

The Lock only indicates that encryption is used, it doesn't indicate 3rd party verification. What's really needed is a different "security lock" that indicates 3rd party verification, because that check is what is really needed for users.

Re:Most clueless article ever? (1, Insightful)

Anonymous Coward | more than 6 years ago | (#24464927)

The problem is that the padlock icon was invented to indicate an encrypted connection. Some clueless idiot then decided that it meant a verified certificate.

What the clueless idiot should have done is invent a second icon, a big green tick, to signify a verified certificate in conjunction with an encrypted link.

It's too late to change it now. Maybe the next best thing is for firefox to do away with the warnings and in the case of an encrypted connection display nothing extra. Only display a padlock if a chain/web of trust can be established for the certificate.

Re:Most clueless article ever? (2, Insightful)

Kjella (173770) | more than 6 years ago | (#24464975)

I think it is. Half of SSL is about encrypting a connection, the other half is about knowing whether you can trust the other side. What the article suggests (that SSL connections when the other side uses a self-signed certificate should give no warning) would completely destroy security of the Internet.

If self-signed SSL sites were identified similar to "trusted" sites, then yes. But self-signed SSL certificates are a good step up in security over HTTP. For example, anyone only able to wiretap won't get anything at all. Intercepting streams for a MITM is a much more difficult thing to do, particularly if you're talking large volumes in real time. Also you'd get uh-ohs like "This site is now using a different key than last time" and some would compare fingerprints through some other secure channel so mass MITM would easily be detected. To take a stupid analogy, HTTP is the postcard, self-signed is an envelope and trusted is Certified Mail. It's rather dumb to block the envelopes because people might be misled to think they're secure...
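
Added example (editorial, not part of any comment in this thread and not Firefox code): a sketch of the ssh-like "remember the key" check Omnifarious proposes above, together with the "different key than last time" warning and out-of-band fingerprint comparison Kjella describes. It pins the SHA-256 of the presented certificate; the class and function names, the host name, and the byte strings standing in for certificates are assumptions made for illustration.

```python
import hashlib
import json
from enum import Enum


class PinResult(Enum):
    FIRST_USE = "first-use"  # nothing stored yet: pin recorded, identity NOT verified
    MATCH = "match"          # same certificate as on earlier visits
    MISMATCH = "mismatch"    # different certificate: key rotation or interception


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AA:BB:...' or 'aabb...' as read over the phone or from paper."""
    return fp.replace(":", "").replace(" ", "").lower()


class PinStore:
    """known_hosts-style store keyed by host:port (hypothetical design)."""

    def __init__(self, pins=None):
        self._pins = dict(pins or {})

    @staticmethod
    def _key(host: str, port: int) -> str:
        # Case and a trailing dot do not change which site is meant.
        return f"{host.lower().rstrip('.')}:{port}"

    def check(self, host: str, port: int, der_bytes: bytes) -> PinResult:
        key = self._key(host, port)
        seen = fingerprint(der_bytes)
        stored = self._pins.get(key)
        if stored is None:
            # Trust on first use: an active attacker present on this very
            # first connection would be pinned instead of the real site.
            self._pins[key] = seen
            return PinResult.FIRST_USE
        if stored == seen:
            return PinResult.MATCH
        # Never overwrite silently; the caller must stop and ask the user.
        return PinResult.MISMATCH

    def repin(self, host: str, port: int, der_bytes: bytes,
              out_of_band_fp: str) -> bool:
        """Replace a pin only if the presented certificate matches a
        fingerprint the user obtained through another channel."""
        seen = fingerprint(der_bytes)
        if seen != normalize(out_of_band_fp):
            return False
        self._pins[self._key(host, port)] = seen
        return True

    def dumps(self) -> str:
        return json.dumps(self._pins, sort_keys=True, indent=2)

    @classmethod
    def loads(cls, text: str) -> "PinStore":
        return cls(json.loads(text))


def demo():
    # Constructed stand-ins for DER certificates; a real client would pass
    # ssl.SSLSocket.getpeercert(binary_form=True) here.
    site_cert = b"constructed-self-signed-cert-A"
    other_cert = b"constructed-self-signed-cert-B"
    store = PinStore()
    return [
        store.check("extranet.example", 443, site_cert),   # first visit
        store.check("extranet.example", 443, site_cert),   # later visit
        store.check("extranet.example", 443, other_cert),  # key changed
    ]


if __name__ == "__main__":
    for result in demo():
        print(result.value)
```

A mismatch leaves the stored pin in place, so a user who dismisses the warning once is warned again on the next visit until the new fingerprint has been confirmed through `repin`.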

This causes real problems. (4, Insightful)

Daryen (1138567) | more than 6 years ago | (#24464721)

I encourage all of my users to use Firefox by including it on our PC images, showing them its cool features, and letting them know about how it's more secure. I've been running into problems with self-signed SSL certificates though.

I run a router/firewall based on the Untangle software, which in turn is a modified Debian/Knoppix setup. It also does VPN, based on the open source openVPN software, and it uses self-signed SSL certificates for it. While I don't mind adding our firewalls to a safe list, my users freak out with all of the warnings and aren't sure what they should do. I've been telling them to use Internet Explorer, but it makes my skin crawl to say it. Hopefully the Mozilla team will reconsider their position to make their software more open-source friendly.

Re:This causes real problems. (1)

lukas84 (912874) | more than 6 years ago | (#24464779)

Why don't you just deploy the self signed certificate to all your users?

Or, if your users vary that much, just buy a certificate for 29$ a year?

Besides, IE gives ugly error messages too when accessing a site without a validated trust chain.

You are dumb (-1, Flamebait)

duffbeer703 (177751) | more than 6 years ago | (#24464837)

This isn't an IE/Firefox issue. It's about you being too cheap to buy a validated cert while simultaneously being too dumb to force your users to accept your certs.

If you are running your infrastructure with self-signed certs, just put the certs on your clients.

Re:This causes real problems. (1)

Culture20 (968837) | more than 6 years ago | (#24464995)

Why not use your own private CA and add that CA to your FF deployments?

This article should be tagged flamebait (-1)

Anonymous Coward | more than 6 years ago | (#24464723)

"...I've written an article criticizing the behavior in Firefox 3..."

This reads like flamebait.

Yeah it stinks, but (1)

tphockenberry (126512) | more than 6 years ago | (#24464729)

As the article admits, you can import the cert and access any SSL website. It's kinda weird to write an article about using a scary "you are being hacked" warning and then post a scary "firefox 3 doesn't let you use SSL unless you pay" statement.

I'd like to make my own decisions please..... (0)

ocularb0b (1042776) | more than 6 years ago | (#24464731)

Yeah this is no good. And it's a real shame that it comes from the "good" browser. I'd expect this from safari or IE. All we need is the information about the cert. Let the user decide if he/she is ok with using the site.

Re:I'd like to make my own decisions please..... (3, Informative)

Hes Nikke (237581) | more than 6 years ago | (#24464945)

I can't speak for IE, but safari pops up a sheet telling the user that the site has an untrusted cert with 3 options: use the cert once (you'll get the warning again,) always trust this site, and don't load the page. I think this is how firefox should behave (perhaps even loading the page and then warning the user)

Damn right you are. (2, Interesting)

w4rl5ck (531459) | more than 6 years ago | (#24464735)

For some small sites, we need to encrypt traffic to protect consumer data from being "spied on" by misconfigured switches, WLAN eavesdropping, and so on.

For those sites, buying a certificate is possible, but the costs are high compared to the gains (as this is *only* about protection of the data, not about "being sure this is site XY"). Based on the certificate IDs/hash it's possible in this environment for anyone to compare whether the certificate is a trustworthy one, or not. The certificate identification is, in this case, possible.

But it's a lot harder to explain why this really, really scary message (it scares the HELL out of customers) appears now and then, when someone moved to a new computer or something.

The old FF2 behaviour was "better" in this respect.

I also see benefits of the efforts made to clarify this encryption/identification stuff for normal users, like the green address bar. That's really a gift, showing the user "everything all-right with your banking application or amazon store".

But this behaviour, marking "self-signed" certificates as something über-evil out of the deepest depth of hell, is crossing a line a bit too far, in my opinion.

A short warning with a better explanation, or even a yellow bar - encrypted, but not "that secure" - might have been a better way.

Well, patches welcome, I hope :)

Still better than just praying the 2012-expected Internet Nightmare 9 mysteriously replacing the old behaviour with something worse. You know what I'm talking about, don't you? ;)

Why not use a startSSL cert then? (3, Informative)

Anonymous Coward | more than 6 years ago | (#24464913)

For those sites, buying a certificate is possible, but the costs are high compared to the gains (as this is *only* about protection of the data, not about "being sure this is site XY"). Based on the certificate IDs/hash it's possible in this environment for anyone to compare whether the certificate is a trustworthy one, or not. The certificate identification is, in this case, possible.

I don't understand this. You want to be sure that the data transferred is protected, but you're happy to have it redirected to any site.

As to the cost/benefit, how about a cert from startssl [startssl.com]? This has the cost of $0 and the benefit of being supported by Firefox. It's not supported by IE unless the user installs a root cert by hand, but then it wasn't IE you were complaining about. Firefox actually seems to be ahead of IE in this regard.

Average user and security (4, Insightful)

RomSteady (533144) | more than 6 years ago | (#24464737)

The average user doesn't notice any security feature unless it is in their face.

Given the number of phishing sites out there, it could be argued that every additional slap to the face that a user would have to get through in order to get to a phishing site (known phishing site, self-signed SSL, acknowledge that you are a fucking retard for bypassing the last two warnings, etc.) may be worth it.

Just remember that just because the precepts of net neutrality (all bandwidth is equal) mean that we should let a user shoot themselves in the head doesn't mean that we shouldn't at least make a passing effort to put a safety on the gun they are using.

How about a plugin? (1)

dattaway (3088) | more than 6 years ago | (#24464741)

Is it wrong to have quick and dirty arbitrary secure end to end connections?

four clicks (4, Informative)

Bazman (4849) | more than 6 years ago | (#24464751)

In four mouse clicks I've added that site to my exceptions list. It warned me, I read and understood the warning, I acted. I saw the https page and the web site owner didn't have to pay for a certificate.

So, the article is wrong:
"Mozilla Firefox 3 limits usable encrypted (SSL) web sites to those who are willing to pay money to one of their approved digital certificate vendors"

please add 'or click four times to add the site to an exception list'.

Re:four clicks (2, Funny)

urcreepyneighbor (1171755) | more than 6 years ago | (#24464965)

In four mouse clicks I've added that site to my exceptions list. It warned me, I read and understood the warning, I acted.

Good for you, but people like you - and me and the rest of the people here - aren't "normal". Grandma won't know what the hell to do (besides call you). She might even think "those evil hackers" "got her".

Self-signed certs are a potential problem, but Firefox could have worked out a better way of handling it. A more novice-friendly way.

Basically, we need Bruce Schneier [schneier.com] and Jakob Nielsen [useit.com] to marry and have children. We'd better contact Dr. Moreau [wikipedia.org] to work out the breeding program. :)

Re:four clicks (0)

Anonymous Coward | more than 6 years ago | (#24464967)

And how many times do you plan on phone-walking Aunt Tillie through that procedure?

Come on, I'm an IT professional myself and I understand the importance of secure trust chains, but *four clicks* is at least two too many.

https (0)

Anonymous Coward | more than 6 years ago | (#24464761)

fta:
"This is really an issue of the basic principles of internet openness. Everyone has equal access to the features of HTTP or SSH, there's no reason why there should be artificial constraints on access to HTTPS. But that's exactly what the Firefox SSL behavior does."

The above statement makes it sound as if SSH and HTTP(s) are related. Quick summary:

http
ssl
https = http + ssl
ftp
ftps = ftp + ssl

ssh/sftp (they stand alone)

Blocking Self Signed Certificates is GOOD! (3, Insightful)

PC and Sony Fanboy (1248258) | more than 6 years ago | (#24464767)

I'm not sure what the problem here is - If a website claims that it isn't part of the malware revolution with a self signed certificate, it isn't any more authentic than NOT having one.

The only real use for a self signed certificate is for large institutions that already have the trust of the user (i.e., universities) - but you have to assume that they haven't been compromised, because it would be easy to have a second certificate, signed by the owner of the hijacked site.

Anyways, Firefox 3 does a great job, and it isn't hard to add an exception - and it isn't annoying like UAE...

Non-issue? (0)

Anonymous Coward | more than 6 years ago | (#24464771)

Surely this is the same as has been implemented in all browsers since SSL came along? The only real difference here is in how the message to the user is displayed. Previously, a dialog box would have popped up warning the user, and most users would automatically scan for the OK button and click it without giving it further thought, or indeed reading the dialog box.

Because this message appears where the page would normally appear, people seem to be actually taking notice of it. It's not about net neutrality, it's about trust. There are a number of trusted root certificate people out there, and that number is small for a reason. If everybody could create a trustworthy certificate, then what would be the point? It's a shame users have in the past been so useless at exercising judgement in what sites are trustworthy and which aren't.

At least now, they are forced to consider the implications clicking through, and that can only be a good thing.

Dont be cheap (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#24464803)

Dude,

Like has been said, it is mostly saying, yes, this is the person you're talking about. Anyway, who really cares? SSL certs aren't that fucking expensive, you pay 10 bucks a month for any half assed hosting service anyway, what's an extra 20 a year to have your ssl show up right?

don't be a cheap ass

you cant afford to be too jacobin (2, Insightful)

unity100 (970058) | more than 6 years ago | (#24464809)

"we are programmers and developers, and as a community we think this is the right thing to do" - this does NOT fly. the public accepts what they like, they refuse what they don't. this is as simple as that, REGARDLESS OF whether what they accept or refuse may be good, or bad.

it is utterly stupid to go overly jacobin and enforce something on people 'for improving the security on the web', in an open source project that is made by people FOR the people.

a lot of websites, service owners, businesses using vpn and their clients and their users are going to experience a hell of a lot of problems due to this extreme self righteousness forced upon them, if they go for firefox 3.

to be honest, although i'm fighting for free and open internet, linux, open source by the means available to me as much as i can, i will be advising friends and clients to stay away from ff3 because of that certificate issue.

Bad Article (5, Informative)

MasterOfMagic (151058) | more than 6 years ago | (#24464823)

As mentioned on the Firehose comments page about this article (http://tech.slashdot.org/comments.pl?sid=634651&cid=24461415):

CAcert is working to be included by default in all Mozilla Foundation software [mozilla.org]. CAcert [cacert.org] is based on having certificates for everybody, not just for paying customers. They are already included in many current distro versions of Firefox [cacert.org]. There's no objection in the Mozilla Foundation to including certificate authorities like CAcert in Mozilla. Mozilla just needs to verify that they are secure [mozilla.org] - a process that takes a long time and doesn't cost any money - otherwise they could undermine the security of their users. Five minutes of research would have shown this.

For this problem to be solved, the most popular F/OSS browser(s) must accept self-signed certificates. If Mozilla is unwilling to change their policies, it would be worth the effort of trying to create a *more popular* fork with full SSL functionality.

This shows a lack of understanding of computer security practice. Self-signed certificates are something that 90% of users need to be wary of because if you allow them by default, phishing sites will use them to their advantage and steal data, and Mozilla will be blamed for it because they'd be the only one to not warn about self-signed certificates. This is why people are warned and this is why there's already an override procedure in place so if you're one of the 10% of the users impacted by it, you can work around it.

This article seems like an attempt to insert drama where recognized security professionals already have agreed that this is best practice. Wait until CAcert is in Mozilla, and if it gets special treatment by not being treated the same as all of the other CAs, then you'll have something.

If the purpose of the Firehose is to vet articles, it's not doing a good job.

Re:Bad Article (1)

unity100 (970058) | more than 6 years ago | (#24464881)

This article seems like an attempt to insert drama where recognized security professionals already have agreed that this is best practice. Wait until CAcert is in Mozilla, and if it gets special treatment by not being treated the same as all of the other CAs, then you'll have something.

'security professionals' do not build the web, nor do they constitute the market, or the people.

there are a LOT of community websites (that cater to thousands of people, the smallest one), small businesses, their customers, vpn users, a lot of people that are going to be hurt by this overly self righteous move.

it is easy to be indignant and force stuff upon people, saying 'it is the right thing', while working on an open source project part time, from a secure, corporate level information technology job.

one thinks it seems right for you, and therefore it is probably right for others. of course, all the while clueless about how many people, businesses, organizations and communities use self signed certs throughout the web, just because of their isolated position.

I do not agree on your article (0)

Anonymous Coward | more than 6 years ago | (#24464829)

Certificates for most domains can be issued by a trusted root if you can get access to one of a few e-mail addresses on the domain. Other certs can be ordered if you commit fraud and use false letterhead. So the trusted roots are most often not trusted.

If my browser trusts Equifax, then it basically gives no security at all.

The only way to get SSL working again, and prevent man in the middle, is by zapping all trusted roots in the browser, and let the user individually accept whatever certs he trusts. He will then get a warning every time a server changes cert.

The trusted roots can stay, so the user has an option to see who issued a new cert.

Why would I trust the security of my online banking, credit cards etc. to a company in Uruguay? Everybody does, as it is a trusted narcs^H^H^H^H^Hroot dealer.

CN = SERVICIOS DE CERTIFICACION - A.N.C.
OU = SERVICIOS ELECTRONICOS
O = ADMINISTRACION NACIONAL DE CORREOS
C = UY

There are some major issues to trusting so many roots, with different validation requirements.

Trust no one (1)

luca (6883) | more than 6 years ago | (#24465001)

You're right, it's extremely stupid to defer trust to a group of 3rd parties that have demonstrated in the past that they're not really good at verifying the identity they supposedly certify.
Firefox should just have no preconfigured ca and pop up the warning with every new ca it sees, asking "do you trust verisign/thawte/whatever? Here are some links about their track record."
Alas, users are stupid and they'll just click OK anyway.

Mozilla is right (1)

rlp (11898) | more than 6 years ago | (#24464839)

People who know what they are doing can easily add an exception for a test or in-house cert. People who don't know what they are doing are less likely to be taken in by a phishing site using a self-signed cert. So, what's the problem?

it is stupid anyway (1)

unity100 (970058) | more than 6 years ago | (#24464845)

it's basically letting go of half of the security for improving the other half.

let's see, what are proponents of this saying? they are arguing "ssl is not just about encryption, it's also about knowing that you can trust the source"

well, that's basically an entirely stupid approach, when you consider that a LOT of websites who are now using self signed certificates will be just removing ssl encryption rather than pay yearly fees to a 'certified' vendor or annoy their users with the HORRIBLE 'you're being hacked!' style ssl warning in ff3.

what happens? basically you will have let half of the security go while improving the other half. net gain? zero.

utterly stupid.

Mozilla is correct (5, Insightful)

Antibozo (410516) | more than 6 years ago | (#24464851)

I think the author makes Mozilla's case for them, by not appearing to understand the risks, especially at a time when DNS cache poisoning has become unusually feasible. E.g., the statement

Snooping a connection (i.e. on a wireless link) is much easier than any of the impersonation attacks that SSL authentication prevents.

is simply not true for clients of unpatched DNS servers. It's much easier for an attacker to get a remote user's traffic redirected to a host of his choosing than it is for him to snoop on that user's traffic. Volume-based attacks on DNS become increasingly easier as bandwidth increases, and people who operate botnets have a good chance of poisoning a cache even on patched nameservers, simply through brute force. Meanwhile, that smaller class of attackers who are in a position to actually snoop on traffic are also in a position to use an arp spoofing attack. Encryption is simply not useful without knowing whom you're encrypting to.

If you're feeling lucky, you can always add the exception. You can also sign your certs with a CA cert, and import that into your certificate database. Of course, anyone who trusts that CA cert also trusts you not to generate bogus certs for bankofamerica.com, etc... The solution to the problem is not to make the browser more trusting by default; it's to migrate away from X.509 to a PKI that allows domain owners to generate certs at no additional cost, such as a DNSSEC-based PKI.

I think Mozilla has it 100% right.

Self signed certs (1)

cdrudge (68377) | more than 6 years ago | (#24464853)

So add the issuing server to the list of authoritative CAs. Only do this if you have secure control of the machine but it gets rid of the whole need to add an exception.

The best post in this story (0)

Anonymous Coward | more than 6 years ago | (#24464871)

So the argument is that encryption should be encouraged but that the current error message can only be avoided via 1) unencrypting traffic or 2) paying money to a trusted cert provider.

Encouraging encryption is good but unfortunately no one can come up with a good way of encouraging encryption whilst avoiding phishing sites (and other attacks). In fact stopping phishing is so bad that it was deemed more important than encryption.

So what's your proposed solution to distinguishing between these two things? Well there isn't one. The closest you get is to say that "Obviously it shouldn't show a green address bar [like a trusted cert]".

The usability problems of expressing a 'dangerous site' are many and until you come up with a way of clearly expressing the distinction between encrypted sites and phishing sites then you won't get far Nat. Firefox 3 made the right choice for the majority of users who are non-technical.

Non-profit issuer the solution? (1)

SplatMan_DK (1035528) | more than 6 years ago | (#24464875)

Perhaps establishing a non-profit issuer is a possible solution?

Similar to the concept of OpenDNS it could be a free (as in freedom) and very cheap alternative to the large commercial certificate issuers?

If I wanted to undertake such a project myself, thereby contributing to the community, what would it involve? (I am ready to pull some cash out of my pockets, but I am no millionaire, just a tech-geek, so be realistic). And do you have the expertise to help establish such an "openCertificate" service?

- Jesper

No, it is not considered bad for the web.Blogrant. (5, Insightful)

mxs (42717) | more than 6 years ago | (#24464877)

I originally meant to post this as a comment to the blog post, but apparently the author does not care about testing their commenting feature. This alone should already tell you stories about how much thought he puts into this stuff.

-+-
Why in the world are you singling out Mozilla in this? Every browser has this policy.

Every browser has avenues to add new root certs, too (I can just create my own CA, offer the certificate file on the web, and let users install that; all future communication with a site that has a certificate signed by that CA will not be bothered with these error messages). This may not be 100% convenient, you are correct. But it's not as if it was hard to do if you want to give your users the option of using encrypted sessions.

Oh, and there IS a way to get your shiny new non-profit CA into the main Firefox builds. All you need to do is comply with their procedures and requirements -- which include policies on how you verify the identity of the certificates you sign, how revocations work, etc., and requiring specific minimum requirements in these. If you think you can run a proper CA for free for everybody with proper identity checking and day-to-day operations, do it and get it added!

The default position Mozilla takes is quite simply that the CA should verify the identity of the entity the certificate is being issued to. You may not think that it is important for this to be such a prominent user interface feature, but many people do. Every user can add an exception for your site, you can add a CA of your own, you can get certified by a nonprofit CA (good luck finding one; I agree that most of them are scumbag operations that try to extract as much money from you as possible, but I have yet to see a proposal which both ensures identity checking and revocation management while being completely free ... Maybe you'll find a way).

This has nothing to do with network neutrality. Nothing at all. A more proper comparison would be comparing this situation with that of 2nd-level domain names. You can't get a .com domain for free, either. Nor a .net or .org or most of the country TLDs. You can open up your own Registrar (but will still have to pay dues for domains registered), just as you can open up your own CA. It'll be a rocky road, and it'll not be free -- least of all in work required.

My sites work just fine with SSL certs signed by my very own CA. Firefox displays them just fine (either by adding the root cert of my CA to it, or by simply adding an exception). All other browsers work fine, too. If you have visitors or customers that require validation of your certificate by a third party, you are SOL. But then again, you also would be were the warning worded differently (and there SHOULD be a warning for a certificate that is not signed by a trusted CA or one which you explicitly told the browser to trust. No matter what. Self-signed certs are alright for encryption, sure, but I want my browser to have a default setting of warning me when something is happening that very well could be an attack; especially when I have taken care to add a specific trusted CA (say, the one by my university)).
-+-

Firefox 3 forgetting SSL certs (1)

Idimmu Xul (204345) | more than 6 years ago | (#24464885)

We use a lot of self signed certificates for a lot of our internal, non customer facing sites, things like Nagios, Munin, etc. Most of our IT department are all running the latest Ubuntu Hardy with Firefox 3, and whilst Firefox's initial behaviour when it sees a new site using one of our certs is as described, it's not the end of the world as you just click through it and save the cert.

The real bitch is every few days everyone's Firefox instances are forgetting the cert, so we're having to go through the process every couple of days. I don't know if this is a bug, or new behaviour (aka a feature) but it's really annoying and driving me mad.

SSL with unsigned certs makes little security sens (1, Insightful)

Anonymous Coward | more than 6 years ago | (#24464887)

I've written an article criticizing the behavior in Firefox 3 [...]restricting encrypted HTTP to paying customers

Unfortunately, self-signed SSL certificates are vulnerable to man-in-the-middle attacks - for example, dodgy coffee shop WiFi, airpwn [evilscheme.org], DNS cache poisoning, corrupt ISP employees, ISP/government conspiracies, and so on.

Now, if it's just you and some friends using your server you can e.g. memorise the key fingerprint. But then, you can also add the self-signed key at whatever computer you happen to be using.

If you're facing a larger audience, however, self-signed certificates do not provide sufficient security as, though they protect against passive snooping, they do not protect against the very real risk of active (man-in-the-middle) snooping.

If you think Mozilla should have redesigned the SSL security model into a web of trust that's all very well, but frankly beyond Firefox's scope IMHO.

they provide encryption and that matters (2, Interesting)

unity100 (970058) | more than 6 years ago | (#24464925)

EVERYthing on the web is susceptible to various attacks. yet, we are not mandating anyone to pay to some 3rd party source for a 'fix' in any of them. yet, it is the case of ff3 and the self signed certs. how come ?

so you people are basically arguing that because there can be man in the middle attacks, we should be forcing EVERYONE into the lap of verisign ?

how populist, how public minded, how democratic.

HTTPS better than HTTP, always (1)

Frol (52495) | more than 6 years ago | (#24464917)

In my opinion the main point the article makes is:
- HTTPS with a self signed certificate is in no way worse than HTTP.

With HTTPS you are protected against all attacks that simply snoop your traffic. You are not protected against a man-in-the-middle attack, but they are much harder to perform. Thus, I believe a HTTPS connection should be shown exactly as a normal HTTP.

Also, think of the new law in Sweden that will allow a government agency to SNOOP all traffic transitioning the Swedish borders. They are not allowed to alter your data, and thus cannot fake a man-in-the-middle-attack.

Accept self-signed certs and I hack you in no time (5, Insightful)

rpp3po (641313) | more than 6 years ago | (#24464935)

When do people finally realize that self signed certificates don't work? If I share your WLAN access in a public cafe it's really no big deal to play man in the middle and exchange the presented certificate for my own. Ok, it's more work than without, but not much (about 5 minutes). The only case where self-signed certificates can be secure is when you manually verify the validity of a certificate beforehand and save it in your cert store. If your first check of a certificate's validity happens to be while I'm attacking you (maybe because you are visiting the site for the first time) you will "verify" my hacked one. And don't tell me about hashes on webpages. Maybe 1 in 1000000 users checks this once in a while for pure curiosity, but not more.
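An added example, not written by any commenter in this thread and not Mozilla's code, of the fingerprint comparison several comments here argue about: a pin store that separates a fingerprint verified out of band from one merely accepted on first contact. The host name and the certificate bytes are constructed stand-ins for real DER data, and `PinStore`, `Verdict` and `scenario` are hypothetical names.

```python
import hashlib
import hmac
import ssl
from enum import Enum


class Verdict(Enum):
    MATCH_VERIFIED = "matches a fingerprint verified out of band"
    MATCH_TOFU = "matches whatever was presented on first use"
    FIRST_USE = "never seen before, nothing to compare against"
    MISMATCH = "differs from the pinned certificate"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' as browsers and tools print it."""
    cleaned = fp.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned


class PinStore:
    """Maps host -> (fingerprint, verified_out_of_band)."""

    def __init__(self):
        self._pins = {}

    def pin_verified(self, host: str, fp: str) -> None:
        # Fingerprint obtained over a separate channel (phone, paper, in person).
        self._pins[host] = (normalize(fp), True)

    def check(self, host: str, der: bytes) -> Verdict:
        seen = fingerprint(der)
        if host not in self._pins:
            # Trust on first use: the pin is only as good as this one connection.
            self._pins[host] = (seen, False)
            return Verdict.FIRST_USE
        pinned, verified = self._pins[host]
        if not hmac.compare_digest(pinned, seen):
            return Verdict.MISMATCH  # the existing pin is kept, never overwritten
        return Verdict.MATCH_VERIFIED if verified else Verdict.MATCH_TOFU


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch a server's leaf certificate without validating it (needs network)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


# Constructed stand-ins for DER bytes; a real caller would use fetch_der().
HOST = "intranet.example"
REAL_CERT = b"constructed: self-signed certificate of intranet.example"
MITM_CERT = b"constructed: self-signed certificate minted by an interceptor"


def scenario(first_contact_intercepted: bool, out_of_band_fp: str = None):
    """Verdicts for a first visit followed by a later visit to the real server."""
    store = PinStore()
    if out_of_band_fp is not None:
        store.pin_verified(HOST, out_of_band_fp)
    first = MITM_CERT if first_contact_intercepted else REAL_CERT
    return [store.check(HOST, first), store.check(HOST, REAL_CERT)]


if __name__ == "__main__":
    known = fingerprint(REAL_CERT)
    for label, result in [
        ("clean first visit, no prior pin", scenario(False)),
        ("intercepted first visit, no prior pin", scenario(True)),
        ("intercepted first visit, pin verified beforehand", scenario(True, known)),
    ]:
        print(label, "->", [v.name for v in result])
```

In the second scenario the interceptor's certificate is what gets pinned, so the first session raises no alarm and the mismatch only surfaces once the real server is reached; with a fingerprint verified beforehand the interception is flagged on the first connection.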

Am I missing something here? (1)

itsdapead (734413) | more than 6 years ago | (#24464947)

TFA seems to imply that Firefox won't let you connect to a HTTPS server using a self-signed certificate. Not so.

Having just successfully connected to a self-signed HTTPS server using Firefox 3, I really can't see how it differs from (say) Safari or Internet Explorer.

All of these browsers pop up a warning dialogue that might scare off an uninformed user.

All of these browsers also allow you to connect anyway. Look at TFA: you can see the "add an exception" link in the screenshot from Firefox. Click that, and Firefox will bug you no more.

So what is the argument? Is the Firefox dialogue box somehow scarier than the equivalent scary warnings in Safari and IE? Is it the little icon of the Customs guy making users worry that if they click on "add an exception" they'll hear the snap of the rubber glove?

Agree w/Mozilla: crypt w/o authentication useless (0)

Anonymous Coward | more than 6 years ago | (#24464959)

Hello,

Without some assurance of who you talk to (authentication), encryption is useless, since an attacker can insert themselves in the middle (called a 'man-in-the-middle attack', MITM, as done by some Chinese ISPs) without you noticing. Mozilla is 100% correct in their approach; some crypto-fascists would even go further and not allow an exception through only 4 clicks.

Please learn some crypto before you complain about it.

Best regards,

os10000

What's wrong with good security?? (1)

traveler007 (821318) | more than 6 years ago | (#24464985)

I think the following is misleading:

"restricting encrypted HTTP to paying customers"

It doesn't restrict SSL to paying customers, it simply warns if the cert is self-signed, but does give you the option of accepting it anyway. What's wrong with putting good security first, but letting the user override?

I smell an ego-fuelled activist. (1)

julian67 (1022593) | more than 6 years ago | (#24464989)

The entire article is based on a false premise (and some hysterical shrieking), which is that connection to self-certificated SSL-encrypted websites is unavailable. It is simply not true and the author is apparently either woefully incompetent or is dishonest. I smell an ego-fuelled activist. I hadn't been aware of Firefox's behaviour so I tried the self-certificated example offered. As mentioned by other posters it's 4 clicks to add an exception. What I really appreciate is that Firefox's dialogues explain the situation in layman's terms, i.e. clearly and concisely, and let even an uninformed user make an informed decision. This seems to me to be ideal. It is certainly a much better approach than I've experienced with older versions of Firefox, or with Epiphany or IE6/IE7 where it always feels like a roll of the dice when trying to make a quick decision.

Letting go of privacy, for more security (1)

unity100 (970058) | more than 6 years ago | (#24465003)

also do not forget that increasing privacy violation, deep packet inspections, surveillance and snooping is a MAJOR problem in every part of the world as of now.

ssl encryption provides the people with increased privacy, and makes it a tad harder for governments trying to peep on people.

yet, with this self righteous ssl cert move, firefox 3 is actually going to DETER the usage of self signed certs, and make it easier for governments or any interested party to snoop on many web users.

great move. very public minded.

Re:Letting go of privacy, for more security (1)

Frol (52495) | more than 6 years ago | (#24465035)

Exactly, you lose nothing by using a self-signed certificate, but gain protection from deep packet inspection and other entities who shouldn't be reading your data anyway.

Re:Letting go of privacy, for more security (1)

unity100 (970058) | more than 6 years ago | (#24465081)

precisely so. and i think that is our biggest problem as of now, since many countries from Turkey to and even Sweden, leave aside USA, have started monitoring everything that passes their countries' networks.

Overkill... (1)

david.emery (127135) | more than 6 years ago | (#24465007)

A warning to the effect that the site's identity could not be verified is what should be done here. And it should take -1- click to proceed (if you so choose, and with an option to permanently add this certificate to a list of accepted certificates.)

One can argue with the SSL approach that handles both encryption and identity with a single solution, but it is legitimate to use self-signed certificates when all you care about is encryption.

The same behavior should apply to email user agents.

Side issue: Whatever happened to the idea of an 'open source' certificate user? It bothers me that there is a list of closed (and not cheap) certificate authorities.

dave

Exceptions and Options (1)

Proudrooster (580120) | more than 6 years ago | (#24465045)

I haven't tried Firefox v3 or even read the criticism, but isn't this an option that can be enabled or disabled under options/exceptions? I doubt that this would get put in there without the option to turn it off. The reason I 'assume' this is because MANY companies accidentally let their security CERTS expire. If someone forgot to renew their CERT, like GMAIL [theregister.co.uk] did last month and there was no way to create an exception, imagine the interruption. It took me a while to figure out what had happened after I upgraded Firefox last time and couldn't get to Gmail.

Number of holes in the author's argument (5, Insightful)

bconway (63464) | more than 6 years ago | (#24465055)

A.) You don't need to buy certs from Mozilla, you can buy them from any number of CAs, for as little as $10. There are some free CAs, as well.
B.) This isn't in any way related to network neutrality.
