More Discussion About How Firefox 3 Handles SSL Certificates

Though it has been talked about many times before, several sites, including Slashdot, continue to discuss whether Firefox 3 handles invalid SSL certificates in the right way. On the Pingdom blog an articles entitled New SSL policy in Firefox hurting tens of thousands of sites comments on how Firefox 3 displays a big ugly warning when it encounters a self-signed or expired certificate.

The blog attempts to explain how common it is for SSL certificates to expire:

Expired SSL certificates are actually quite common. According to a study by Venafi, referenced here, as many as 18% of the Fortune 1000 websites have expired SSL certificates.

According to Netcraft data, the number of SSL websites passed 600,000 in 2007. If we make a rough estimate and assume the same ratio as for the Fortune 1000 websites, that would mean that there are around 108,000 websites with expired SSL certificates. All these would get the “error page” in Firefox 3.

Anyone can forget to update their certificate; some examples are Google (for Adwords, Checkout and Gmail), Yahoo! and LinkedIn.

 It then explains how to get around the error using this nice graphic:

1. The initial error page. It basically looks like any other error page that would show up when you can’t load a page. Note the little “Or you can add an exception…”
2. When you click on the link you get the two buttons ”Get me out of here!” and “Add exception”, as well as an additional warning.
3. Get the certificate, provided you clicked on “add exception”.
4. Accept the certificate.
5. Finally land on the actual page.

Though Johnathan Nightingale, the designer of this interface in Firefox 3, has commented about why it was done this way, people continue to debate. The comments posted on Slashdot about this issue at least seem to be more aware of the security concerns than previous posts have been. For example, bunratty commented:

It's supposed to be creepy, because it may be the only warning you're the victim of a DNS poisoning and you're not at the site you think you are, or you're the victim of a man-in-the-middle attack and your "encrypted" communications are being intercepted and read. At least in Firefox 3 you need to add an exception to see the site, so you see the warning only once. In Internet Explorer 7, you can see the site by clicking a link, but you will see the scary warning every time you visit the site. Users will disregard the warning if they see it very often, making the warning ineffective.

Mike Fratto from InformationWeek has commented about this issue in his article, Untrusted SSL Certificates Indicate A Failure.

Originally posted on Fri Aug 22, 2008

Comments

Duane(2014-12-13)

So let me see, just so people only see the warning once per bad certificate means they won't click through willy nilly, of course that's assuming that they don't hit most or all the 108,000 sites with expired, but previously legit certificates in which case they will end up clicking through time after time after time in any case. Do these developers even eat their own dog food?

Henk(2014-12-13)

This approach to self signed or expired certs does more harm than good. Here is what is happening: 1. Users have no choice than to accept the certificate. They want to access the site and the popups are in the way. 2. At first you read the cert as you have been told. After 100 certs that look okay (do you know what to look for?) you get really annoyed and ignore the warning. 3. Then when a real malicious site is encountered, you just click accept. In effect the FF approach has exactly the unintended effect. By giving constant false positives in warnings the alarm function disappears and turns into an annoyance. FF has trained the user to ignore real warnings. What should happen is very simple (to explain): A good site should give no warning and a malicious site should give a big fat security warning. If you don't know how to build such a system then don't pretend to do the right thing by annoying people.

pleva(2014-12-13)

well I would accept giving the exception for the site i trust once when using FF3. But it looses the information when you delete cookies after closing FF. So every time you come to your trusted site FF gives you that same stupid information again and again. GET rid of such stupid programmer mistake.

Richard(2014-12-13)

We recently updated our site with a cert from a pretty well known SSL provider. After a full install and check, firefox (on the PC, not Mac) decided that the cert could not be trusted. Cost us some £300.00 to put right (dropped our Hosting provider, bought a VPS and now looking for a new cert). With Firefox making up 30% of all users online now, it's best to plan ahead. Hope chrome puts them in a grave.... it ain't good business expecting devs to play catch up with your browser...

xprt(2014-12-13)

Good thing this is fixed already, also you should use https://en.wikipedia.org/wi...