Since the release of Firefox 3 I’ve gotten this question over and over again:
Why does Firefox 3 make it so hard to use self-signed certificates?
It was pointed out to me, rightfully so, that this tends to affect the free software community more than others because it’s easier for technical people to set up self-signed certs. True, but we did it for a good reason.
Johnathan has a post up that talks about SSL in Firefox 3, a post that I hope will put some of those questions to rest. He talks about why we did it, what the change was and how it’s actually an improvement and brings better security to the web. It’s worth a read.
-
Anyone currently using a self-signed certificate should go get a certificate from StartCom instead. It costs nothing, and most non-IE browsers accept it. IE users will continue to see a warning, but they get warned for self-signed certificates anyway.
-
I’m quite simply not believing this positively affects security without data, period. It is too contrary to what I know about human nature.
Craft a version of Firefox that randomly claims a cert is invalid, even when it is fine, and let’s see what some real data looks like when you install it with the permission of your friendly neighborhood librarian (remember, no actual security change, we have just modified Firefox to claim to be insecure when things are in fact fine). I’d bet 95% of people will still go to gmail or BB&T with a bad cert error.
–Rob
-
I like the way it handles self-signed certs better than the way it used to. Instead of getting a dialog every time you visit the site, you now only have to override it once, and it’ll never bother you again unless the cert changes. You can actually tell it now “I explicitly trust this certificate” and it believes you. You couldn’t do that on Firefox 2, especially if there was a hostname mismatch on the cert (say you’re cheap and only have one IP and are hosting several domains on it, and more than one of them uses SSL). That gives me peace of mind, knowing that Firefox will tell me if the cert changes.
-
Trackback from journal zen - by Vincent on August 6, 2008 at 11:52 am
-
I guess none of the developers use a Linksys WRT54G router. Because this thing, each time it reboots, it changes the certificate. Worse. If you made the exception permanent, you are double screwed, as I had to *guess* which certificate to remove from the list to be able to at least access my wireless router.
-
Hub: I have a Linksys WRT54G (two of them, actually), and I never noticed that. Of course, the fact that I immediately wiped the default firmware and re-flashed them with OpenWRT after getting them probably has something to do with that. Linksys makes awesome router hardware, but their firmware is usually lacking a bit. Putting third-party firmware on them gives you a kick-ass router without lots of strange problems like randomly-changing SSL certs and randomly-dropped connections.
-
I don’t mind seeing a warning as in Firefox 2. I do find it excessive when I have to click half a dozen times to dismiss the warning. Moreover it is the same warning no matter what the reason is to declare the certificate as “invalid”. Very numbing and uneducating.
-
Explaining why you did it doesn’t make it better. It’s simply broken by design. SSL is about privacy as much as about authentication and 99.9999% of all warnings are false positives for perfectly legitimate sites. Which makes it stupid. And even if a warning is ok, the huge warning sign with the 4 click procedure to get rid of it is borderline idiotic. Fix it please.
-
“If you can’t prove who you are talking to then you can’t prove that the connection is secure”
That is true, you cannot prove that the connection is secure. But if you are connected to the correct website and there is no man-in-the-middle attack (which will be the case almost all the time) SSL is still better than simply using http because other people cannot listen to your communication.
So even not-verified SSL has its uses. Identity may be a huge part of SSL but it sure as hell isn’t everything.
And even if that was not the case, nobody argues against a warning. But no 500*500 red pixel warning which forces you to do a 4-click marathon to get rid of it. How about a good old popup window with:
The encryption of this site isn’t authenticated by a verified authority so the identity cannot be proven.
* Bring me out of here
* Ignore once
* Ignore always for this site.
That’s how potentially dangerous actions like executing downloaded files, looking at attachments and allowing programs access to the firewall are handled across a multitude of products. I (and everyone else) want to be in control of the computer, not the other way round.
You may be correct in principle, but if almost everyone who is using your product doesn’t like how something is done and a change is easy, perhaps it would be good to acknowledge this and simply change it.
-
Ever use a Cisco Guard? Arbor Networks Peak Netflow? Linksys WRT54G w/ DD-WRT? Juniper Web Interface? Most hardware based devices which have an SSL web interface will use an unsigned certificate. Well, I admire the principle behind it and the guts to do it, etc. etc., but it makes my life a lot more difficult now that I have to go through multiple screens just to get around the warning. As long as the communication between my browser and the hardware device is encrypted, I’m ok. I don’t care if it was signed by Thawte or Verisign, etc. That’s good for banks and commerce sites, but if you’re working with various hardware, it becomes a real hindrance. I’m just looking for a way to disable it, or bring back the Firefox 2.0 behavior, or something. Either an option in the browser, or even an extension/addon. It’s damned annoying.
-
Hi. The new self signed ssl thing sucks. With all due respect. Here’s why – I’m currently developing a website to track local reptile and amphibian populations in Shasta County – with the worldwide amphibian decline, we’ve already lost a few and some others are almost gone – scattered in small isolated populations that aren’t reproducing. No one in the science community seems to be tracking the populations until it is too late.
So I’m putting together a site explicitly for the purpose of allowing hobbyists to upload their field data, and we can track populations. This needs a login, and login should be secure. All I’m using SSL for is registration, user prefs, and login.
I ain’t paying for a SSL cert, I’m already spending hosting fees plus many hours of database/php development, and I’m not making a dead dime.
Because I want the site to be safer for my users by providing an SSL login, Firefox has the audacity to tell users that I’m not a legitimate site because legitimate sites won’t ask them to accept a self signed cert?
With all due respect, screw you! Handle it the way Opera does – just as secure, less of a PITA.
SSL is intended to provide a secure public/private key encryption.
Many PUBLIC websites have legitimate use for such encryption that do not need the hassle and extortion fees of certificate authorities.
You want to warn my users that you do not recommend credit card / personal info be submitted, fine – I don’t want or ask for that stuff anyway. I just want to know when and where the frogs are hopping and the snakes are crawling. But to tell my users a legitimate public site wouldn’t ask them to accept a self signed cert? That’s a flat out presumptuous lie. Plenty do.
I’m sorry for the tone of my rant, but if I wanted a “big brother” giving the choice of not using SSL (less secure for my users), paying a fee I have no need to pay as a site that does not ask for sensitive information, or having my users jump through hoops – I’m sorry, but I find that highly offensive.
As a Linux user exclusively, I’ve been an advocate of mozilla for years – since very early on in the pre 1.0 days. This however really ticks me off.
Take care,
Michael A. Peters
PS – my Linksys wireless router also uses a self signed cert, another legitimate use of SSL that doesn’t need a certificate authority signature …
-
So, what makes SSL certificates so expensive? Why can’t they be as cheap as a domain name? Why can’t each domain have SSL for free?
-
Wow. This has turned into a major pain for me!
I understand the security desire, but even making changes in about:config in 3.0.9 I’m stuck.
In my case I just want endpoint-to-endpoint encryption to my home system for a couple of pages I have there to prevent eavesdropping along the way. There HAS to be a better way…
-
I’m sick of people forcing their “naderers” (“Once their naderers go, they do the damnedest things”; ‘Deus Irae’ Philip K Dick), down my throat, then telling it’s for my “safety”. Let me count the ways …
Firefox & Epiphany (self signed certs rejected), Ubuntu Jaunty (boot to root login disabled, su to root doesn’t work because Gtk+ GUI is broken after an su/sudo [because of a Gnome re-write ]), 3Ware 3DM2 raid management software requiring root access and said Gtk+ GUI for installation, and https (for “security”, even on localhost) with a self-signed cert for access.
So a one hour RAID controller install turns into an 18-hour ordeal.
(I’m skipping a couple of hardware problems. 6hr h/w, 12hr s/w)
To quote the CAPTCHA below “not kindness”. How ironic.
I suggest all software has 3 configuration levels.
Experts: All naderers disabled.
PowerUsers: Only the most important naderers enabled.
Novices: More naderers enabled;
Know Nothings: As many naderers as you can think of.
From the depths of my ennui,
boblogic
P.S. I also hate the cluttered, annoying “smart bar” with no off switch.
To turn it off, you have to install a plugin/extension, which opens more security holes. It’s called “cutting the string in two, then tying the ends together to make it longer”.
-
This whole mess has made me start pushing users to move to Google Chrome or SRWare Iron over Firefox. Please fix it. It’s ridiculous, I have to go through an ordeal just to help someone through a self-signed page that has no intentions whatsoever of preventing man-in-the-middle. And no, there’s not a single damn soul who would care whether or not it takes 4 steps or 1 to go to the page; they’re either going to go or not, it doesn’t matter how many jumping jacks you ask them to do. Take it from Google, they’ve mastered ease of use and security in one swipe and they’re doing it in one step.
I don’t want to offend, but this is absolutely ridiculous to deal with. There at least should be a way to disable via about:config. Didn’t anyone think about the possibility that what they were doing was just about as effective as UAC? (annoys users, still makes it completely plausible to get exploited – although to the power user, UAC actually has value. Not only that, UAC can be disabled.)
Something must be done about this. This is a big deal.
-
Why can we not disable this? At least for a specific subset of hosts…
I understand the goal, but some people want a browser that “just works” and for all of our internal machines and network devices with self-signed certificates Firefox no longer “just works”.
Please fix this. soon.
-
For people who spend a significant part of their day working with hardware devices Firefox is no longer even an option. You have “improved” yourself out of the hunt…I suppose I could run IE7 under Wine…it actually sucks (as opposed to being poorly implemented) but I can connect to my hardware with it.
Better yet, where is the source code? I could get my guys to remove that “improvement” and recompile.
-
OH MY FIN GAWD…. I am an IT tech. I have 25 routers around the country. MOST are the same model of Netgear, FVS318. I am FINALLY getting around to storing these in my favorites directory. I stored one, then 5 days later I connected to another one, planning on storing it, but OH MY GAWD, I can’t even connect to it, because IT is using the SAME self signed certificate that the previous Netgear device is using, and I added an exemption, and NOW I get a failure that I can’t even click around. I had to go find the previous certificate that I had added an exception for, delete it, then add this exception, which I will have to delete once I connect to the next one….
Just take this pistol and shoot me why don’t you.
-
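The two device situations described in the comments above (the earlier one about overriding a self-signed cert once and being told only when it changes, and the Netgear and WRT54G reports) come down to how a trust-on-first-use pin store is keyed. The following is an added illustration written for this page; it is not Firefox code and does not describe how Firefox 3 stores its exceptions. It pins the SHA-256 fingerprint of the leaf certificate per host, so two routers that ship the same factory certificate each get their own entry, and a router that regenerates its certificate on every reboot trips the pin each time. The hostnames are hypothetical and the “certificates” are constructed byte strings standing in for DER so the scenarios run offline; the `fetch_leaf_der` helper shows how the real DER bytes would be obtained with the standard library.

```python
import hashlib
import socket
import ssl
from typing import Dict, Tuple

# Constructed sample certificates. In real use these are the DER bytes returned by
# getpeercert(binary_form=True); here they only need to be distinct byte strings.
NETGEAR_SHARED_CERT = b"constructed DER: one factory certificate shared by a router model"
WRT54G_CERT_BOOT_1 = b"constructed DER: WRT54G certificate generated at boot 1"
WRT54G_CERT_BOOT_2 = b"constructed DER: WRT54G certificate generated at boot 2"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, the value a browser displays."""
    return "sha256:" + hashlib.sha256(der).hexdigest()


class PinStore:
    """Trust-on-first-use store keyed by host.

    Keying by host rather than by certificate is what lets two devices that share
    one factory certificate each hold their own override without colliding.
    """

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    def check(self, host: str, der: bytes) -> str:
        """Return 'unknown' (host never pinned), 'match' or 'mismatch'."""
        seen = self._pins.get(host)
        if seen is None:
            return "unknown"
        return "match" if seen == fingerprint(der) else "mismatch"

    def trust(self, host: str, der: bytes) -> None:
        """Record the override the user chose once for this host."""
        self._pins[host] = fingerprint(der)

    def forget(self, host: str) -> None:
        """Drop a pin, e.g. after the user confirms a legitimate cert change."""
        self._pins.pop(host, None)


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server's leaf certificate as DER without CA validation.

    CA validation is switched off only so the certificate can be read and pinned;
    the caller still has to run PinStore.check before sending anything.
    This is the one network-touching helper and is not used by the offline scenarios.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def scenario_shared_factory_cert() -> Tuple[str, str, str]:
    """Two units of one model with the same cert: host-keyed pins do not collide."""
    store = PinStore()
    store.trust("router-a.example", NETGEAR_SHARED_CERT)
    second_unit = store.check("router-b.example", NETGEAR_SHARED_CERT)  # not pinned yet
    store.trust("router-b.example", NETGEAR_SHARED_CERT)
    return (
        second_unit,
        store.check("router-a.example", NETGEAR_SHARED_CERT),
        store.check("router-b.example", NETGEAR_SHARED_CERT),
    )


def scenario_cert_changes_on_reboot() -> Tuple[str, str]:
    """A device that regenerates its cert at boot: the pin fires on the new cert,
    which is the signal the scheme exists to give, at the cost of a fresh override
    after every reboot."""
    store = PinStore()
    store.trust("wrt54g.lan", WRT54G_CERT_BOOT_1)
    before_reboot = store.check("wrt54g.lan", WRT54G_CERT_BOOT_1)
    after_reboot = store.check("wrt54g.lan", WRT54G_CERT_BOOT_2)
    return before_reboot, after_reboot


if __name__ == "__main__":
    print("shared factory cert:", scenario_shared_factory_cert())
    print("cert changes on reboot:", scenario_cert_changes_on_reboot())
```

The trade-off the two scenarios expose is the one the thread is arguing about: a pin that fires whenever the certificate changes is exactly the check that catches an unexpected cert on a host you already trust, and it is also why a device that mints a new certificate on every boot produces a warning on every visit.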
“SSL does not provide any security without identity”
You, being a developer, should know full well that SSL without identity does provide security against sniffing, which is the reason why routers commonly use SSL, and why every login form should use SSL (people use same password on multiple sites). Sniffing is a lot easier than man in the middle, and is extremely common.
You’re using your knowledge to knowingly mislead and misinform less technically inclined users with half truths or worse, less than half truths; that is in my opinion extremely shameful.
Furthermore, phishing is not affected by this warning due to the fact that phishers are for the most part NOT using self signed or expired certificates.
27 comments
Trackback link: http://www.0xdeadbeef.com/weblog/2008/08/firefox-3-ssl-and-self-signed-certs/trackback/