Comments on: Firefox 3, SSL and self-signed certs

By: Dmytry

Dmytry — Thu, 04 Mar 2010 18:58:01 +0000

“SSL does not provide any security without identity”
You, being a developer, should know full well that SSL without identity does provide security against sniffing, which is the reason why routers commonly use SSL, and why every login form should use SSL (people use same password on multiple sites). Sniffing is a lot easier than man in the middle, and is extremely common.
You’re using your knowledge to knowingly mislead and misinform less technically inclined users with half truths or worse, less than half truths; that is in my opinion extremely shameful.
Furthermore, phishing is not affected by this warning due to fact that phishers are for most part NOT using self signed or expired certificates.

By: Can we disable Firefox’s stupid self-signed encryption dialog? « Richard WM Jones

Sat, 21 Nov 2009 10:19:34 +0000

[...] lot has been written about how Firefox’s stupid dialog is a big step backwards for the [...]

By: Firefox 3 handling of SSL Certs is broken « Fiji Ecuador Seattle Greece Montana

Tue, 13 Oct 2009 17:38:26 +0000

[...] http://www.0xdeadbeef.com/weblog/?p=521 [...]

By: John Wulf

John Wulf — Wed, 07 Oct 2009 06:18:06 +0000

OH MY FIN GAWD…. I am an IT tech. I have 25 routers around the country. MOST are the same model of nergear, FVS318. I am FINALLY getting around to storing these in my favorites directory. I stored one, then 5 days later I connected to another one, planning on storing it, but OH MY GAWD, I can’t even connect to it, because IT is using the SAME self signed certificate that the previous Netgear device is using, and I added an exemption, and NOW I get a failure that I can’t even click around. I had to go find the previous certificate that I had added and exception for, delete it, then add this exception, which I will have to delete once I connect to the next one….
Just take this pistol and shoot me why don’t you.

By: Christopher Blizzard

Christopher Blizzard — Tue, 07 Jul 2009 08:13:18 +0000

You can install this add-on if you want:

https://addons.mozilla.org/en-US/firefox/addon/6843

Bypasses all those “improvements.”

By: Robert

Robert — Tue, 07 Jul 2009 00:02:29 +0000

For people who spend a significant part of their day working with hardware devices Firefox is no longer even an option. You have “improved” yourself out of the hunt…I suppose I could run IE7 under Wine…it actually sucks (as opposed to being poorly implemented) but I can connect to my hardware with it.

Better yet, where is the source code? I could get my guys to remove that “improvement” and recompile.

By: Tom

Tom — Thu, 28 May 2009 05:44:10 +0000

Why can we not disable this? At least for a specific subset of hosts…

I understand the goal, but some people want a browser that “just works” and for all of our internal machines and network devices with self-signed certificates Firefox no longer “just works”.

Please fix this. soon.

By: nmn

nmn — Tue, 19 May 2009 06:56:36 +0000

This whole mess has made me start pushing users to move to Google Chrome or SRWare Iron over Firefox. Please fix it. It’s ridiculous, I have to go through an ordeal just to help someone through a self-signed page that has no intentions whatsoever of preventing man-in-the-middle. And no, there’s not a single damn soul who would care whether or not it takes 4 steps or 1 to go to the page; they’re either going to go or not, it doesn’t matter how many jumping jacks you ask them to do. Take it from Google, they’ve mastered ease of use and security in one swipe and they’re doing it in one step.

I don’t want to offend, but this is absolutely ridiculous to deal with. There at least should be a way to disable via about:config. Didn’t anyone think about the possibility that what they were doing was just about as effective as UAC? (annoys users, still makes it completely plausible to get exploited – although to the power user, UAC actually has value. Not only that, UAC can be disabled.)

Something must be done about this. This is a big deal.

By: boblogic

boblogic — Mon, 18 May 2009 22:53:33 +0000

I’m sick of people forcing their “naderers” (“Once their naderers go, they do the damnedest things”; ‘Deus Irae’ Philip K Dick), down my throat, then telling it’s for my “safety”. Let me count the ways …

Firefox & Epiphany (self signed certs rejected), Ubuntu Jaunty (boot to root login disabled, su to root doesn’t work because Gtk+ GUI is broken after an su/sudo [because of a Gnome re-write ]), 3Ware 3DM2 raid management software requiring root access and said Gtk+ GUI for installation, and https (for “security”, even on localhost) with a self-signed cert for access.

So a one hour RAID controller install turns into an 18-hour ordeal.
(I’m skipping a couple of hardware problems. 6hr h/w, 12hr s/w)
To quote the CAPTCHA below “not kindness”. How Ironic.

I suggest all software has 3 configuration levels.
Experts: All naderers disabled.
PowerUsers: Only the most important naderers enabled.
Novices: More naderers enabled;
Know Nothings: As many naderers as you can think of.

From the depths of my ennui,
boblogic

P.S. I also hate the cluttered, annoying “smart bar” with no off switch.
To turn it off, you have to install a plugin/extension, which opens more security holes. It’s called “cutting the string in two, then tying the ends together to make it longer”.

By: Kevin Gunn

Kevin Gunn — Mon, 27 Apr 2009 16:02:08 +0000

Wow. This has turned into a major pain for me!

I understand the security desire, but even making changes in about:config in 3.0.9 I’m stuck.

In my case I just want endpoint-to-endpoint encryption to my home system for a couple of pages I have there to prevent eavesdropping along the way. There HAS to be a better way…