Comments on: Firefox 3, SSL and self-signed certs

By: Robert

Robert — Tue, 21 Jun 2011 15:34:57 +0000

I’d settle for a warning and the option to carry on gracefully. The current set-up is nearly unworkable and turning all the warnings off is silly. The last time I checked there were more options than #000000 and #FFFFFF

By: scooter

scooter — Tue, 21 Jun 2011 03:18:12 +0000

@Christoper. Looks like the bypass [MitM Me (SSL Error Bypass) firefox plugin] for this improvement has been disabled by the adminstrator.

By: Dmytry

Dmytry — Thu, 04 Mar 2010 18:58:01 +0000

“SSL does not provide any security without identity”
You, being a developer, should know full well that SSL without identity does provide security against sniffing, which is the reason why routers commonly use SSL, and why every login form should use SSL (people use same password on multiple sites). Sniffing is a lot easier than man in the middle, and is extremely common.
You’re using your knowledge to knowingly mislead and misinform less technically inclined users with half truths or worse, less than half truths; that is in my opinion extremely shameful.
Furthermore, phishing is not affected by this warning due to fact that phishers are for most part NOT using self signed or expired certificates.

By: Can we disable Firefox’s stupid self-signed encryption dialog? « Richard WM Jones

Sat, 21 Nov 2009 10:19:34 +0000

[...] lot has been written about how Firefox’s stupid dialog is a big step backwards for the [...]

By: Firefox 3 handling of SSL Certs is broken « Fiji Ecuador Seattle Greece Montana

Tue, 13 Oct 2009 17:38:26 +0000

[...] http://www.0xdeadbeef.com/weblog/?p=521 [...]

By: John Wulf

John Wulf — Wed, 07 Oct 2009 06:18:06 +0000

OH MY FIN GAWD…. I am an IT tech. I have 25 routers around the country. MOST are the same model of nergear, FVS318. I am FINALLY getting around to storing these in my favorites directory. I stored one, then 5 days later I connected to another one, planning on storing it, but OH MY GAWD, I can’t even connect to it, because IT is using the SAME self signed certificate that the previous Netgear device is using, and I added an exemption, and NOW I get a failure that I can’t even click around. I had to go find the previous certificate that I had added and exception for, delete it, then add this exception, which I will have to delete once I connect to the next one….
Just take this pistol and shoot me why don’t you.

By: Christopher Blizzard

Christopher Blizzard — Tue, 07 Jul 2009 08:13:18 +0000

You can install this add-on if you want:

https://addons.mozilla.org/en-US/firefox/addon/6843

Bypasses all those “improvements.”

By: Robert

Robert — Tue, 07 Jul 2009 00:02:29 +0000

For people who spend a significant part of their day working with hardware devices Firefox is no longer even an option. You have “improved” yourself out of the hunt…I suppose I could run IE7 under Wine…it actually sucks (as opposed to being poorly implemented) but I can connect to my hardware with it.

Better yet, where is the source code? I could get my guys to remove that “improvement” and recompile.

By: Tom

Tom — Thu, 28 May 2009 05:44:10 +0000

Why can we not disable this? At least for a specific subset of hosts…

I understand the goal, but some people want a browser that “just works” and for all of our internal machines and network devices with self-signed certificates Firefox no longer “just works”.

Please fix this. soon.

By: nmn

nmn — Tue, 19 May 2009 06:56:36 +0000

This whole mess has made me start pushing users to move to Google Chrome or SRWare Iron over Firefox. Please fix it. It’s ridiculous, I have to go through an ordeal just to help someone through a self-signed page that has no intentions whatsoever of preventing man-in-the-middle. And no, there’s not a single damn soul who would care whether or not it takes 4 steps or 1 to go to the page; they’re either going to go or not, it doesn’t matter how many jumping jacks you ask them to do. Take it from Google, they’ve mastered ease of use and security in one swipe and they’re doing it in one step.

I don’t want to offend, but this is absolutely ridiculous to deal with. There at least should be a way to disable via about:config. Didn’t anyone think about the possibility that what they were doing was just about as effective as UAC? (annoys users, still makes it completely plausible to get exploited – although to the power user, UAC actually has value. Not only that, UAC can be disabled.)

Something must be done about this. This is a big deal.