Firefox 3, SSL and self-signed certificates

First off, for those who know what I’m talking about and are just as pissed…the fix! (sorta)
Open about:config and set the follwing settings:
browser.xul.error_pages.expert_bad_cert: true
browser.ssl_override_behavior: 2

This brings you down from five clicks to “only” two. :-/

So, a while back I got sick of the nag dialogs, caved and updated to Firefox 3. It works pretty much just as well as FF2, but one thing has been bugging me: Encrypted sites are second-class citizens. In previous FF versions (and pretty much any browser known to mankind), if you visited a site which had SSL encryption turned on but no “respectable” certificate, you would get a simple warning dialog about it, with the option to stop or continue (one click). Now however, this one-click process has been replaced by an extremely cumbersome process of navigating through several warnings, examining the certificate, and adding a special exception to the browser settings for that certificate (permanently). Now, viewing any of the Web’s increasingly “encrypted for the heck of it” pages is a giant pain in the ass.

By “respectable” certificate, I mean something that has been purchased from a certification company such as Verisign with an annual maintenance fee (currently about $400/yr), after said company has (claimed to have) performed some background checks on you to ensure that you are really who you say you are. The certificate then vouches, to any random onlooker, that your site is actually operated by you. This makes great sense if you are a bank, of course. You want your customers to know you’re really the bank, not some guy who bought a bank-like domain. For everyone who isn’t a bank, though, the main purpose of SSL is to encrypt data between the server and the user’s PC, preventing any random monkey-in-the-middle (bored local-yokel ISP admins, airport Wifi no-goodniks) from viewing or tampering with the data flowing between them. Since random hobbyists and bloggers can’t or won’t (and, ahem, shouldn’t) pay $400 a year for a CA certificate just to give away free content, this has historically been accomplished for free by a self-signed certificate, i.e. a certificate generated by the webmaster himself. Obviously, while it performs the encryption task just as well, it cannot vouch for the identify the webmaster – but if Joe’s Blog is just trying to keep some braindead ISP / censorware from “re-expressing” the site, is Joe’s SSL-enhanced blog less secure than Joe’s plain unencrypted HTTP (which does not generate alarm bells from Firefox) blog?. Duh, of course not. So why treat it as though it is?

Some more correct solutions would be:

  • Present the Dire Warning Dialog matryoshka exactly once. At the third click is the “I know what I’m doing” checkbox for advanced users which reverts behavior to that of to FF2 and most every other browser in existence (i.e. single-click dismissal for users who understand the difference between encryption and authentication). This approach worked surprisingly well on my LSP-Fix utility, which allows advanced (potentially destructive) operations with an “I know what I’m doing” checkbox and appropriate warnings about how much fun it is to reinstall one’s OS.
  • Same as #1, but with a very brief SSL test the user must pass to enable the checkbox, to prove they really understand the difference between encryption and authentication – or for that matter, between either of those and security.
  • Keep the 1-click dismissal from the start, but fix the wording for novices: WARNING: This site is no more secure than Joe Blow’s random blog. Do not submit your credit-card number or anything else you wouldn’t put on the frontpage of the New York Times.
  • Display a bright red titlebar / address bar and the familiar “broken padlock” symbol for sites with unverifiable certificates. A Bright Red Something works very well as a persistent visual reminder, hours after the dialog-clicking has faded from memory (I use this approach on any GUI logged in as administrator/root, reminding me that I have the power to really screw myself.)
  • Release the SSL behavior fix for FF3 as an extension that must be manually installed, for clueful users who want to surf Comcast-proofed sites in peace Looks like a Moz developer’s already done it, though compatibility with different FF3 versions sounds a bit hit-and-miss.

A Mozilla developer’s (non-SSL-encrypted) blog on the subject explains some of the logic behind this UX nightmare, including the (semi-sensible, I must admit) rationale behind making exceptions permanent by defaut. (This, too, should have an advanced-user override switch – I for one don’t want to permanently accept bad certs as good.) Be glad for what you got though, apparently they had initially decided not to allow self-signed pages to be accessed AT ALL.

(Yeah, apparently I’m not the first person to take offense at this behavior, though my beef is not so much in the wording but the sheer ten-click time-wastage and the implication that some encrypted sites are somehow less secure than plaintext ones.)

Leave a Reply