Firefox 3 improves handling of invalid SSL certificates
I have downloaded the beta of Firefox 3 to check out the improvements related to SSL. First, there's the added support for Extended Validation SSL certificates, but I am not very excited about that (I wrote about this previously in Extended Validation SSL certificates not going anywhere, as predicted). It's a nice feature, but it's not going to bring much good overall. On the other hand, I am very happy with the improvements to the handling of invalid SSL certificates.
Firefox 2.x allows users to simply click-through their way to a site that uses an invalid certificate. There is a warning of some sort, but who reads warnings anyway? (Internet Explorer is not much better in this respect, although at least its warning is very clear about not recommending the user to proceed.)
With Firefox 3.x, the situation is much better. First you get the same style of error response as you would for any other network problem:
The beauty of this page is that it does not allow you to proceed to the site. To go through you have to create an exception, which is a multi-step process that you can start by clicking on that link at the bottom. You then get the following:
Another warning; very good. Clicking the Add Exception... button gives you the form that is used to actually create exceptions. There's a nice final warning on the top of the form, which will hopefully deter those who will be attempting to create an exception for the wrong reasons:
The changes represent a great step forward, and significantly reduce the likelihood of successful man-in-the-middle attacks. Still, I wouldn't mention exceptions at all on the error page: advanced users will find a way to do what they must, but normal users are better off not knowing anything about exceptions.
Update (7 May 2008): My request to hide the functionality for creating exceptions from the error page was rejected. It's good to know that the issue was considered, even if the decision is not the one I would have made. Daniel Veditz pointed me to Johnath's blog post, which describes the history behind the new SSL error page. Very interesting.
The way Firefox 3 handles invalid SSL certificates is just plain stupid. They're losing major usability and it is too damn obscure for a normal user how to "add an exception".
A few days ago, when accessing my univ. web page I got this new invalid SSL certificate page and my girlfriend promptly said "That's odd, I've never seen this page offline".
She's quite tech savvy and I'm sure she'd figure out how to proceed after a few moments. But I doubt the common web-browsing-only people would ever READ the message and even if they did, they wouldn't figure out what the heck this exception to SSL certification thing is.
This is a large backstep in ease of use IMO.
Posted by: Caio Nascimento | April 29, 2008 at 08:22 PM
It's only a large step backwards if you think that Firefox should optimize the experience to the benefit of attackers and broken websites.
If, on the other hand, you think that Firefox should help users make informed decisions about their online safety, then it's a huge step forward.
There are many who, like the author of this post, think that the exception UI should be hidden or go away entirely.
Web sites using invalid certs should be fixed. They're the boy crying wolf so much that users don't notice when the real wolf is at the door. They should be shamed and badgered out of this bad behavior.
In the meantime, while we wait for them to clean up their busted sites, users get real actionable information and a much better warning system for when they are being targeted by the bad guys.
- A
Posted by: Asa Dotzler | April 30, 2008 at 03:16 AM
It's a pain in the ass for all websites using CAcert certificates, too. I wrote about this some time ago in my blog.
Posted by: Alex | April 30, 2008 at 12:06 PM
@Caio,
You should really be angry at your University, because today, when SSL certificates are as cheap as they are, there is really no excuse for a proper site to use an invalid certificate. The issue at stake is the ability to detect man-in-the-middle (MITM) attacks, which occur when someone hijacks the communication channel between you and the site you are visiting. One of the design goals for SSL was to be able to resist such attacks. When an MITM attack takes place, it manifests through an invalid certificate. Thus, in order to understand they are being attacked, the users must be able to differentiate between valid and invalid certificates.
Posted by: Ivan Ristic | April 30, 2008 at 03:08 PM
Alex, CAcert has not passed the audit necessary to have its root certificate approved for inclusion in Firefox (or other Gecko-based products). You can see exactly why here: https://bugzilla.mozilla.org/show_bug.cgi?id=215243#c158
- A
Posted by: Asa Dotzler | April 30, 2008 at 07:36 PM
If you think this is going to really stop MITM you're really misinformed. EV SSL is a better approach but it is still not great. The problem with the Internet is there is no true way for a user to authenticate properly with a server. (take a XSS attack on a website and load it with malicious script from another website)
Now Firefox is a dog's breakfast for handling SSL websites. It's like Vista - with its User Announce control. They need to handle trusted sites a lot easier. For internal intranets for companies this is a pain, even breaks sites like google. If you have 1,800 intranet sites in the bank I work for, there is no way they are going to pay for that many certs.
Basically, the bank was going to roll Firefox after my years of pushing for a better browser than IE, however, with version 3.0 we have decided that the pain is not worth it.
I am very annoyed, I love good security but this is over the top and users don't know how to do this, so we are training them once again in bad security....Great!
Posted by: Andrew | May 01, 2008 at 09:19 PM
Andrew,
Would you care to explain how one can execute a successful MITM attack without breaking SSL? With Firefox 3, if an MITM attack is executed the site will just break with an error page. Exactly the outcome needed to prevent exploitation. With Firefox 2 the user will simply click through the warning message and fall into the hands of the attacker.
Why doesn't the bank you work for have its own root certificate embedded in all internal browsers? That would allow them to issue their own certificates for free. Sounds like bad planning to me.
Posted by: Ivan Ristic | May 01, 2008 at 09:36 PM
Hi Ivan
Would you care to explain how one can execute a successful MITM attack without breaking SSL?
In two ways:
- the most common way it is broken today - from browser hijacks / spyware / trojans. Is Firefox 3's new SSL processing going to help with that? No. [Better anti-phishing protection would help a lot more]
- the user is still the weakest link, the user will learn to click through 3 pages then one will bring about the same amount of MITM attacks. [due to a number of the sites they go to not working anymore]
There has only been a 4% decrease of people not entering their passwords from clicking on links in emails. So come on, is Firefox 3 going to stop this? No. It's going to make people move to other browsers like Safari. There is a fine line between usability and security, and I think in this case Firefox 3 did not get it right. I think they got it right for EV SSL.
From real life experience, better web url filtering protection is a lot better than standard SSL certificate verification.
As for certificate processing, always hard to get right. Take a look at the code for NSS crypto library 3.12, which changes the whole certificate verification code. This will make writing chaining rules easier, but one bug in this could bring Firefox, Thunderbird, etc. to its knees.
Extended Validation certificates are a better approach than doing this UI craziness as it's easy to train users to see changes to the address bar in color that they are at paypal and not paypa1.
As for your point on CA certificates and internal browsers, yeah we have a very detailed internal CA process. Our production servers all use this. However we have development servers, integration servers, etc. For our PKI team to support all these developer domains would be a $3m cost. A lot of cost for rolling out a new browser.
cheers,
andrew
Posted by: Andrew | May 01, 2008 at 10:37 PM
On Usability, the FF3 pages are unreadable for the normal web surfer.
Let me walk you through it, comments inline:
As from above
The certificate is not trusted because it is self signed
----- how many people know what a self signed certificate is? -------
----- should be the certificate could not be verified by someone you trust ----
The certificate is only valid for Unknown
------ What??? this means nothing for the end user ------
(Err code: sec_error_untrusted_issuer)
---- another waste for the end user -----
- This could be a problem with the server's configuration, or it could be someone trying to impersonate the server
---- hmmm, how does the user check for that, should be something like: did you really want to go to the website : , we can't verify that it's authentic, if you proceed, proceed with caution. Maybe an anti-phishing check.
- If you have connected to this server successfully in the past, the error may be temporary, and you can try again later
---- so they come back later and still same problem....they might NEVER get past this point...bad messages again ----
The messages need to be clear to the user, they aren't, they are great for security professionals but not good for users.
I am all for improving security of the Internet, this is just too much knee jerk and not enough thinking. IMHO
cheers,
andrew
Posted by: Andrew | May 01, 2008 at 10:47 PM
Andrew,
What you describe is not breaking SSL, it's finding other ways to intercept the communication channel. To defend against workstation compromise is out of the scope of Firefox, or any browser. Same for phishing through email. I agree with you on the second point, except that my opinion is that Firefox 3 is not doing enough to hide the exception interface from the users.
On the point of usability, I fully agree with you. The message needs to be reworded to hide the technical details and to give clear instructions to the users (to not proceed and to try to contact the web site operator somehow to deal with the problem).
Posted by: Ivan Ristic | May 02, 2008 at 11:06 AM
FYI, I've submitted two bugs to the Firefox development team:
Handling of invalid SSL certificates lacks in usability
https://bugzilla.mozilla.org/show_bug.cgi?id=431826
Exceptions for invalid SSL certificates are too easy to add
https://bugzilla.mozilla.org/show_bug.cgi?id=431827
Posted by: Ivan Ristic | May 02, 2008 at 11:31 AM
The Firefox 3.0 GUI handling of not validated certificates is the worst example of GUI interface "dialog" with the user ...
The GUI science is about interpreting human "intention". So, the GUI solution to this problem is simple:
i) Firefox detects a site with a not validated certificate
ii) Firefox informs the user of the incident, with a "do you want to know more about certificates and security?" link, but a just simple dialog box with two buttons "Add Security Exception", "Cancel navigation to this site"
iii) End of story
KISS !!!
Posted by: orlando | May 02, 2008 at 05:37 PM
Thanks Ivan, much appreciated!
Posted by: Andrew | May 04, 2008 at 09:57 PM
Ivan, did you see how Mozilla broke all those good efforts with something inherently stupid? See https://blog.startcom.org/?p=86
For all those in need of a legitimate server certificate I invite them over to http://www.startssl.com/ to get them for free. It's an effort we have been making for years to provide basic certification without cost and demand is certainly rising even more with the advance of FF3. I hope this helps anybody worried about the new exception handling.
Posted by: Eddy Nigg | May 23, 2008 at 12:48 PM
Eddy, you don't do your cause or your business any good by going around bashing Mozilla because your business is threatened by EV.
Posted by: Asa Dotzler | May 23, 2008 at 06:32 PM
Oh no, it's not! In that case you must have misunderstood something essential about the issue I mentioned above. Did you read it? Using the site icon (favicon), which is under the control of the web site, as the indicator for SSL is an inherently unlucky design decision to say the least!
StartCom isn't threatened by EV, but I can't disclose more about this subject right now. Watch my corner for surprises...
Posted by: Eddy Nigg | May 23, 2008 at 11:14 PM
Exceptions are singularly difficult to add here. The error page does not give me an option to add an exception.
(Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0)
Posted by: vx0 | June 19, 2008 at 05:55 PM
Eddy, I am not happy with the new UI either, especially with the removal of the yellow colour. It's what users have been trained to observe (in all/most browsers); breaking that is only asking for trouble. I've been using FF3 for a while now, and I find it _really_ difficult to know if a site is secure or not.
Posted by: Ivan Ristić | June 19, 2008 at 06:53 PM
For me Firefox3 made the web unusable.
Nearly any page uses self-signed certificates to provide a https connection.
Most users will change the browser and switch over to disannoying - less secure - browsers like IE.
The consequence of this malicious attack towards the user is that true Firefox users like me will head over to FF2 or IE.
Cheers
Posted by: Sunbird | June 22, 2008 at 11:35 PM
I run my home gateway with a self-signed certificate and I find FF3's behavior odd. Simply whenever I try to access my site via FF3, I get the familiar warning ending with "or you can add exception" pointing to "javascript:showSecuritySection();".
Clicking on it shows additional information: "Немојте додавати изузетке ако користите везу којој не верујете у потпуности, или ако нисте навикли да добијате упозорења о овом серверу." [In English: "Do not add exceptions if you are using a connection you do not fully trust, or if you are not used to receiving warnings about this server."] Still it doesn't offer any further way of enabling access to my site intuitively.
Is my browser's behavior any different than yours (due to language issues?). Is there another dialogue box that I could use to add an exception?
Posted by: nikolas | June 24, 2008 at 08:23 PM
@Nikolas, I too have noticed inconsistencies in how FF3 behaves when it comes to SSL certificates. You may be encountering a bug preventing you from adding an exception. I don't have any problems doing that.
On the other hand, just the other day I went to this web site and FF3 complained with a message that said: "Certificate type not approved for application". No further explanations, no option to create an exception. This is a site I used to access normally with FF2.
Posted by: Ivan Ristić | July 03, 2008 at 11:43 AM
If I may add to this, on three desktop PCs (XP and Vista) where I have the Serbian version of Firefox installed the problem remains. On my Linux box FF3 (standard English-US) acts just as you described (allowing me to add exceptions).
[I have just verified all of this again, to make sure there's consistency to its behavior.]
Posted by: nikolas | July 04, 2008 at 08:46 PM
Firefox just broke every home & business internal network that uses CUPS. https://server:631/ :(. Not very good at all.
Posted by: Someone | July 06, 2008 at 03:15 PM
Additional:
Now I have to use safari to do the job. What's next, do I have to go back to lynx to manage printers?
Posted by: Someone | July 06, 2008 at 03:17 PM
Hi, I get the message: An error occurred during a connection to www... SSL peer cannot verify your certificate. (Error code: ssl_error_bad_cert_alert) when I try to connect to ANY URL. The certificate is gone, and now Firefox 3 keeps the name of the website with the bad certificate in the upper left corner of a blank page, ignoring any URLs in the search bar. I cannot get it to accept any addresses. How do I get FF to ignore this website? Thanks, Ray
Posted by: Ray | July 11, 2008 at 06:02 PM