Firefox 3 improves handling of invalid SSL certificates
I have downloaded the beta of Firefox 3 to check out the improvements related to SSL. First, there's the added support for Extended Validation SSL certificates, but I am not very excited about that (I wrote about this previously in Extended Validation SSL certificates not going anywhere, as predicted). It's a nice feature, but it's not going to bring much good overall. On the other hand, I am very happy with the improvements to the handling of invalid SSL certificates.
Firefox 2.x allows users to simply click-through their way to a site that uses an invalid certificate. There is a warning of some sort, but who reads warnings anyway? (Internet Explorer is not much better in this respect, although at least its warning is very clear about not recommending the user to proceed.)
With Firefox 3.x, the situation is much better. First you get the same style of error response as you would for any other network problem:
The beauty of this page is that it does not allow you to proceed to the site. To go through you have to create an exception, which is a multi-step process that you can start by clicking on that link at the bottom. You then get the following:
Another warning; very good. Clicking the Add Exception... button gives you the form that is used to actually create exceptions. There's a nice final warning on the top of the form, which will hopefully deter those who will be attempting to create an exception for the wrong reasons:
The changes represent a great step forward, and significantly reduce the likelihood of successful man-in-the-middle attacks. Still, I wouldn't mention exceptions at all on the error page: advanced users will find a way to do what they must, but normal users are better-off not knowing anything about exceptions.
Update (7 May 2008): My request to make hide the functionality to create exceptions from the error page was rejected. It's good to know that the issue was considered, even if the decision is not the one I would have made. Daniel Veditz pointed me to Johnath's blog post, which describes the history behind the new SSL error page. Very interesting.
I believe this is a bug. I have amended browser.xul.error_pages.expert_bad_cert and browser.ssl_override_behavior but it is still too difficult to access a page with an unsigned certificate. I agree there should be a single dialogue box warning as in Firefox 2 but it should not be more difficult.
If I want to easily access a site with an unsigned certificate I should be able to do so. I feel the Firefox developers are treating me as if I were an idiot.
An option should be available, in about:config perhaps to keep inexperienced users away, to return the functionality to how it was in Firefox 2.
Posted by: johnboy | July 13, 2008 at 02:14 PM
This is really similar to the way IE7 does it, but of course FF3 does it better. I don't see an issue with this, we need to get users back to reading prompts, not just auto-accepting as has been taught to them by the windows, next, next, next finish procdure.
I am sure I could pop-up a window on a users machine on a website that said "To continue we will need to wipe all your saved files" "OK" "Cancel". I am sure 90% would click ok.
Posted by: Morgan Storey | July 16, 2008 at 03:02 AM
I've just upgraded to FF3.0.1 manually, as updates were turned off.
In Serbian version of FF3.0.1 I manage to visit https:// with invalid certificate.
I would have to try and see, but this is my first 5 minutes of using the updated FF. You could try it too.
Posted by: Nikolas | July 17, 2008 at 04:02 PM
You know what's even funnier, In a moment of pure crazyness I visited https://mozilla.org, and got this:
mozilla.org uses an invalid security certificate.
The certificate is only valid for *.mozilla.org
(Error code: ssl_error_bad_cert_domain)
Good job guys!
SSL: Secure Socket Layer, way of providing secure connection to a service on the internet. In no way should this imply the validation of the authentity of the service, I just want the data I send to be sent in an ensrypted manner and not plain text.
There should be something else Authentified SSL.
By treating people like idiots they become more idiot.
Posted by: SomeoneElse | July 18, 2008 at 02:15 PM
The new SSL handling of Firefox is VERY annoying. When I connect to an application server on my OWN machine it refuses complaining about self signed certificates. I don't even get the option to connect any way. Why should I have to bother to add a certificate to the application server on my developpment machine?
If you have security concerns, fine, keep your Nazi dialog as default, but give me the option to disable it in the configuration somewhere.
Posted by: Leander Eyer | August 05, 2008 at 05:22 PM
Personally, I'm contemplating either downgrading to Firefox 2 or switching to Opera because I can't find how to disable this disruptive behavior in Firefox 3.
I'm an adult, and I'd gladly take responsibility for my own browsing if the browser could at least let me. I don't want to be annoyed every time I encounter a message board with an expired certificate: I just want to read the posts Google pointed me to! My time is too valuable to fight with Firefox 3 all the time I hit a new one.
Also, in Firefox 2, you could elect to accept a broken certificate "just this once." With Firefox 3, our only options are to either go away, or accept the certificate PERMANENTLY.
Anyone serious about security would tell you that's a huge step backwards.
Posted by: Annoyed User | November 21, 2008 at 11:57 PM
You can add the exception temporarily, just untick the box "permenantly store this exception". Seriously about security this warning is simply there to let people know that the certificate is expired, to let them know the risks.
If it is a self signed cert, and you know that you can safely add the exception permenantly then use this as a type of security as if the cert exception comes up again you know you have been redirected.
Personally I think the new method is fine, it is clearer that you have hit upon an error. Try IE7/8 it is truly difficult, and tries through colouring and other methods to get you to not continue to the site.
Posted by: Morgan Storey | November 23, 2008 at 09:50 PM
I find this Firefox "handling of invalid SSL certificates" a bogus mess each time I attempt to log on to my server, I have to jump through the hoops placed in my way by this "handling". It would be fine if the damn "permanently store this exception" button actually stored this preference PERMANENTLY. It DOES NOT... Every time I go onto the Internet I have to jump through the hoops to get online.
I know its the Servers fault, right, but this discussion is about a failed component that PERMANENTLY is to store users preference.
I have resorted to logging on using IE, pushing one button, close and then open FF3 and not be hassled with the whole mess...
Posted by: Steve | January 24, 2009 at 06:35 AM