There must be a million posts on the internet (and no doubt some scrawled in frustration on bathroom walls) about Firefox 3 and it’s broken handling of SSL certificates.
Commentary is as numerous as complaints. Though there’s little in the way of action.
In particular, self-signed certificates have 2 issues.
One is just a really bad UI design based on a misunderstanding by the folks at Firefox (RIP Mozilla) of what:
- SSL is used for and
- a certificate authority does.
That issue is that Firefox actually blocks people from visiting sites they want to visit in a misguided attempt at protecting them from themselves. Their theory is that if it is theoretically possible for someone to intercept internet communication (it hasn’t been done in real life yet), adding several buttons saying “beware”, “warning”, and “go away” will stop people from wanting to visit sites on the internet that haven’t paid a company $20 to join the “safe companies on the internet” club.
Note to Firefox: Anyone who goes to the effort to intercept internet communications is willing to spend $20 to join that club. They’re shooting for a minimum gross income of at least $21 anyway to make it worth their while.
Firefox doesn’t realize that the real reason people want to use SSL is to protect their communication on the internet. They trust the source, they want to give them money (or information) and don’t want anybody snooping inbetween. They want encryption, and they want host verification. They don’t really care about the Verisign logo (which is actually extra now) in the corner of the browser.
But since back in 1995 (before the IPO), the only income Netscape could get was from a little startup (with government backing) who thought they could create a brand of the “safe internet club” and sell it to businesses wanting to “get online” and their plan was to put their logo in the browser. So because pre-IPO Netscape got government money channeled through a would-be entrepreneur bereaucrat (who was beat by a solo programmer from South Africa who used their monopoly buy-out money to go to Space) we have Firefox 3’s horrible UI for “beware of the non internet safe club website”
PS. self-signed certs are most definitely proof that the host is who they say they are. You can’t go phishing by showing your ID. The real issue is with DNS.
But enough about their deliberately bad UI. Microsoft’s is little better. That’s just to show a potential motive for why they’ve ignored the real problem for years.
“Permanently store this exception” seems to be temporary
Firefox 2 just had a popup warning. There was a byzantine and obscure way to actually bypass their silly marketing scheme disguised as warnings, but Firefox 3 has been broken since day 1, as far as I can tell. Firefox 3 actually avoids the popup (for some strange reason — not enough XUL, I guess) and it’s easier to find a way to turn of their Verisign spam (which is kind of pointless for the internal networks it troubles most), but the problem is that when you check “Permanently store this exception” — it doesn’t.
It’s a lie and they know it. They pretend it isn’t an issue, they try to scare ignorant people that the world will end if they use a self-signed cert, or they try to change the subject.
I believe many of them just don’t understand the issue, don’t understand what SSL is for and how it works, and are just too lazy to try to reproduce it. But you can’t really deny it when there is a third party extension published on your own website that actually tries to fix the bug:
Remember Certificate Exception
Of course, my additional problem (and the cause for this rant) is that the Remember Certificate Extension doesn’t work with Selenium. You can’t automate around the problem. Firefox 3 is dead in the water for SSL in testing environments (where you almost always have to self-sign — or use an “untrusted” verifier for your certs.)
And what’s more, Firefox won’t let you download Firefox 2.