Firefox 3 handling of SSL Certs is broken

There must be a million posts on the internet (and no doubt some scrawled in frustration on bathroom walls) about Firefox 3 and it’s broken handling of SSL certificates.

https://support.mozilla.com/tiki-view_forum_thread.php?comments_parentId=158991&forumId=1

Commentary  is as numerous as complaints.  Though there’s little in the way of action.

http://www.freesoftwaremagazine.com/columns/self_signed_certificates_and_firefox_3_possible_solution

http://www.cs.uml.edu/~ntuck/mozilla/

http://www.gerv.net/security/self-signed-certs/

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1326622,00.html

http://www.0xdeadbeef.com/weblog/?p=521

http://www.pcworld.com/businesscenter/article/150215/debating_the_firefox_ssl_certificate.html

In particular, self-signed certificates have 2 issues.

One is just a really bad UI design based on a misunderstanding by the folks at Firefox (RIP Mozilla) of what:

  1. SSL is used for and
  2. a certificate authority does.

That issue is that Firefox actually blocks people from visiting sites they want to visit in a misguided attempt at protecting them from themselves.  Their theory is that if it is theoretically possible for someone to intercept internet communication (it hasn’t been done in real life yet), adding several buttons saying “beware”, “warning”, and “go away” will stop people from wanting to visit sites on the internet that haven’t paid a company $20 to join the “safe companies on the internet” club.

Note to Firefox: Anyone who goes to the effort to intercept internet communications is willing to spend $20 to join that club.  They’re shooting for a minimum gross income of at least $21 anyway to make it worth their while.

Firefox doesn’t realize that the real reason people want to use SSL is to protect their communication on the internet.  They trust the source, they want to give them money (or information) and don’t want anybody snooping inbetween.  They want encryption, and they want host verification.  They don’t really care about the Verisign logo (which is actually extra now) in the corner of the browser.

But since back in 1995 (before the IPO), the only income Netscape could get was from a little startup (with government backing) who thought they could create a brand of the “safe internet club” and sell it to businesses wanting to “get online” and their plan was to put their logo in the browser.   So because pre-IPO Netscape got government money channeled through a would-be entrepreneur bereaucrat (who was beat by a solo programmer from South Africa who used their monopoly buy-out money to go to Space) we have Firefox 3’s horrible UI for “beware of the non internet safe club website”

PS.  self-signed certs are most definitely proof that the host is who they say they are.  You can’t go phishing by showing your ID.  The real issue is with DNS.

But enough about their deliberately bad UI.  Microsoft’s is little better.  That’s just to show a potential motive for why they’ve ignored the real problem for years.

“Permanently store this exception” seems to be temporary

Firefox 2 just had a popup warning. There was a byzantine and obscure way to actually bypass their silly marketing scheme disguised as warnings, but Firefox 3 has been broken since day 1, as far as I can tell.  Firefox 3 actually avoids the popup (for some strange reason — not enough XUL, I guess) and it’s easier to find a way to turn of their Verisign spam (which is kind of pointless for the internal networks it troubles most), but the problem is that when you check “Permanently store this exception” — it doesn’t.

It’s a lie and they know it.  They pretend it isn’t an issue, they try to scare ignorant people that the world will end if they use a self-signed cert, or they try to change the subject.

http://blog.johnath.com/2008/08/05/ssl-question-corner/

I believe many of them just don’t understand the issue, don’t understand what SSL is for and how it works, and are just too lazy to try to reproduce it.  But you can’t really deny it when there is a third party extension published on your own website that actually tries to fix the bug:

Remember Certificate Exception

Of course, my additional problem (and the cause for this rant) is that the Remember Certificate Extension doesn’t work with Selenium.  You can’t automate around the problem.  Firefox 3 is dead in the water for SSL in testing environments (where you almost always have to self-sign — or use an “untrusted” verifier for your certs.)

And what’s more, Firefox won’t let you download Firefox 2.

Advertisements

3 thoughts on “Firefox 3 handling of SSL Certs is broken

  1. http://blog.johnath.com/2008/08/05/ssl-question-corner/

    The above link by the Firefox employee responsible, who accuses anyone of complaining of calling him dumb, but then proceeds to evade the question as if he really doesn’t understand it — which might be possible. He actually seems to not understand the usability issues, but is very disingenuous about the security implications, and refuses to acknowledge the real bug.

    The one thing he is correct on is that warnings about SSL sites are not new. The difference now (and the reason everyone is up in arms) is that you can’t work around it (without the RCE plugin).

    They have a big friendly window (which used to be a more user-friendly pop-up dialog) that says “Permanently store this exception” in small print, but it doesn’t do it. It’s a bug. You can disagree about whether it should be permitted (and be wrong) but if you’re not going to allow it, don’t say you do.

  2. http://blog.thirstybear.co.uk/2008/05/selenium-and-https.html

    The problem – you want to test a web site where you get a popup to accept an unrecognised certificate, eg when using a self-generated certifictate. Selenium cannot click on the resulting confirmation window, but worse still Selenium does not store your decision even though you have selected ‘permanently accept’ manually the first time.

    The solution – basically Selenium is launching a clean copy of the browser each time. So you need to create a persistent profile to use each time

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s