Firefox 3 developer explains "broken" SSL error pages

I used to use FireFox3. I am moving away from it more and more because I cannot finish my work.

I recently have gotten more and more of the:

signin.ebay.com uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.

(Error code: sec_error_unknown_issuer)

types of messages all over the net. As a user, I do not know or hardly know to care why. I want to complete my business, not mess around with the guts of internet security.

I am going to ebay to BUY an item. And am stymied by this message. I go to IE7 and for better or worse, I get done.

Bye, Bye FF3.

There should be seperate mechanisms for handling encryption and trust. Sometimes you don't need trust, you need encryption. Like an intranet. Sometimes you don't need encryption, you need trust.

Tying two very different concepts into one great, needlessly expensive, whole is ridiculous.

Firefox's warning doesn't help educate users. It's designed to scare them into being over-cautious so Firefox don't get bitched at. It doesn't help them make an informed decision and is detrimental to anyone who isn't in the business of selling SSL certificates (the large majority of which are completely free to produce anyway... even EV ones don't require much work).

I work in an environment that uses self signed certs for a variety of purposes within an isolated management network. The nature of the network is such that if the device is there, it is known and physically trusted. Physical isolation and locked data cabinets, security guards etc enforce all the security we need, and guess what. I can't tell firefox that "yes, it's ok *I* choose to trust this certificate.

Please - Mozilla - don't do this Microsoft BS! Don't *assume* - as you do in this rationale - that you know better than me what I *really* want, and what I don't want. I am a tech-savvy user - an engineer who knows a bit more than *you* do perhaps - and *I* and *I alone* am qualified to tell anyone *what I really want*. What I want is the freedom to choose how I use the technology in my environment.

Firefox has been good to me for so long. It's too bad I have to give it the flick over something as *stupid* as this.

Cheers

If "You never *just* want encryption" then why do they incluse DH ciphers?

Not to mention OpenPGP is part of the TLS family, I don't need some third party to tell me who is and who isn't my friends, of course anyone with enough money would be my friends.

If mozilla could, it would still be costly to mozilla. They need to get their root certificates into -all- browsers (read: IE especially [Good luck dealing with MS]). Then they need to verify the identity of the holder of any certificate before they sign it, which is a lot of paperwork. Being a CA is a lot of costly work and a difficult thing to do for free. And @Duane DH works fine until there is a man-in-the-middle which is the entire point of CAs in the first place. CA signed certificates are for businesses, and -aren't- that expensive for the people that need them.

Duane,

If you read Jonathan's quotes in the post you would realize that the lack of a certificate authority leads you open to a man in the middle attack. It doesn't matter what cipher you are using, without a certificate authority there is no way to bind a web address to a key in a trustworthy way.

Certificates *are* prohibitively expensive for many uses and an alternative system for more casual use (something like a web of trust) is certainly desirable. Self signing certificates however, really isn't a very effective solution, and Firefox's behaviour in this regard is wise.

This would solve the problem and do the world a favor. A free CA service is very much needed.

This could be handled the same way SSH and GPG have both handled it forever: you get the key, actually *look* at the certificate, check the fingerprint, and if it matches the one you memorized or wrote down, make an exception! Firefox 3 has a nice "Add an exception..." button, and it works just fine. The warning is ominous, because anybody who doesn't understand what it means is right to be afraid of it, and anybody who does understand what it means an ignore the ominousness and look at the cert.

Look, true self-signed certs are silly. Make your own CA and sign a server (and maybe a client!) cert with that, and add your personal CA to your firefox list of trusted CAs. It's point and click with "TinyCA2", assuming you're on linux.

Firefox SHOULD give a disconcerting message for self-signed certs.

Steve, you can tell Firefox to always trust a certificate. When you get the error, just click on "Add and exception" then click on "Add exception...", "Get Certificate", and then "Confirm Security Exception". The permanently store this exception checkbox is checked by default.

I think you could also import the certificate into Firefox's certificate store and you would never see that error message. You could also try one of the Firefox plug-ins that change this behavior.

I'm not going to argue with Nightingale as though he were not a raving lunatic. He's nuts (obsessive/compulsive) and misguided. Someone should say so. As a scientist/lawyer of nearly 40 years experience, guess its up to me.

Mozilla is ABUSIVELY imposing a POV on the internet based on a flawed understanding of security. The solution is new development management at Mozilla for the ssl handling of Firefox.
"Ownership" of a site is not the issue, what nutcase would think it was?

A certificate (or a signing cert) is verified as authentic by its fingerprint, obtained from a trusted source. It is that damn simple. Mozilla doesn't decide what is a trusted source, the user does. Mozilla does not decide what is proper risk/benefit for the internet, the Internet commmunity does.

Some level of warning and opportunity to verify and accept a certificate is warranted, but Mozilla's approach here is oppressive, over the top, unwise, unnecessary, and ultimately damaging to the internet and to Firefox.

This approach constructively forces use of "Trusted" CA signed certs in circumstances where these are not appropriate. What nutcase trusts Verisign anyway, I don't. The reality is the banks control and use and trust Verisign it for THEIR purposes of commerce. That's all. Only a stupid whackout on spiked koolaid would think otherwise, or would elevate a group of banking crooks to a position of authority on the internet.

Even Micro$oft knows better. Mozilla, FIRE somebody and get someone in their that can actually think and respond to community that uses your product. Do it or lose it. Hey.

Duane,
You have some good points. You always have a choice... just don't use Firefox.

"Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number."

If you get that error (the code being sec_error_reused_issuer_and_serial) then there is *no* way to add an exception. Can you not understand that I want to choose to whether to go to that site myself?

i use to love firefox but since i cant find a single easy way to fix this or to do my banking on- line i reccomend to drop firefox alltogether good by i use to love u

I just set up a self-signed certificate for an internal website. Both IE and Firefox will warn you that the certificate is not trusted. Since my users and I trust the internal systems, the constant warning does become a small annoyance, so I went about configuring the browser to accept the certificate.

In order to install the certificate into IE, you have to download the certifcate to each user's system and install it using a Windows wizard. You have to change the default setting to specify the certificate store - it must be placed in the "Trusted Root Certification Authorities" store for it to work. A few more click-throughs and it finishes.

In Firefox, you click on the "add exception" button, click another button, click a "Get Certificate" button, and then OK. Finished in about 5 seconds. If you want to save the certificate to a different location, you can change the default to something else.

Based on this experience, I'd say FF is easier and faster to set up, provides the same choices, and, like all open source software, gives you way more freedom than IE. All the hate flying around at FF just seems unfounded.

I am a system admin and have used FF for as long as I can remember.. however..

This new SSL policy has forced me to migrate dozens of networks off FF due to the SSL errors.. My clients use the USPS site for shipping and apparently, FF has decided that they are not trustworthy (Comodo cert no less)

I hope someone sees how this could be an issue and finds some kind of resolution (at the very least an bypass on a per site basis)..

Currently in testing with Safari and Chrome... this sucks...

Hi, several comments have been made about how difficult it is to use self signed certs in an intranet with many servers.
I use to work in a 20,000+ user and 100+ server organisation and we solved it by running our own CA and distributing the root CA certificate to all machines, we included the cert in all image builds for desktops and sent an email with a url pointing to the root CA to all users.
Importing this in to firefox and ie was not difficult, chrome was the odd one, it would just download the certificate rather than offer to import it.
This was a one hit operation, subsequently all server certs signed by our CA were trusted as if they were issued by a commercial CA.

Regards,
Andrew.

Good to see everyone missed my point, I wasn't advocating the use of DH ciphers merely pointing out that Firefox supports using them.

The real point to my comment which everyone seems to have ignored is OpenPGP has a valid RFC against it allowing to to be used as an alternative to X.509 certs, however so far no browsers or even plugins support using those certificates which could be a much better alternative to X.509 with its woeful take up rate of less than 0.5% of all websites or there abouts.

Some food for thought: http://open-pgp.info/wiki/i...