Most Popular

• BEA Weblogic Server SSL Installation Instructions
• Free SSL Certificates from a Free Certificate Authority
• SSL Host Headers in IIS 7
• How to Create A Self Signed Certificate
• The Most Common Java Keytool Keystore Commands

Login:

Is Mozilla's SSL policy bad for the Web?

Nat Tuck Thu has posted about how Mozilla's policy of displaying harsh warning when a site uses an untrusted certificate is causing many sites to not use SSL when they should be. He also says that it "it damages the basic principle of equality among web participants." The warning that he is complaining about is this one:

It requires four clicks to get around. Nat compares this policy to Net Neutrality:

This is really an issue of the basic principles of internet openness. Everyone has equal access to the features of HTTP or SSH, there’s no reason why there should be artifical constraints on access to HTTPS. But that’s exactly what the Firefox SSL behavior does.

For bandwidth, the basic princple of internet equality is called Network Neutrality. When ISPs have threatened it, suggesting that Google (for example) should pay them for "fast lane" preferred treatment at the expense of smaller internet participants, there has been a massive uproar from those who value this principle of equality.

There should be an equally massive uproar about Mozilla’s SSL policy. Encrypted connections may not be as immediately visible as poor quality streaming video or VoIP sound quality, but it’s similarly important. Dividing the web into a "fast lane" of commercial entities willing to pay and a "slow lane" of hobbyists and non-profits who get unusable service is bad for the internet in either case.

Mozilla is Free/Open Source. Antifeatures like the SSL policy shouldn’t be a problem - users can simply remove them if they’re bothered that much. Unfortunately, that’s not good enough in this case. A webmaster doesn’t just need his web browser to work correctly, he needs the web browser of every site visitor to work correctly.

For this problem to be solved, the most popular F/OSS browser(s) must accept self-signed certificates. If Mozilla is unwilling to change their policies, it would be worth the effort of trying to create a *more popular* fork with full SSL functionality.

Nat's solution has several (maybe not-so-obvious) problems. I like how two users on Slashdot put it. lukas84 wrote:

And loopkin wrote:

...the way SSL (and most other secure protocols, as SSH) is designed, having encryption without authentication is pointless, because man in the middle attacks are too easy to set up.
With SSL, the real 3 options you have are:
1- no ssl
2- "1 way authentication" SSL (usually only the server has a certificate: this ensures the client it is reaching the right server, but the server cannot trust the client)
3- mutual authentification SSL (aka "strong authentication": server and client have a certificate)

I think TFA is completely out of topic and blatantly ignorant: what would you think if SSH wouldn't warn you when the host you're trying to connect to has changed ?

On a related note, the way that Firefox 3 distinguished a non-EV certificate can be very confusing. A normal, non-EV certificate will look like this when the site identification button is pressed:

It says "which is run by (unknown)". It seems to make sense that the organization should be displayed differently since many CAs and types of certificates verify them differently but is Adobe.com really run by (unknown)?

Ryan Cartwright has posted one possible (though currently impractical) solution.

Mozilla SSL policy bad for the Web - [Nat's Blog]

Digg Slashdot del.icio.us Reddit furl

Le Roux
Posts: 4

At least don't make them errors
Reply #4 on : Tue February 10, 2009, 13:37:29

---

Surely self-signed certificates are not less secure than normal unencrypted http? So why can't it just be white like normal http? Then just tell people not to give sites money unless they have at least blue. Or just add a little icon to the statusbar if it is such a problem.

If self-signed certificates were allowed, then all the millions of sites on the web where you signup or login and fill in a password could at least be secure without amateurs, hobbyists, bloggers, etc all handing over some money to the web security cartel...

I think the web would definitely be a better place and it would certainly not hurt anyone.

Onur Safak
Posts: 4

People don't understand an average user
Reply #3 on : Wed January 28, 2009, 07:53:03

---

I completely agree on this one.

Who uses self-signed certificates? People who are not willing to pay a hundred dollars per year for their personal websites and want the security against network sniffers in public.

Who cares about them? Most of the web browser developers. But the question is who does care about their visitors.

Yes, firefox has not began to block their users from viewing self-signed ssl pages, they just began blocking their average and below average users. And annoying some of their professional users who find it annoying to make additional clicks and to add an exception for something they'll never view again.

Duane
Posts: 4

What a load of non-sense
Reply #2 on : Tue August 05, 2008, 17:46:15

---

The policy makes little sense for the majority of websites you visit, a simple, yellow drop bar like they have for pop-ups and things trying to install would be sufficient.

Otherwise we end up where we are, how many sites do you visit that don't use any encryption that you type usernames and passwords into?

kL
Posts: 4

Re: Is Mozilla's SSL policy bad for the Web?
Reply #1 on : Mon August 04, 2008, 11:06:49

---

It's a good policy, because self-signed certificates are worthless. They're like saying "I'm not a crook, trust me!", which can be said by any crook.

Write a comment

Name:
Email: (not published)
Subject:
Comment:

Security Code:
 

Post Comment