Is Mozilla's SSL policy bad for the Web?

Nat Tuck Thu has posted about how Mozilla's policy of displaying harsh warning when a site uses an untrusted certificate is causing many sites to not use SSL when they should be. He also says that it "it damages the basic principle of equality among web participants." The warning that he is complaining about is this one:

Firefox 3's Self-Signed Certificate Error

It requires four clicks to get around. Nat compares this policy to Net Neutrality:

This is really an issue of the basic principles of internet openness. Everyone has equal access to the features of HTTP or SSH, there’s no reason why there should be artifical constraints on access to HTTPS. But that’s exactly what the Firefox SSL behavior does.

For bandwidth, the basic princple of internet equality is called Network Neutrality. When ISPs have threatened it, suggesting that Google (for example) should pay them for "fast lane" preferred treatment at the expense of smaller internet participants, there has been a massive uproar from those who value this principle of equality.

There should be an equally massive uproar about Mozilla’s SSL policy. Encrypted connections may not be as immediately visible as poor quality streaming video or VoIP sound quality, but it’s similarly important. Dividing the web into a "fast lane" of commercial entities willing to pay and a "slow lane" of hobbyists and non-profits who get unusable service is bad for the internet in either case.

Mozilla is Free/Open Source. Antifeatures like the SSL policy shouldn’t be a problem - users can simply remove them if they’re bothered that much. Unfortunately, that’s not good enough in this case. A webmaster doesn’t just need his web browser to work correctly, he needs the web browser of every site visitor to work correctly.

For this problem to be solved, the most popular F/OSS browser(s) must accept self-signed certificates. If Mozilla is unwilling to change their policies, it would be worth the effort of trying to create a *more popular* fork with full SSL functionality.

Nat's solution has several (maybe not-so-obvious) problems. I like how two users on Slashdot put it. lukas84 wrote:

This is bullshit.

It's not like Firefox makes it impossible to access a web site with a self signed certificate. It just makes it very obvious that something is wrong with the certificate, and tells the user that he shouldn't trust it to much.

Now, who uses self signed certificates or certificates signed by an internal CA?

* Test environments (not an end user scenario)
* Unprofessional webhosters (good riddance)
* Companies with their own CA (they can preload the certificate)
* Hobbyist systems (they can reconfigure their browser)

In the end, the only ones hurt by this are unprofessional webhosters - and i don't think anyone should care about them.

And loopkin wrote:

...the way SSL (and most other secure protocols, as SSH) is designed, having encryption without authentication is pointless, because man in the middle attacks are too easy to set up.
With SSL, the real 3 options you have are:
1- no ssl
2- "1 way authentication" SSL (usually only the server has a certificate: this ensures the client it is reaching the right server, but the server cannot trust the client)
3- mutual authentification SSL (aka "strong authentication": server and client have a certificate)

I think TFA is completely out of topic and blatantly ignorant: what would you think if SSH wouldn't warn you when the host you're trying to connect to has changed ?

On a related note, the way that Firefox 3 distinguished a non-EV certificate can be very confusing. A normal, non-EV certificate will look like this when the site identification button is pressed:

Firefox 3's Displaying a non-EV certificate

It says "which is run by (unknown)". It seems to make sense that the organization should be displayed differently since many CAs and types of certificates verify them differently but is Adobe.com really run by (unknown)?

Ryan Cartwright has posted one possible (though currently impractical) solution.

Mozilla SSL policy bad for the Web - [Nat's Blog]

Originally posted on Mon Aug 4, 2008

Comments

kL(2014-12-13)
It's a good policy, because self-signed certificates are worthless. They're like saying "I'm not a crook, trust me!", which can be said by any crook.
Onur Safak(2014-12-13)
I completely agree on this one. Who uses self-signed certificates? People who are not willing to pay a hundred dollars per year for their personal websites and want the security against network sniffers in public. Who cares about them? Most of the web browser developers. But the question is who does care about their visitors. Yes, firefox has not began to block their users from viewing self-signed ssl pages, they just began blocking their average and below average users. And annoying some of their professional users who find it annoying to make additional clicks and to add an exception for something they'll never view again.
Joe(2014-12-13)
As a one man business trying to keep open in this tough economy, I'd like to offer a thought. I'm concerned about the "who cares about them" attitude. I set up a web page for my company myself after enrolling in a design course at a local college. It has worked fine for ten years. Every dime counts around here and I've got four people working even though I've had to plug in some of my own finances to make it happen. My hope is, things will get better. Their hope is they'll continue to have money coming in. So for those of you who worry about a struggling small firm that is too cheap to pay a $100 to some web company for a certificate, I say it is not always an option to find whatever the price of a certificate is. My experience has been that once a computer professional gets involved, the price keeps getting higher and the ability for local control evaporates. When I need to create or modify a web page, I can't afford to farm it out. I stay up at night and work weekends to get the job done. In the techie world the latest and greatest gadgets might be close at hand. In the small business operation, internet videos, movies and hours spent facebooking or otherwise being socially connected is not a necessity, it is harmful to being able to pay workers and other bills. 85 percent of America's workforce is employed in what are classified as small businesses. I'm not sure what a certificate is and how it functions, but if not having one takes my firm off the internet, it may be the straw that broke the camel's back. It may be my reaction is misplaced because I don't understand this conversation. However, I ask, where is the concern for the little guy and the small businessman trying to make sure the people working with him can get paid. If all this certificate stuff means my web page will no longer be viewable, I'm scared...for them, my family the for staying in business. Joe
Phil(2014-12-13)
If you know that you can only use "self signed" then don't enable https, it really gives you noting as "man in the middle" attacks are still just as easy. There's no point encrypting if the person you're talking to is not who you think they are. To make https worth anything, the person accessing your site must ALREADY have a signature they trust to verify your site is what it says it is. That's what the CAs are for and that's what we pay them for. If you don't want your users getting all the horrible messages then ask your users to install your certificate.
Le Roux(2014-12-13)
Surely self-signed certificates are not less secure than normal unencrypted http? So why can't it just be white like normal http? Then just tell people not to give sites money unless they have at least blue. Or just add a little icon to the statusbar if it is such a problem. If self-signed certificates were allowed, then all the millions of sites on the web where you signup or login and fill in a password could at least be secure without amateurs, hobbyists, bloggers, etc all handing over some money to the web security cartel... I think the web would definitely be a better place and it would certainly not hurt anyone.
Duane(2014-12-13)
The policy makes little sense for the majority of websites you visit, a simple, yellow drop bar like they have for pop-ups and things trying to install would be sufficient. Otherwise we end up where we are, how many sites do you visit that don't use any encryption that you type usernames and passwords into?

Is Mozilla's SSL policy bad for the Web?

Comments

Top Resources

Menu