Firefox SSL-Certificate Debate Rages On

[Vin DSL]

SOURCE

With Firefox 3, Mozilla has changed the way Firefox handles SSL certificates. This change could scare away visitors from tens of thousands of websites that have expired or self-signed SSL certificates.

If you visit a website with either an expired or a self-signed SSL certificate, Firefox 3 will not show that page at all. Instead it will display an error message, similar to any other browser error (for example a “page not found” 404 message). To get past this error page, users have to go through four different steps before they can access the website, which from a usability standpoint is far from ideal.

This way of handling websites with expired or self-signed SSL certificates is bound to scare away a lot of inexperienced users, no matter how legitimate the website is.

It should be noted that this is not something that only affects smaller websites. For example, the SSL certificate for the official US Army website is declared invalid by Firefox 3...

[Pawel Kowalski]

Why would you even use an untrusted self signed certificate as a generic internet user? I'm actually glad FireFox is making a big deal out of this.

[Connie]

Fortunately I have only a small percentage of visitors to Condells that use FireFox.

At least for a expired certificate they should just let the person know that the certificate is valid but expired like it does now. I few years ago I failed to renew my certificate and it expired. Some people would still place the order. If FireFox makes a user jump through hoops they will probably just leave.

Pawel I doubt anyone who is serious about an Internet business would be using a self signed certificate. I used to use one on a test website.

[the_ancient]

Why would you even use an untrusted self signed certificate as a generic internet user? I'm actually glad FireFox is making a big deal out of this.

The Prime Example is IntraNets,

and apparently the DoD ,who is the authority on Cryptography in most cases, is not a "good" signing authority for FF, Verisign (who I would not trust with a a bag of peanuts) is though... hmmm

[mattsiegman]

The new SSL stuff in Firefox is some seriously stupid bull****. I don't want to pay VeriSign for their racket on 'valid' certificates. Any asshole can buy a certificate from VS...

The fact that it takes more than one click to do what I need to do is obscene. Luckily, most of the people where I work use IE, so this isn't a problem...

Even Google forgot to renew their certificates...

Firefox 3 got shoved out the door too quickly, with way to much incredibly stupid BS left in it.

[Pawel Kowalski]

I forgot about this thread.

But invalid certificates are a serious problem that many regular internet users don't take very seriously. A man in the middle attack is far too common. Anyone could fetch an untrusted certificate to the user and many people would just hit ignore on the warning message their browser gave them. Like Connie said people would still place orders after they saw an invalid certificate, not a smart thing to do.

If you are using untrusted certificates like connie said you are probably doing it for testing purposes, so jumping through a couple extra hoops shouldn't be that big of a deal for you. You can write as many hate mails to verisign as you want, but they do what they are supposed to do, verify that a certificate is trusted. Any CA that doesn't do that is useless for internet use (ignoring the politics of it) and the more warnings people see the better in my opinion.

[the_ancient]

I forgot about this thread.

But invalid certificates are a serious problem that many regular internet users don't take very seriously. A man in the middle attack is far too common. Anyone could fetch an untrusted certificate to the user and many people would just hit ignore on the warning message their browser gave them. Like Connie said people would still place orders after they saw an invalid certificate, not a smart thing to do.

If you are using untrusted certificates like connie said you are probably doing it for testing purposes, so jumping through a couple extra hoops shouldn't be that big of a deal for you. You can write as many hate mails to verisign as you want, but they do what they are supposed to do, verify that a certificate is trusted. Any CA that doesn't do that is useless for internet use (ignoring the politics of it) and the more warnings people see the better in my opinion.

hmmm I did not realize I agree to have the Mozilla Foundation be my netnanny when I downloaded FireFox

and FYI, I have Uninstall FF3, and am usi9ng FF2 once again

[Pawel Kowalski]

It's nothing to do with being your net nanny, it has to do with making sure that naive people don't fall for some basic scams. If you are using an untrusted certificate you should be smart enough to complete 3 or 4 extra steps, I really don't see what the big deal is. And the question still remains, why in the world would you be sending information to a server without a valid certificate in the first place? Even if it is self signed you should have already installed it as a trusted certificate.

[the_ancient]

It's nothing to do with being your net nanny, it has to do with making sure that naive people don't fall for some basic scams. If you are using an untrusted certificate you should be smart enough to complete 3 or 4 extra steps, I really don't see what the big deal is. And the question still remains, why in the world would you be sending information to a server without a valid certificate in the first place? Even if it is self signed you should have already installed it as a trusted certificate.

Naive People should be Scammed, I am tried of Stupid People making my life harder

[Pawel Kowalski]

Great attitude. If you aren't computer savy don't use the internet? I guess that eliminates at least 80% of the internet user base. The whole point is to make the internet as easy and as safe for people to use as possible, not scare them away because people like you can't be bothered to click 4 buttons on extremely rare occasions. And you actually run a web site? I guess you should put in some kind of computer challange question before your visitors will be allowed to view your content? That will show them!

And making your life harder? Lets get real for a second. It's 4 extra clicks for gods sake. And as I already said you should have already installed the certificate as trusted, otherwise you shouldn't be doing any communication with that web site in the first place. There really is nothing wrong with what firefox did here, I think you guys are bitching just for the sake of bitching.

[Ron]

I agree with both of you. You can't imagine (well, maybe T_A can) how annoyed I get when I use the shared certificate with IE7 and it gives me a warning page (instead of a dialog) and offers: "Continue to site (not recommended)" in red.
In addition to the fact that I use the cert for CPanel and other private uses like transferring names and emails, and don't need my own cert, I really dislike the fact that it strongly resembles a 404 page that the less savvy might not understand. Fortunately it is only me and one other who uses this functionality now.

On the other hand, it IS everything to do with being my net nanny. It's kind of th definition of being a nanny is watching out for the naive, n'est pas?

On the third hand, the browser SHOULD give a warning, but the former dialog box was sufficient IMHO.

[Pawel Kowalski]

Ron, why don't you install the certificate you are using for your cPanel? This will prevent you from seeing that warning and now you can actually confirm that your communication is secure without having to look at the certificate each time.

[the_ancient]

Great attitude. If you aren't computer savy don't use the internet? I guess that eliminates at least 80% of the internet user base. The whole point is to make the internet as easy and as safe for people to use as possible, not scare them away because people like you can't be bothered to click 4 buttons on extremely rare occasions. And you actually run a web site? I guess you should put in some kind of computer challange question before your visitors will be allowed to view your content? That will show them!

Personally I feel everyone should be given a IQ test and all stupid people put 6ft under....

And making your life harder? Lets get real for a second. It's 4 extra clicks for gods sake. And as I already said you should have already installed the certificate as trusted, otherwise you shouldn't be doing any communication with that web site in the first place. There really is nothing wrong with what firefox did here, I think you guys are bitching just for the sake of bitching.

[the_ancient]

On the third hand, the browser SHOULD give a warning, but the former dialog box was sufficient IMHO.

We have a winner...

Warnings are fine.... Making everything look like a 404, is what is f'ed up

[Ron]

Ron, why don't you install the certificate you are using for your cPanel? This will prevent you from seeing that warning and now you can actually confirm that your communication is secure without having to look at the certificate each time.

I am on a bulk reseller machine... it is essentially a shared machine. Is this possible with a *.nocdirect.com cert?