firefox and bad ssl certificates
ubuntu at kitterman.com
Thu May 8 01:38:09 UTC 2008
On Wed, 7 May 2008 17:36:54 -0600 Neal McBurnett <neal at bcn.boulder.co.us>
>On Thu, May 08, 2008 at 12:45:46AM +0200, Martin Pitt wrote:
>> Peio Ziarsolo [2008-05-07 13:03 +0200]:
>> > But for power user that know the significance of a bad certificate it's
>> > annoying add exceptions (this morning I have to add 3 exceptions).
>> This doesn't have anything to do with power users/n00bs. An invalid
>> SSL certificate isn't any better or worse depending on the type of
>> user. If a site sets up SSL with an invalid certificate, then this
>> buys the user nothing but a false sense of security.
>> The proper approach to this IMHO is to make adding exceptions in all
>> web browsers (especially IE) as hard and explicit as in Firefox 3.
>> This would perhaps force site admins to get a grip and stop ignoring
>> broken SSL certs, once they get a flood of complaints.
>> > Is there any key to toggle off this new feature?
>> I *so much* hope that there isn't. People should really start to
>> understand that this is a SERIOUS error and shouldn't at all be
>> considered 'normal'.
>Invalid certs are one thing. But doesn't this also affect self-signed
>Self-signed certs are appropriate for many use cases in which the goal
>is primarily encryption (e.g. to protect data flowing back from the
>server to the user), rather than e.g. protecting bank accounts by
>authenticating the server to the user. E.g. connecting to a local
>ebox management port, or a small community wiki.
>In many low-security situations, this change pushes server operators
>into buying pricey certs from certificate vendors who often offer
>little or no meaningful vetting and accept zero liability.
>This stuff is complicated, involves politics, and can't be painted
>with such a broad brush. Education is a big part of it, like with most
>The current warnings are confusing, and are being improved. Let's try
>to see to it that they communicate as well as possible. Otherwise too
>many grass-roots sites will just go back to asking folks to enter
>passwords over unencrypted connections, or users will get used to
>bypassing yet another set of dialogs and phishing will continue
>E.g. how hard is it for folks to buy in to their own web of trust and
>get e.g. all CACert certs accepted?
I think you are correct. This "improved security" may well have the
Additionally, a valid SSL cert for a particular domain does nothing to
solve phishing based on near-match (cousin) domains. Unlike email, exact
domain forgery is not the major problem. If I own paypa1.com, I can get a
valid SSL cert for it too.
SSL (aka TLS) is about securing data from external observation. Trying to
overload it with a hierarchical CA cert system does not provide substantial
endpoint authentication. At best it helps against exact domain spoofing
(via DNS attacks). At worst it increases user risk due to a false sense of
In my experience these kinds of U/I hurdles just annoy and desensitize the
user and do not provide any real security.
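The paypa1.com point above, as an added example that is not code from this thread: a minimal model of the three separate decisions behind a browser's certificate check (channel encrypted, chain trusted, hostname matches) plus the lookalike-domain check that none of them makes. Certificate records, the trust store and the protected-brand list are all constructed here.

```python
from dataclasses import dataclass, field

@dataclass
class Cert:
    # Constructed certificate record: only the fields a validator compares.
    subject_cn: str
    issuer: str
    san: list = field(default_factory=list)

TRUSTED_CAS = {"Example Root CA"}  # assumed trust store, not a real CA

def hostname_matches(hostname, cert):
    """Subject/SAN matching as a browser does it: exact match, or a
    single-label wildcard such as *.example.org."""
    names = cert.san or [cert.subject_cn]
    host = hostname.lower()
    for name in names:
        name = name.lower()
        if name.startswith("*."):
            # A wildcard covers exactly one label, so the dot counts must agree.
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False

def chain_trusted(cert):
    # Simplified: trusted iff the issuer is in the trust store.
    return cert.issuer in TRUSTED_CAS

# Digits commonly substituted for the letters they resemble.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

def lookalike_of(hostname, protected):
    """Return the protected name this hostname imitates, or None.
    Exact ownership of the protected name itself is not a lookalike."""
    folded = hostname.lower().translate(CONFUSABLES)
    for brand in protected:
        if folded == brand and hostname.lower() != brand:
            return brand
    return None

def assess(hostname, cert, protected=("paypal.com",)):
    """What a strict validator decides, and the check it does not make."""
    return {
        "encrypted": True,  # any completed TLS handshake gives this
        "chain_trusted": chain_trusted(cert),
        "hostname_matches": hostname_matches(hostname, cert),
        "lookalike_of": lookalike_of(hostname, protected),
    }
```

A self-signed wiki cert fails only `chain_trusted`, while a CA-issued cert for paypa1.com passes every validator check and is caught only by `lookalike_of`.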