firefox and bad ssl certificates

Phillip Susi psusi at
Fri May 9 21:02:28 UTC 2008

Martin Pitt wrote:
> I don't consider it a new feature, but a better UI. Firefox has always
> complained about invalid certificates, but until version 2 it was just
> the well-known 'SSL yadayada cannot be verified mumblemumble click
> here to shut me up' popup dialog, and really everyone just clicked
> this away, right? Security click-through dialogs should be abolished,
> since they achieve nothing and are really just an excuse for the
> software provider: "I know it is unsafe, and cannot give you something
> better. Of course you can't know either, but at least I can make it
> your problem now."
> Now you get at least a proper error message page. I don't doubt that
> the text can be improved, and make more concise/clear, etc., but the
> UI is much better IMHO.

I could not disagree with this more strongly.  You can't go around 
applying nerf padding to everything to protect against the possibility 
of someone running head first into the wall.  When you try to protect 
people from themselves, and that protection has a negative impact on 
them, you aren't doing them any favors.  I don't like the fact that my 
car won't let me ( or my passenger ) choose to fiddle with the gps while 
  the wheels are turning, and I don't like this change to firefox.

An invalid cert is something that MIGHT be cause for concern, but often 
is not, so a notification is quite sufficient to let the user decide if 
it is ok to proceed or not.  Making them jump through hoops of fire to 
be SURE they want to proceed is a bad idea.

Now improving the existing message to be more informative and educate 
the user as to what is going on is something I'm all for, but you should 
not assume the user has no clue and must be locked up to protect him 
from himself.

More information about the Ubuntu-devel-discuss mailing list