Behaviour of Firefox for untrusted certificates

Martin Graesslin ubuntu at martin-graesslin.com
Wed Apr 30 16:35:45 BST 2008


On Wednesday, 30 April 2008 16:45:05, you wrote:
> That page also offers the option to add an exception. This was
> done in order to prevent users from just clicking-through.
Which is very small compared to the big "secure connection failed". I don't 
think that the average user will notice this link. Also, I don't think that it 
is good naming, as I don't expect to solve networking issues by adding 
exceptions.
>
> > IMHO this behaviour is wrong. Firefox should load the page nevertheless.
> > Authentication is not the most important feature of TLS, but
> > encryption.
>
> There are multiple features that make up TLS. If you make one of these
> features void, the whole building tumbles. In this particular case,
> making it easy to ignore untrusted issuer errors will train the user
> to not care about broken certificates at all, finally helping the bad
> guys to trick users into submitting confidential data to them and so
> on.
So in this case you think that blocking untrusted certificates is more 
important than usability. I thought Ubuntu is about human beings and about 
usability. But I can't see anything usable in breaking university pages. I 
would guess that many students do not know anything about certificates and don't 
understand that page. I just tested the webmail of my university (Heidelberg) 
and I was not able to log in because of this behaviour. I'm quite sure that 
most users will think the page is not working.

I understand quite well that the warning dialogs can teach users to just click 
OK and that would help the bad guys. But blocking "untrusted" self-signed or 
CA-Cert certificates is just the wrong way because it is not usable. I don't 
see any reason why, for example, universities have to pay money to get "real" 
certificates.

I just hope for all the users that you will find a good solution for this 
problem. For me it is another reason to stay with Konqueror.

Best regards
Martin

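The two outcomes argued over in this thread, an unknown-issuer failure on a self-signed certificate versus a scoped per-site exception, can be reproduced with a few lines of Go's standard x509 library; this is an added illustration, not code from the thread or from Firefox (which uses NSS), and the host name "webmail.example" is a constructed placeholder.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

const host = "webmail.example" // hypothetical university webmail host

// selfSignedCert builds a constructed self-signed server certificate, one whose
// issuer no browser trust store knows (like the university certs in the thread).
func selfSignedCert() (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host}, // subject left empty; the SAN names the host
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// check runs the path validation a browser does before loading the page. The
// trust store starts empty (no CA in it issued this cert); addException trusts
// exactly this one certificate, a per-site exception, not a blanket bypass.
func check(cert *x509.Certificate, addException bool) error {
	roots := x509.NewCertPool()
	if addException {
		roots.AddCert(cert)
	}
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// untrustedIssuer tells the "unknown authority" failure apart from other
// failures (expired, wrong host), which deserve different wording for the user.
func untrustedIssuer(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}
```

The exception keeps validation on for every other site; a client that instead switched verification off globally would also accept any certificate an attacker presents.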
