Firefox 3 and SSL certificates
I should not single out only Firefox 3 for this issue, but because it's the browser I use, it gets criticised.
Recent UI usability changes in web browsers towards handling self-signed and other “invalid”
SSL certificates leave a lot to be desired.
Take my use-case. I want to use an HTTPS secured connection for bugzilla.banu.com
(which is a website I set up for my projects). I don't have the dough to get my wildcard certificate for *.banu.com signed by a CA.
So I use a self-signed certificate. This self-signed certificate does not mean that the bugzilla website accessible via HTTPS is any more malicious
to any end-user than the main Banu website at www.banu.com accessible via HTTP.
I want new visitors who use my Bugzilla to be able to use it as any other plain-old website without suggestion that it's somehow malicious.
Google or Wikipedia for example wouldn't like it if the browser screamed “This host uses an invalid security certificate” when someone
visited http://www.google.com/ or http://en.wikipedia.org/.
HTTPS is simply an access protocol here. It can serve both authenticated and unauthenticated sessions. This whole issue would seem even
more stupid if we didn't have HTTPS but something like STARTTLS
for HTTP. Most web surfers do not know the difference between HTTP and HTTPS. They go by what their browser shows them about whether
a website is to be trusted or not. Current browser wording for the messages displayed when a certificate is not signed by a known CA
suggests that the remote website is somehow malicious. A website using a self-signed certificate is not necessarily malicious; in fact, statistics
lean towards the fact that most websites are not malicious. Browsers gladly present any content over HTTP, but when an
unknown certificate is encountered it becomes a stopping point, and you need to go through several steps in a browser such as Firefox 3 to get through to the website.
A more usable UI would be to simply indicate that the session was protected when the certificate is deemed valid (via any padlock
icons, or the green/blue Extended Validation info, or the yellow URL bar), and otherwise allow a user to simply browse the website without
indicating in the UI that there is any secure connection, and without having to go through any extra steps to accept a self-signed certificate.
This would raise some questions. What about forms which post to HTTPS URLs? Should the browser stop you when a form posts to a URL that
presents an “invalid” certificate? No, this won't serve any purpose, as users hardly
ever check the action URL of a form to see whether it is SSL protected before submitting form information. They trust the
page which contains the form in the first place to do the right thing.
With the change suggested above, a user visiting my bugzilla website would not see any icons or other UI indicators in her browser
to say that her connection is authenticated, even though she's using HTTPS. Nothing would discourage her from using my
website. On the other hand, if I add my self-signed wildcard certificate to my list of personal certificates in Firefox, I can have an
indication that my session is authenticated.
Update: In response to my own post, it occurred to me that someone could hijack and force a renegotiation
with a malicious server and get posted form fields if the above were implemented, i.e., if your form was served by an authenticated
website, but when you submitted it, a MITM attack directed the posted form to a different webserver. So this is probably a bad idea.
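The three ways a client can treat a self-signed certificate discussed above (reject it as browsers do today, accept it silently as the post proposes, or trust exactly that one certificate by adding it to a personal store) and the update's point that the silent policy cannot tell the genuine server from an impostor can be shown with Go's standard TLS library. This is an added example, not code from the blog or from Firefox: it generates two throwaway self-signed certificates for the hypothetical name *.banu.com (the author's real key material is not on the page), runs each behind a loopback TLS listener, and records for every policy whether the handshake succeeded and whether the TLS stack actually verified the peer. The policy names and the Result type are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Result records what a client learned from one TLS handshake attempt.
type Result struct {
	Connected     bool // handshake succeeded, so the session is encrypted
	Authenticated bool // the TLS stack built a verified chain for the peer
}

// The three client policies under discussion (names are this example's own).
const (
	Strict        = "strict"        // verify against the system CA store (today's browser behaviour)
	Opportunistic = "opportunistic" // encrypt but never authenticate (the post's proposal)
	Pinned        = "pinned"        // trust exactly one self-signed cert (adding it to a personal store)
)

// selfSigned builds a throwaway self-signed certificate for dnsName, a constructed
// stand-in for the author's unsigned wildcard certificate.
func selfSigned(dnsName string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// serve listens on loopback with cert and completes each incoming handshake.
func serve(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() {
				defer c.Close()
				c.(*tls.Conn).Handshake() // fails whenever the client rejects our certificate
			}()
		}
	}()
	return ln, nil
}

// connect dials addr as a client expecting serverName under the given policy;
// pin is consulted only for the Pinned policy.
func connect(addr, serverName, policy string, pin *x509.Certificate) Result {
	cfg := &tls.Config{ServerName: serverName}
	switch policy {
	case Opportunistic:
		cfg.InsecureSkipVerify = true // accept anything; VerifiedChains stays empty
	case Pinned:
		pool := x509.NewCertPool()
		pool.AddCert(pin)
		cfg.RootCAs = pool // only this exact certificate is trusted
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return Result{}
	}
	defer conn.Close()
	// VerifiedChains is populated only when the stack actually verified the peer.
	return Result{Connected: true, Authenticated: len(conn.ConnectionState().VerifiedChains) > 0}
}

// Demo runs all three policies against the genuine server and against an
// impostor that presents its own self-signed certificate for the same name.
func Demo() (map[string]Result, error) {
	genuineCert, genuineParsed, err := selfSigned("*.banu.com")
	if err != nil {
		return nil, err
	}
	impostorCert, _, err := selfSigned("*.banu.com")
	if err != nil {
		return nil, err
	}
	results := map[string]Result{}
	for label, cert := range map[string]tls.Certificate{"genuine": genuineCert, "impostor": impostorCert} {
		ln, err := serve(cert)
		if err != nil {
			return nil, err
		}
		for _, policy := range []string{Strict, Opportunistic, Pinned} {
			results[label+"/"+policy] = connect(ln.Addr().String(), "bugzilla.banu.com", policy, genuineParsed)
		}
		ln.Close()
	}
	return results, nil
}

func main() {
	results, err := Demo()
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"genuine/strict", "genuine/opportunistic", "genuine/pinned",
		"impostor/strict", "impostor/opportunistic", "impostor/pinned"} {
		fmt.Printf("%-24s connected=%-5v authenticated=%v\n", k, results[k].Connected, results[k].Authenticated)
	}
}
```

The strict policy refuses both servers, which is the current browser behaviour the post complains about. The opportunistic policy connects to both and reports neither as authenticated, which is exactly why a form posted under it could land on a different server without the browser noticing. The pinned policy is the "add my certificate to my personal list" case: it authenticates the genuine server and rejects the impostor, because Go's verifier only builds a chain when the presented certificate is the one in the trusted pool.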
Syndicated 2008-07-05 13:54:00 from Mukund's blog