Why Firefox 3's handling of self-signed SSL certificates is wrong
October 16, 2008
There has been a certain amount of uproar about how Firefox 3 handles self-signed SSL certificates, and a certain number of attempts to justify it. I disagree violently with the attempts to excuse the behavior, because what it comes down to for me is that Firefox 3 has made it more attractive to have no SSL certificate at all than to have a self-signed one. This is both insane and inane; it does nothing to further security on the Internet, and it has basically nothing to do with the sorts of real attacks that happen today (none of which require SSL man-in-the-middle attacks, because people are not that suspicious).
(Sadly, Firefox 3 is far from alone in how it treats self-signed certificates.)
Now, man-in-the-middle attacks are a real problem (or at least a potential real problem). But there are potentially better ways right now of handling almost all of the problems that Firefox 3 is trying to confront, even if they are not as provably secure as forcing the user to jump through a succession of flaming hoops. And imperfect but usable security is much better than perfect but unusable security.
(I do sort of sympathize with Firefox 3, because there are hard questions. But ultimately I think that the hard questions are being used as excuses, unless people can show that there are significant active risks, not just theoretical ones. Real security always involves risk assessment and tradeoffs.)