Why Firefox 3's handling of self-signed SSL certificates is wrong

October 16, 2008

There has been a certain amount of uproar about how Firefox 3 handles self-signed SSL certificates, and a certain number of attempts to justify it. I disagree violently with the attempts to excuse the behavior, because what it comes down to for me is that Firefox 3 has made it more attractive to have no SSL certificate at all than to have a self-signed one. This is both insane and inane; it does nothing to further security on the Internet, and it has basically nothing to do with the sorts of real attacks that happen today (none of which require SSL man-in-the-middle attacks, because people are not that suspicious).

(Sadly, Firefox 3 is far from alone in how it treats self-signed certificates.)

Now, man-in-the-middle attacks are a real problem (or at least a potential real problem). But there are potentially better ways right now of handling almost all of the problems that Firefox 3 is trying to confront, even if they are not as provably secure as forcing the user to jump through a succession of flaming hoops. And imperfect but usable security is much better than perfect but unusable security.

(I do sort of sympathize with Firefox 3, because there are hard questions. But ultimately I think that the hard questions are being used as excuses, unless people can show that there are significant active risks, not just theoretical ones. Real security always involves risk assessment and tradeoffs.)

Written on 16 October 2008.
Last modified: Thu Oct 16 01:19:51 2008