More on Firefox 3's handling of self-signed SSL certificates

October 18, 2008

One of my blogging flaws is that when I write up an entry, I can be so close to the issue that I leave important things out because they are 'obvious' to me. I did that with my recent entry about Firefox 3's handling of self-signed SSL certificates: I skipped describing exactly what makes Firefox 3's approach so wrong.

Firefox 3 is not wrong-headed for being cautious about self-signed SSL certificates, because there are real concerns with them in practice. Firefox 3 is so wrong because it makes it so inordinately difficult and obscure to actually accept them, especially for ordinary users.

(Doing so takes five clicks. At least one click is both unobvious and unnecessary, duplicating something that the browser has already done and should do automatically, and another one is one of those obnoxious 'are you really sure?' double-confirmation dialogs. On top of that, the entire process is wrapped in technical jargon. I know what is going on, but I doubt very many of our users would.)

This is especially striking because it was much less onerous to accept self-signed SSL certificates in prior versions of Firefox. A grumpy person could be left feeling that the Firefox 3 developers are basically passively doing everything they can to stop users from accepting self-signed SSL certificates, without being honest enough to outright forbid it (which I suspect wouldn't be politically acceptable).

Firefox 3 made these changes with the nominal goal of increasing the security of dealing with self-signed SSL certificates. What they have instead created is a process that is sufficiently complicated and opaque that in practice it will do one of two things, neither of them desirable. In the same way that users react to any other complicated multi-step dialog with too much text, either users will accept no such certificates at all because it is too complex, or they will blindly accept all of them because they don't actually read any of the dialog text; they just click on whatever buttons are necessary to make things get out of their way.

The net result: frustrated users and no security. Double fail.

(If Firefox 3 really wanted to increase the security of dealing with self-signed SSL certificates, there are a number of things that it could do much better. At the top of my list would be clearly explaining to users in plain language what is wrong with the SSL certificate and how severe it is; a lot of users still won't read the text, but at least there might be a chance.)

Sidebar: in Firefox 3's defense

I don't actually think that the Firefox 3 SSL people have deliberately made the interface terrible (apart from the 'are you really sure?' double confirmation dialog sequence). What I think is happening is that they have not built a specific 'add exception' dialog for https connections that hit certificate problems. Instead they just start up some sort of generic 'add website certificate' dialog; because this dialog is generic, it forces extra steps and has a bad interface for this particular task.

Comments on this page:

From 99.236.189.77 at 2008-10-18 20:04:20:

I've played with Thunderbird 3's beta ("Shredder", just what I want to have handle my email) and it refuses self-signed certs altogether. Makes it really hard to continue using Tbird, honestly.

MikeP

Written on 18 October 2008.
Last modified: Sat Oct 18 02:23:35 2008