The
blog at Pingdom.com discusses the change Firefox made recently to how it reacts to invalid certificates. Actually, the post is more concerned about how the user will react to this change, because now when Firefox (version 3.01) comes across a page using SSL with an invalid certificate (expired, non-FQDM used, etc.) the user gets the very user-unfriendly error "Secure Connection Failed. [site address] uses an invalid security certificate." It isn't a warning in a small pop-up window or a bar at the top that is easily dismissed. No, this is an in-your-face, impossible to ignore, error. Which, I think, is great.
I have had personal experience with this recently. When, using Firefox, I try to log on to a blogging service that I recently started using, the site is redirected to https:// that appears to be using an invalid certificate, because instead of the log in page I get the "Secure Connection Failed" page. Digging deeper into the error and certificate, it's pretty plain to see that the certificate being used has some problems: it has CN=localhost.domain for both the Issued To and Issued By fields for starters.
At the bottom of the Firefox-generated error page are two buttons: "Get me out of here!" and "Add exception..." Clicking the latter allows you to see the details of the invalid certificate, and gives you the option of adding the certificate as an exception (you can later remove this exception by going to the Firefox preferences.) Again, other browsers do not inform the user in such an obvious way, meaning the user can be fooled into thinking that the current SSL session is secure.
It's a bold move on Firefox's part, but a good one, because in my opinion users have had it too easy when it comes to internet security. Hence the mind-boggling number of zombies and data theft incidents, for which everyone pays. Unless we start putting up loud notifications that the user actually has to read and consider, users will continue to dismiss these errors as annoyances, even though ignoring them they could have devastating consequences (MITM attacks, spoofing, etc.)
Lastly, the Firefox approach is also a win-win situation, because the companies whose sites are presented to the user as broken will be very motivated to get their own security house in order, fast.
More...
08-26-2008
