Corey, I saw your post about the Firefox 3 SSL error:
Well, I have tried Firefox 3 and I really like a lot of the things that I saw. The “awesome” bar really isn’t that awesome for an Epiphany user, but hey, it is a first cut. The GTK integration really makes me happy. Mozilla has been working on Linux support. Then I hit this dialogue:
Now I am very angry. Not only did Firefox prevent me from going to a site I know is safe, there is no easy way to say “I trust this page”. And yes, that defeats the point of this dialogue, but the reality for the Web consumer is that I have no control over these kinds of websites. Now what do I do?
Corey, I actually support this redesign. Part of the reason the web is so broken at the moment (poor adoption standards, lack of alternative browser support, crappy accessibility) is because web browsers have historically been tolerant of bad coding. In the same way, the main reason viruses plague the Windows world is because people are trained in bad practices like Googling for a program, downloading a .exe, and then running it.
Clicking through self-signed SSL warning dialogs is much the same as the aforementioned situations. Making self-signed certificates not seem so insecure, and being able to just click through dialogs mindlessly in order to get to the site, is bad from a user trust point of view. The user is being trained to just trust every certificate that they come across, regardless of how reliable the certification authority is.
If you make users aware that these sorts of certificates are not good at validating identity, and make it difficult for users to force open these sites (in the same way, I believe browsers should refuse to display pages with invalid HTML in the case of the broken web), then website owners will actually bother shelling out a few dollars for a proper certificate from a reputable certification authority.
Or, even better, you can lobby the Mozilla Foundation for the inclusion of the CAcert root certificate in Mozilla browsers. CAcert is an organisation that offers free signed SSL certificates.



If you think you’re having a hard time, I work at a datacenter, and we have to set up many servers with control panels every day. Just about every cp being made today comes with a self-signed certificate. So, any time we have to set up a control panel, or work on an older system which is using a self-signed certificate, we have to go through the process of granting that ‘invalid’ SSL exception.
I wonder how much VeriSign donated to the Mozilla Foundation.
Ah yes, I can imagine it becoming quite tedious.
You know, when I first saw your name, I thought of this guy at first.
This error is annoying the hell out of me. It has destroyed our site on many computers now, including this laptop I have. The only thing I don’t understand is why it works on some computers and not others. Our site is using a Positive SSL cert, and I can’t even access Gmail because of this?
This is being retarded. Any solutions to overriding this or going back to the old method of accepting certs without downgrading Firefox?
Sounds like your SSL certificate database is screwed, man. Might have been Firefox’s fault, but definitely not a Firefox UI problem.
I must disagree with the developers of Firefox for very good reasons as follows:
#1 web users have a right to not be controlled in their web browsing. DO NOT FORCE US. ALWAYS give us freedom to choose! Anything less is abusive to us.
#2 It does not matter whose certificate it is as long as it is encrypted. Read on: No matter who wants to know for sure whose web site they are connecting to, the main threat is NOT who we are connecting to but IS that non-encrypted connections can be recorded and ‘sniffed’ as they pass through the internet. Encrypted connections cannot be read under normal circumstances.
#3 Self-signed certificates are in wide use so support them! Even if they ever become rare they should be supported 100% even if you warn the user. There should ALWAYS be an option.
#4 From a business standpoint recognize that restricting web users makes them VERY ANGRY at the companies that develop the software such as Firefox. So why not stop trying to control your customers and try to just help them.
#5 RESPECT: Web users are not one type of customer and cannot healthfully be treated the same. There are those who don’t have the comprehension to use computers safely. Those are often the old or those who show strong characteristics of low intelligence but still buy computers. It is ok to support them. BUT most of us need treated respectfully as adults. So be open about your design and be helpful but not controlling.
If it would help I would yell at you who choose to design the web browsers and other software. You certainly deserve it now.
PLEASE take this seriously and do what is right and good.
Sincerely,
Anonymous
Regarding #1, the fact is, people don’t want to choose. They just want it to “work”. It’s our job to make these people secure without them putting in any effort. Unfortunately. (And you seem to imply that Firefox completely blocks the site. That is false. You need better glasses.)
Regarding #2, that is complete bollocks. You need to learn the definition of “trust”. If you just blindly used any certificate “as long as it is encrypted”, then you are exposing every single verified SSL website in the world (including your bank, which might otherwise use an EV certificate) to man-in-the-middle attacks.
#3 self-signed certificates are supported. If you are competent enough to verify that the certificate is indeed legitimate, then tick the “permanently accept this certificate” button. Done and dusted.
#4 From a business standpoint, if you don’t want to get yourself properly verified, you don’t deserve your customers. They should be angry at you, not the browser, which is doing the right thing.
#5 If you are a power user, building a site for power users, then go on. Use self-signed certificates. But #5 cannot be implemented if you consider what I wrote for #1. Users will not make themselves secure. And I mean most. Unfortunately not enough people that don’t understand security receive Darwin Awards, so we have no choice but to make them secure ourselves.
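Added example, not part of the original post or its comments and not Firefox's own code: a small Python model of the three policies argued over in this thread (CA validation, a stored exception for a certificate the user verified, and "any certificate is fine as long as it is encrypted"). The function names, the host name and the byte strings standing in for DER certificates are all assumptions constructed for illustration.

```python
import hashlib
import hmac

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()

def decide(host, der, ca_validated, exceptions, encrypt_only=False):
    """Return 'allow', 'warn' or 'mismatch' for one connection attempt.

    exceptions   -- maps host:port to the fingerprint the user verified
                    out of band and chose to accept permanently
    encrypt_only -- models the "as long as it is encrypted" policy,
                    where the certificate's issuer and identity are ignored
    """
    if ca_validated or encrypt_only:
        return "allow"
    pinned = exceptions.get(host)
    if pinned is None:
        return "warn"          # untrusted issuer, nothing stored yet
    if hmac.compare_digest(pinned, fingerprint(der)):
        return "allow"         # same certificate the user verified earlier
    return "mismatch"          # stored exception does not match this cert

# Constructed stand-ins for DER certificate bytes (not real certificates).
PANEL_CERT = b"constructed-DER: self-signed cert of the control panel"
OTHER_CERT = b"constructed-DER: different key, same subject name"

def demo():
    host = "panel.example.test:8443"   # hypothetical control panel
    exceptions = {}
    results = {"first_visit": decide(host, PANEL_CERT, False, exceptions)}
    # The admin compares the fingerprint with one read from the server
    # console, then stores the exception.
    exceptions[host] = fingerprint(PANEL_CERT)
    results["after_exception"] = decide(host, PANEL_CERT, False, exceptions)
    # A different certificate later shows up for the same host.
    results["swapped_with_exception"] = decide(
        host, OTHER_CERT, False, exceptions)
    results["swapped_encrypt_only"] = decide(
        host, OTHER_CERT, False, exceptions, encrypt_only=True)
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The last two cases are the point of contention: with a stored exception the swapped certificate is flagged, while the encrypt-only policy accepts it silently even though the session is still encrypted.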