Firefox 3 SSL certificate warnings [LWN.net]

By Jake Edge
August 27, 2008

Users of Firefox 3 have likely seen the new warnings for various "invalid" SSL certificates. Unlike earlier versions of Firefox, these new warnings are much scarier, as well as more difficult to ignore—clicking through to the web site is decidedly more time consuming. This is exactly as the Mozilla folks intend, but it has raised some eyebrows, and ire, amongst site owners and Firefox users.

SSL certificates are used to enable encrypted communication (i.e. https) between browsers and web sites. Web site owners generate a public and private key for use in the encryption. The public key gets wrapped up in an X.509 certificate and must be signed by someone. For larger sites, it is typically a certificate authority (CA) that signs the certificate, but that generally costs money. Many smaller sites will sign their own certificate creating what is known as a self-signed certificate

As part of the negotiation of an encrypted connection, a web site will present its certificate to the browser. In order to prevent man-in-the-middle attacks against the encrypted connection, the browser needs to verify that the certificate belongs to the web site it believes it is talking to. It does that by verifying the signature of the CA.

A signature can only be verified if the browser has the public key of the CA that has signed the certificate. Because there are a multitude of CAs, a "web of trust" is established whereby a number of root CAs sign the certificate of lesser CAs, who might in turn sign for other CAs. A browser developer, like Mozilla, chooses a set of root certificates that they trust. When verifying the certificate from some random website, the browser follows the signature chain; if it reaches one of their root certificates, the web site certificate is valid. A self-signed certificate will, of course, fail this test.

When a user comes across a site that has such a certificate, Firefox 3 puts up a nasty warning. The images that accompany this article are screenshots of the warning, along with two of the three steps one must take to accept the certificate. They were generated by visiting https://bugzilla.gnome.org. The days of a single pop-up message that could easily be clicked through are long gone.

There are a few different issues here. To start with, there are a large number of legitimate sites that have self-signed certificates. In order to access those sites, users are being trained to click through a series of dialogs and scary ("Legitimate banks, stores, and other public sites will not ask you to do this") warnings, just as they were trained to do with single pop-up message in earlier Firefox versions.

Mozilla's position is that self-signed certificates are untrustworthy, not invalid necessarily, but not something that the browser can trust without asking the user. Because most users are not very sophisticated, the warnings need to be detailed and somewhat frightening. The problem is that users of all kinds may get annoyed by the dialogs—then train themselves to essentially ignore them.

Because there are CAs, like StartSSL, that provide free certificate signing (as well as others that cost less than $20/year), Mozilla is clearly trying to push web sites into moving away from self signing. There is a risk of man-in-the-middle attacks from self-signed certificates because anyone can create certificate that purports to be for any other given web site. To some extent, though, the level of danger depends on what the encryption is trying to protect.

For sites that do e-commerce or transmit and receive sensitive information, there is no question that a CA signed certificate is required. There are other reasons to encrypt traffic, though, including evading deep packet inspection (DPI), where the risks of accepting a bogus certificate are relatively low. One might get ads injected into their web browser inappropriately—annoying, but hardly fatal.

There is no simple solution. Mozilla is erring on the side of caution by trying to protect its users while still allowing them to override its protections. Other techniques, possibly like the Perspectives Firefox extension, may help alleviate the problem in the long term. Until then, we may have to just grit our teeth and click our way past the multiple warnings.

Index entries for this article
Security	Firefox
Security	Secure Sockets Layer (SSL)/Certificates

to post comments

Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 1:37 UTC (Thu) by joedrew (guest, #828) [Link]

There is a risk of man-in-the-middle attacks from self-signed certificates because anyone can create certificate that purports to be for any other given web site.

I can't emphasize this enough: if you are on the wrong network, all your (for example) amazon.com traffic can be redirected to someone else, and the only way you will know is because the certificate will be self-signed. This is enormously scary, and until Firefox has Key Continuity Management, the scary self-signed cert warnings will have to do.

UI design

Posted Aug 28, 2008 2:21 UTC (Thu) by ncm (guest, #165) [Link] (2 responses)

I saw what looked like a good solution posted on advogato.org. (By whom?) It suggested that instead of posting scary dialog boxes to click through, color the page and add a banner warning against entering any passwords.

UI design

Posted Aug 28, 2008 7:19 UTC (Thu) by deleteme (guest, #49633) [Link] (1 responses)

Like "you are entering information on an unencrypted page, are you sure you want to do this"? Never works.

UI design

Posted Aug 28, 2008 16:25 UTC (Thu) by epa (subscriber, #39769) [Link]

That unencrypted page warning is well-intentioned but badly implemented. The way it appears makes it absolutely certain that users will ignore it and turn it off. But there are better ways to get users to think about who can see the information they submit. For example, when you start entering information in an HTTP form (not waiting until you hit submit) a kind of Clippit could appear next to the form. While not requiring you to click 'OK' or 'Go away', it could show a smiley face with the company name from the EV certificate, or else a frowny face / question mark with a link 'who will be able to see this data?'. It wouldn't get in your way so you would not need to turn it off.

There are all sorts of other UIs that could be tried to make users perceive how safe or how dangerous it is to submit information; the important thing is to make it simple, obvious, and not meaningless technobabble that you just 'OK' without reading.

Self-published certificates can _not_ stop DPI

Posted Aug 28, 2008 2:49 UTC (Thu) by darwish07 (guest, #49520) [Link] (4 responses)

There are other reasons to encrypt traffic, though, including evading deep packet inspection (DPI), where the risks of accepting a bogus certificate are relatively low. One might get ads injected into their web browser inappropriatelyannoying, but hardly fatal.

Deep Packet Inspection/Modification can be done easily on a self-published-certificate website traffic by making the router in the middle acts as a HTTPS proxy, where that proxy makes the SSL connection between itself and the far-away server (the website server) then maintain a sockets pipe (using select()) between the browser, itself and the real destination server.

This of-course needs routing the traffic not by destination as normal IP implementations does, but by content using new routing table entries format like 'tcp port http and https go to localhost proxy port 8000' in the compromised or government monitored gateway. And yes, I've personally seen it done using the Linux networking stack.

Self-published certificates can _not_ stop DPI

Posted Aug 28, 2008 5:29 UTC (Thu) by gmaxwell (guest, #30048) [Link] (3 responses)

Right, but it's even EASIER (less cpu expensive, less complex software, less clearly illegal, etc) on plain HTTP traffic. Not to mention that plain HTTP leaves you completely vulnerable to passive eavesdropping, which is completely prevented with a simple unauthenticated https.

We have this weird situation where many sites avoid using self-signed encryption in favor of *plain-text*. Thats broken. The preference should be authenticated certs from trusted cert vendors > authenticated certs from minor cert vendors > self-signed >>>> plain-text.

From the users perspective plain-text mode and self-signed should look exactly equal: Both are not authenticated both could be forgeries.

There is no need to single out self-signed HTTPS:, and doing so reduces user security rather than increasing it.

Self-published certificates can _not_ stop DPI

Posted Aug 28, 2008 13:07 UTC (Thu) by alankila (guest, #47141) [Link] (2 responses)

While it is better in privacy sense to use SSL than not use SSL, there is still the issue that as man-in-the-middle attacks are just as possible as before.

The most serious objection I can see for any scheme that accepts untrusted certs without bothering user with it, is that it can be thwarted by constructing a proxy that impersonates remote SSL sites with lookalike certificates of its own. So the browser damn well can't just decide silently to proceed when it sees a self-signed cert.

And now comes the problem: Does the user really know if the site is supposed to have a real certificate instead of self-signed one? So you get back the UI question that says something like "This site has a self-signed certificate for privacy protection only. Proceed to connect? [N/y]" and most users will answer "y".

This, in effect, reintroduces the simple warning we just get rid of, and undermines the security of the real certificates by making it easier to substitute them with self-signed ones. In effect, the whole value of this new scheme is in the fact that it is actually annoying and scary. We could, I guess, introduce http/1.2 or something that encrypted ordinarily plaintext traffic, though. Just don't call it https, and don't tell user about it.

Self-published certificates can _not_ stop DPI

Posted Aug 28, 2008 13:55 UTC (Thu) by gmaxwell (guest, #30048) [Link] (1 responses)

So the browser damn well can't just decide silently to proceed when it sees a self-signed cert.

So why then does the browser connect to plain HTTP sites without a warning? At *best* plain HTTP is equally vulnerable, and realistically it's a heck of a lot more practical to exploit plain HTTP.

"This site has a self-signed certificate for privacy protection only. Proceed to connect? [N/y]" and most users will answer "y".

Why the heck would it do that? Non-https sites don't cause the browser to say "This site is not protected by SSL at all. Proceed to connect?" today, so why should it do that?

I could see an argument that that "https" in the URL bar has some significance to the user, though I suspect any study of user behavior would show otherwise. But this could easily be addressed: Adjust the URL bar so the protocol is not displayed normally, have it be off to the left where you can reach it while editing the URL but not where it's normally displayed. Denote properly authenticated https with the traditional padlock icon, and the new and fancy colored URL bar. Users on the more clueless end of the spectrum will think that non-authenticated HTTPS == Plain HTTP, which is true in the worst case. No surprises.

Self-published certificates can _not_ stop DPI

Posted Aug 28, 2008 14:53 UTC (Thu) by johnkarp (guest, #39285) [Link]

I think the point is that an illusion of security can be worse than no security at all.

Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 9:21 UTC (Thu) by epa (subscriber, #39769) [Link] (7 responses)

Surely the key issue is this: why do you present pages of frightening warnings for a self-signed certificate, but no warning at all if your browsing is entirely in the clear? A self-signed certificate is not less safe than unencrypted http. It may not be any more safe; it shouldn't get the padlock icon or glowing green bar; but to treat it as highly dangerous while not even raising an eyebrow for unencrypted browsing will just encourage people to not set up https sites (unless they are willing to pay the protection money) and stick with plain http. Which is surely not improving anyone's security.

Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 9:58 UTC (Thu) by BenHutchings (subscriber, #37955) [Link] (6 responses)

Suppose I bookmark my bank's login page at https://bank.example.com. Shouldn't I get a big fat warning if I use that bookmark and the remote server presents a self-signed certificate?

Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 11:29 UTC (Thu) by epa (subscriber, #39769) [Link] (5 responses)

I think you have a point. Clearly if the site used to have a certain certificate and the cert has changed since your previous visit, then the new cert had better be signed by a recognized authority.

But equally, suppose I type in http://bank.example.com. Shouldn't I get a big fat warning that there is no way of preventing MITM attacks?

Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 13:18 UTC (Thu) by Tjebbe (guest, #34055) [Link] (1 responses)

why? who says that there is any important information being handled there?

Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 16:19 UTC (Thu) by epa (subscriber, #39769) [Link]

why? who says that there is any important information being handled there?

And who says there is any important information on an https site just because it uses https? Why shouldn't LWN or Slashdot or some random blog use https for getting my username and password when I post comments? Or indeed just for normal web browsing?

Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 14:14 UTC (Thu) by Tar (guest, #2456) [Link] (2 responses)

But most SSH servers present a self signed certificate too.

If at one time you choose to trust this server cert you wont be bothered about it again unless the certificate changes/expires or whatnot.

Why can't the selfsigned certs with HTTPS behave the same way?

Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 15:15 UTC (Thu) by johnkarp (guest, #39285) [Link] (1 responses)

One big difference I can think of: A user of a secure shell is more likely to understand the security implications of their decisions than a random human with a web browser.

Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 15:48 UTC (Thu) by IkeTo (subscriber, #2122) [Link]

A bigger reason might be that a successful MITM attack is much more likely to empty the bank account of the victim if the connection being attacked is a web browser connection than if it is a secure shell connection.

Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 16:06 UTC (Thu) by docwhat (guest, #40373) [Link] (5 responses)

From the user point of view, isn't a self-signed certificate equal to unencrytped? So why point out the certificate at all?

Just have the UI make no change to the status (don't add the padlock icon, etc.); have the UI pretend it's an http site.

Ciao!

Firefox 3 SSL certificate warnings

Posted Aug 29, 2008 16:11 UTC (Fri) by giraffedata (guest, #1954) [Link] (4 responses)

From the user point of view, isn't a self-signed certificate equal to unencrypted?

Self-signed is better than unencrypted because with unencrypted, an eavesdropper can get your password. With self-signed, he can't.

But with respect to impostors and men in the middle, they're equivalent.

Simply not displaying any claim of security, as you suggest, for the self-signed certificate is probably better than the dire warning. But it would also be nice to see some icon that tells me that, while I might be talking to an impostor, at least no one can eavesdrop on me. Since it's significantly harder for someone to intercept my traffic than just look at it, there are things I would risk in that case that I wouldn't risk on a totally unencrypted connection.

However, I don't know that there's any practical way to make the average user understand this mid-level security. So by default, it would be better to make no claim at all.

Firefox 3 SSL certificate warnings

Posted Aug 29, 2008 18:03 UTC (Fri) by docwhat (guest, #40373) [Link]

As you say, though, you don't know about impostors or men-in-the-middle. You know at least part of the traffic is encrypted, but you don't what part and if it matters or not.

That's why I would consider them equivalent.

Ciao!

Firefox 3 SSL certificate warnings

Posted Aug 30, 2008 1:57 UTC (Sat) by njs (subscriber, #40338) [Link] (2 responses)

> But with respect to impostors and men in the middle, they're equivalent.

Sometimes. But usually not... The most valuable thing about a self-signed certificate from my point of view is that you can detect when the cert changes -- so if someone hijacks your connection to a site you've used before, you *know*. This describes the vast majority of sites that I trust with sensitive information -- I have a relationship with them! And even if your first visit to some site gets hijacked, whenever you visit that site again later you will at least discover that it happened (because the real non-hijacked connection will use a different cert than you're expecting).

Firefox 3 SSL certificate warnings

Posted Aug 30, 2008 2:11 UTC (Sat) by giraffedata (guest, #1954) [Link] (1 responses)

The most valuable thing about a self-signed certificate from my point of view is that you can detect when the cert changes

Good point.

But as a practical matter, is there any web browser that detects that? I appreciate that the two SSH clients I use do, but I thought web browsers didn't. I assume that the fact that one visits a lot more web sites than shell sites has a lot to do with it.

Firefox 3 SSL certificate warnings

Posted Aug 30, 2008 9:04 UTC (Sat) by njs (subscriber, #40338) [Link]

> But as a practical matter, is there any web browser that detects that?

No, sigh.

Well, you'll get the "it's self-signed, make an exception or run and hide?" dialogs again when the cert changes, but there's no notification that you *already* made an exception, so you'll probably treat it the same way you treat all the other dialogs like that, i.e. curse and click through.

Firefox 3 SSL certificate warnings

Posted Aug 29, 2008 14:14 UTC (Fri) by jarto (guest, #3268) [Link]

How often do these man in the middle-attacks really happen? Is there any point to take drastic measures against self signed certificates if the problem is relatively rare?

Tens of millions of computers worldwide are infected by spyware. On an infected computer FF3 may proudly tell how the traffic between a valid site and the browser are completely safe. However security is already compromised as anything you do on that computer may be logged.

Firefox 3 SSL certificate warnings

Posted Aug 30, 2008 22:45 UTC (Sat) by evanp (guest, #50543) [Link]

I've been using FF3 and hearing about these warnings for a while now.

Just yesterday, I was resurrecting a seldom-used internal server at work and realized that its self-signed SSL certificate had expired, and I'd have first-hand experience with the new, dire warnings.

Frankly, I don't understand what all the fuss is about.

It's a few more clicks, but not that many. And you can make the exceptions permanent, just as before. So it's probably fifteen seconds of work once every year for every self-signed website you visit. I think we can manage.

Firefox 3 SSL certificate warnings

Posted Sep 4, 2008 15:28 UTC (Thu) by obi (guest, #5784) [Link]

The value of a self-signed cert is that
1) your traffic is still encrypted
2) you can detect if the cert has changed

So, I would just do what other people have suggested, which is, make no UI changes (no padlock, yellow or green bar, etc) for self-signed https, pretty much like with plain http; but store the cert the first time you connect. If the cert changed on a later visit, raise the alarm bells.

While it still wouldn't provide perfect security (especially if it's the first time you connect) - the point is to:
1) not give the illusion of security (same as plain http)
2) provide some protection against casual sniffing
3) provide some detection of MITM attacks (providing it's not the first visit)

Firefox 3 SSL certificate warnings

Posted Sep 4, 2008 17:46 UTC (Thu) by endecotp (guest, #36428) [Link]

> there are CAs, like StartSSL, that provide free certificate

My understanding is that these certificates are accepted out-of-the-box by only Firefox 3 and perhaps Safari. Some of the other very cheap certs have similar problems.

Firefox 3 SSL certificate warnings

Posted Sep 6, 2008 15:55 UTC (Sat) by apollock (guest, #14629) [Link]

I've never bothered with self-signed server certificates, because they seemed kind of half-baked. I went to the extra effort of setting up my own CA (with granted, a self-signed CA certificate, but you can only go so far up the food chain without spending money) and use that to issue server certificates for my servers.

Then it becomes an issue of clients installing my CA certificate into their browser as a trusted CA, and all my certificates are trusted.

I consider self-signed (or private CAs) as a cost-avoidance mechanism. If you want the real experience, you have to pay for it...

The list of expired SSL Certificates in use is growing.

Posted Oct 20, 2008 11:42 UTC (Mon) by PlanBForOpenOffice (guest, #54799) [Link]

BBBOline Seal a program of the Better Business Bureau to instill consumer trust in Online merchants can't manage its SSL Certificate expiration.