Closed Bug 431827 Opened 16 years ago Closed 16 years ago

Exceptions for invalid SSL certificates are too easy to add

Categories

(Firefox :: Security, defect)

defect
Not set
normal


RESOLVED WONTFIX

People

(Reporter: ivanr, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5

When Firefox 3 encounters an invalid SSL certificate it displays an error page and refuses to proceed. This is of great help over the handling of invalid SSL certificates in Firefox 2, but I don't think the error page goes far enough.

The link at the bottom of the page allows the user to create an exception, and it will be used by those who don't know what they are doing to create exceptions, just so that they can visit the site they are intending to visit. Users can be a creative and stubborn bunch when it comes to having their way. I propose that the link is removed. There is no point in doing this (making MITM attacks easier to detect) half-way.

Reproducible: Always

And how often have the certificate errors that you've seen been actual bona fide errors and not false positives? In my 13 years of WWW usage, I have NEVER encountered a "real" certificate error: ALL have been false positives. Webmasters sometimes forget to renew their cert (which doesn't automatically make the site any less secure). One site used their "www.example.org" certificate on their "members.example.org" sub-site (non-profit, so they can't afford a wildcard cert) and even https://paypal.com (without the www) will give you an error. And then there are people who use self-signed certs for personal use so they don't have to worry about sending stuff plaintext, especially when using WiFi (I added my server's self-signed cert to my browsers as a CA cert to avoid the error, but I sometimes want to access things from a public computer where I have not installed the cert). And what about the IT community, where self-signed certs are commonly used for testing, internal use, and limited-audience use (see bug 431386)?

IMHO, what you propose would add too much undue burden for very little gain because there is only so much that could be done to stop users from stubbornly going to a site.  Should Firefox go and disable all other browsers on the system to prevent the users from trying it in IE?  At a certain point, the responsibility has to fall to the user.
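The "false positives" listed in the comment above (a lapsed renewal, a certificate for one hostname served on another, and a self-signed certificate) are three distinct checks a browser performs, and a wildcard certificate only covers one label. The following Python is an added example, not Firefox or NSS code; the certificate records, the `TRUSTED_ISSUERS` set, the hostnames and the dates are constructed assumptions.

```python
from datetime import datetime, timezone

TRUSTED_ISSUERS = {"Example Public CA"}  # constructed stand-in for the browser's root store


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, and a leading "*." wildcard
    matches exactly one DNS label, so "*.example.org" covers "members.example.org"
    but neither "example.org" nor "a.b.example.org"."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if p and p[0] == "*":
        return len(p) == len(h) and p[1:] == h[1:]
    return p == h


def triage_cert(cert: dict, host: str, now: datetime) -> list:
    """Return the reasons a browser would reject `cert` for `host` (empty list = accepted)."""
    reasons = []
    # 1. Validity window: the "webmaster forgot to renew" case.
    if now > cert["not_after"]:
        reasons.append("expired")
    # 2. Name match: SANs take precedence, the subject CN is only a fallback.
    names = cert["san"] or [cert["subject"]]
    if not any(hostname_matches(n, host) for n in names):
        reasons.append("hostname_mismatch")
    # 3. Chain of trust: a self-signed cert is its own issuer; anything else must chain to the store.
    if cert["issuer"] == cert["subject"]:
        reasons.append("self_signed")
    elif cert["issuer"] not in TRUSTED_ISSUERS:
        reasons.append("untrusted_issuer")
    return reasons


def make_cert(subject, san, issuer, not_after=datetime(2009, 1, 1, tzinfo=timezone.utc)):
    """Constructed certificate record carrying only the fields the checks need."""
    return {"subject": subject, "san": san, "issuer": issuer, "not_after": not_after}


NOW = datetime(2008, 5, 1, tzinfo=timezone.utc)  # constructed reference time
SAMPLES = {
    # a www.example.org cert reused on the members.example.org sub-site
    "www_only": make_cert("www.example.org", ["www.example.org"], "Example Public CA"),
    # the wildcard cert the non-profit could not afford; it does not cover the bare domain
    "wildcard": make_cert("*.example.org", ["*.example.org"], "Example Public CA"),
    # a self-signed cert on a personal server
    "self_signed": make_cert("home.example.net", ["home.example.net"], "home.example.net"),
    # a cert nobody renewed
    "expired": make_cert("www.example.com", ["www.example.com"], "Example Public CA",
                         not_after=datetime(2008, 1, 1, tzinfo=timezone.utc)),
}
```

Running `triage_cert(SAMPLES["www_only"], "members.example.org", NOW)` yields `["hostname_mismatch"]`, while the wildcard sample passes for that host but fails for the bare `example.org`.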

Yes, I am aware of the various difficulties. I am accessing sites (mostly appliances, actually) with self-signed certificates on a daily basis. My main concern is with the users, who will blindly click through any warnings in order to get to the intended web sites. We have the situation we have today exactly because treatment of this problem has been traditionally lax (in all browsers). The Internet is falling apart, security-wise, exactly because everyone keeps making the easy choices, instead of the right ones.

(In reply to comment #2)
> We have the situation we have today exactly
> because treatment of this problem has been traditionally lax (in all browsers).
Not so sure about that.  It may be a contributing factor, but certainly not the cause.  There are inherent difficulties in security and identity on the Internet, and as such, certificates have always been an imperfect and clunky way to solve the problem that really has no good technical solution to begin with.  Given how few people (even administrators) understand the infrastructure or even what the heck a certificate is, the problem extends far beyond browsers being lax.  If anything, causality runs the other way: browsers are forced to be lax *because of* the mess that is more or less inherent in the system, not vice-versa.

> The Internet is falling apart, security-wise
That's quite a strong statement, and not one that I agree with... and even if it is "falling apart", there is no evidence that SSL will do much to change that.  How many phishing sites even make use of SSL?  And how much of Internet security is even of the phishing variety?  And just how common are MitM attacks in the real world?

> exactly because everyone keeps
> making the easy choices, instead of the right ones.
The "right" choice depends on how you define "right".  From an absolutist point of view, "right" is the hard crackdown that you propose.  From a pragmatic point of view, "right" is the result of balancing the benefit of a hard crackdown with the harms arising from restricting end-user freedom.  Given the reality of the situation, that balance does not favor a hard crackdown, given the relative scarcity of SSL-based attacks.

Right now, the error is sufficiently onerous and ugly that it should be enough to prod administrators to clean up their certificate errors, and it's sufficiently difficult to bypass that only the most determined user will click through (make exception, see strange off-putting dialog, click get certificate, click confirm exception, which is far more complex than the previous one-click dismissal).  And frankly, if those users are that desperate to see their dancing bunnies, then they'll find another way around it (open another browser or follow instructions to install the certificate).

*chuckles at bug 432072*

Version: unspecified → Trunk

The current implementation is a compromise, and like all good compromises everyone goes home a little unhappy. The initial implementation of the SSL error pages did exactly what this bug is requesting. Read Johnath's saga on how that went:

http://blog.johnath.com/index.php/2007/10/11/todo-break-internet/

We're not going back to that for Firefox 3 (if anything we're still under pressure to make exception-granting easier for power users; see bug 427293, for example). The current UI makes users click a link to reveal some buttons, click the right button, read an exception dialog and click the "get certificate" button, and then click the grant-exception button (the cert-fetch click might be going away). It's not going to stop a user hell-bent on getting to the site, but it should be a sufficient speed bump that users realize this is not normal.
I'm sure this is a WONTFIX for Firefox 3. We're nervously waiting for feedback once we ship to see how we have to adjust this for future releases. Newsgroup and support-forum discussions are a better way to hash it out until we know what we want to change.

Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → WONTFIX

Fair enough. Ultimately, I only care that the issue was considered. I can see how what I am proposing could work if we could get all browsers to change the behaviour at once. Back in the real world, the choice about whether to compromise for this one thing is the group's to make. It's easy for me to say one thing or another since I don't have to live with the consequences.

Thanks for the link. It's both interesting and entertaining.

I would rather support going the other way around.
As you can see, there are a lot of people who host their servers with fake SSL.
By making things complicated, it turns a lot of people away from the site and gives lots of support headaches to the IT support of the fake-SSL-certificate-enabled website.

The end result won't be pretty. Lots of people will disable their SSL, and most of them will switch their site to "plain HTTP" login. This thus gives lots of opportunity for sniffers to steal their passwords along the way.

I would rather that Firefox enable a key in its config to disable the SSL complication. I don't mind having a default secure screen like the current one. But it would be better to allow technical support to teach users to disable the screens (back to the Firefox 2 style of warning) for fake SSL certificates.

Concerned person,

James