435453 - Please add option to turn off certification on broken sites rather than display "add an exception" dialog

Status: RESOLVED WONTFIX

(Firefox :: Security, enhancement)

Description

[Luke Hutchison]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9pre) Gecko/2008051904 Minefield/3.0pre
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9pre) Gecko/2008051904 Minefield/3.0pre

A lot of sites have broken certificates (e.g. the cert is registered for "domain.com" rather than "www.domain.com"; expired; etc.).  The new "add an exception" dialog takes numerous additional clicks to display content on these sites.  However in most cases I have seen, when this dialog appears the site content certification turns out to not be that important for most users (it's just some bulletin board, not a banking site).  In fact high-security sites are much less likely to have a certificate problem, because they care about their certs more.

It would be great if Mozilla could have an option to just turn off certification if there is a problem with the cert.  Maybe this sounds like a very bad idea from a security point of view :) , but users that don't care about certification on most sites can "opt-in" to manually check that certs have been verified as valid on sites they care about, e.g. banking sites, rather than having the browser force a cert check on lots more sites where they don't care about.  (In that sense this would be a power user feature.)


Reproducible: Always

Steps to Reproduce:
1.
2.
3.

Comment 1

[Jesse Ruderman]

See bug 327181 comment 14 for why this is hard to get right and probably a bad idea, even for users who think they know what they're doing.

If you visit a lot of sites that use bad certs, there are some hidden prefs you can set to decrease the number of clicks to override from 4 to 2.

Comment 2

[Johnathan Nightingale [:johnath]]

Hi Luke,

I hear what you're saying - encountering sites configured with unverified or broken certificates is less than pleasant right now.  Ideally it should be a relatively infrequent thing for most users - add security exceptions for the sites you know and expect to have these breakages, and then they should continue to work.  If you are working in the web hosting industry, or otherwise encounter a surprising number of these though, you may be interested in the preferences that streamline the process, documented here: http://kb.mozillazine.org/Browser.xul.error_pages.expert_bad_cert

The idea of just letting the connections through is one that's often tossed around, but it creates some unfortunate attack vectors.  If you take your laptop to a coffee bar or hotel with wifi, an attacker could attempt to attack your connection using a tool like "ettercap."  The attacker can't forge proper site certificates though, only these invalid, self-generated ones.  We don't want users clicking on their web banking link, hitting this site which is now attacker-controlled, and just proceeding along.

You can see more about the decisions we made here: http://blog.johnath.com/index.php/2007/10/11/todo-break-internet/

If you're interested in a potential long-term fix to this behaviour, you may be interested in bug 398721.

Those various approaches are all options, but letting it through in the way you describe isn't really.  I hope the above helps explain why we do things the way we do, and how power users can streamline the process.

Comment 3

[Luke Hutchison]

Hey Jonathan -- thank you sincerely for your patient and thorough reply to my security-n00b question, especially because, after looking at those resources, I see this issue has already been beaten to death :-)  The arguments for the change make sense, and it looks like Key Continuity Management is already being looked at, which was going to be my next suggestion!

(You're probably already bracing for the tidal wave over this UI choice once FF3 is released ;) )

Thanks for the great work you guys have done, FF3 really rocks.