Verify self signed certificates using fingerprint

RESOLVED DUPLICATE of bug 1012879

Status

Firefox
Untriaged
3 years ago
3 years ago

People

(Reporter: Lorenzo Keller, Unassigned)

Tracking

36 Branch
x86_64
Linux
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
Created attachment 8582919 [details]
Screenshot from 2015-03-25 06:56:19.png

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Build ID: 20150220131007

Steps to reproduce:

Navigate to an SSL website that is using a self-signed certificate.


Actual results:

Firefox displays an error message that suggests that something is wrong.


Expected results:

Firefox prompts the user to enter an "authentication code" for the website that the user should have received from the website owner. This can for instance be obtained by the user via snail mail, SMS, QR codes, over the phone...

Once the user confirms the input, Firefox checks that the code entered matches the fingerprint of the received certificate. If it is the case, it adds the certificate to a local store of "manually authenticated" certificates until the certificate expires. Sites verified in this fashion are marked with a special badge (similar to what is done for EV certificates but with a different color to show the higher security level).

Certificates accepted in this way should always supersede CA validated certificates (and a warning should be displayed if a CA validated certificate is encountered).

The proposed approach has the following advantages:

 - It becomes easy for a normal user to properly validate a self signed certificate
 - It remains hard to convince a user to blindly accept a self signed certificate
 - It becomes possible to protect users from fraudulent certificates issued by accident by CAs
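
The check proposed in this report, sketched as an added example (not part of the original report and not Firefox code). It assumes the "authentication code" is the SHA-256 fingerprint of the DER-encoded certificate, which the report does not specify; `ManualStore`, its method names, and the sample bytes are hypothetical.

```python
import hashlib
import hmac
import re

# Constructed placeholder standing in for a certificate's DER bytes.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, as lowercase hex (assumed code format)."""
    return hashlib.sha256(der_cert).hexdigest()

def code_matches(der_cert: bytes, entered_code: str) -> bool:
    """Compare a user-typed code against the received certificate."""
    # Users copy codes with colons, spaces or dashes and in either case.
    code = re.sub(r"[\s:\-]", "", entered_code).lower()
    # Require the full 256-bit digest so a truncated code never matches.
    if not re.fullmatch(r"[0-9a-f]{64}", code):
        return False
    return hmac.compare_digest(fingerprint(der_cert), code)

class ManualStore:
    """Hypothetical local store of manually authenticated certificates."""

    def __init__(self):
        self._pins = {}  # host -> (fingerprint, not_after)

    def authenticate(self, host, der_cert, entered_code, not_after):
        """Pin the certificate until it expires, only if the code matches."""
        if not code_matches(der_cert, entered_code):
            return False
        self._pins[host] = (fingerprint(der_cert), not_after)
        return True

    def check(self, host, der_cert, now):
        """Return 'pinned', 'mismatch' (warn the user), or 'unknown'."""
        pin = self._pins.get(host)
        if pin is None or now >= pin[1]:
            self._pins.pop(host, None)  # expired pins are dropped
            return "unknown"
        # A pinned host presenting any other certificate, CA-validated
        # or not, is a mismatch: the manual pin takes precedence.
        same = hmac.compare_digest(pin[0], fingerprint(der_cert))
        return "pinned" if same else "mismatch"
```

The `mismatch` result corresponds to the warning case in the report, where a different certificate shows up for a site the user has already authenticated by hand.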

Comment 1

3 years ago
Hi Lorenzo,

Thanks for filing the bug. However, it looks like a similar idea was filed as Bug 1012879, so I'm marking this as a duplicate.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1012879