Closed Bug 1147287 Opened 9 years ago Closed 9 years ago

Verify self signed certificates using fingerprint

Categories

(Firefox :: Untriaged, defect)

36 Branch
x86_64
Linux
defect
Not set
normal

RESOLVED DUPLICATE of bug 1012879

People

(Reporter: lorenzo.keller, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Build ID: 20150220131007

Steps to reproduce:

Navigate to an SSL website that is using a self-signed certificate.


Actual results:

Firefox displays an error message that suggests that something is wrong.


Expected results:

Firefox prompts the user to enter an "authentication code" for the website that the user should have received from the website owner. This can for instance be obtained by the user via snail mail, SMS, QR codes, over the phone...

Once the user confirms the input, Firefox checks that the code entered matches the fingerprint of the received certificate. If it is the case, it adds the certificate to a local store of "manually authenticated" certificates until the certificate expires. Sites verified in this fashion are marked with a special badge (similar to what is done for EV certificates but with a different color to show the higher security level).

Certificates accepted in this way should always supersede CA validated certificates (and a warning should be displayed if a CA validated certificate is encountered).

The proposed approach has the following advantages:

 - It becomes easy for a normal user to properly validate a self-signed certificate
 - It remains hard to convince a user to blindly accept a self-signed certificate
 - It becomes possible to protect users from fraudulent certificates issued by accident by CAs
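
The flow proposed in the report above, sketched as an added example (not code from the report or from Firefox). It assumes the authentication code is the hex SHA-256 fingerprint of the DER certificate and that the caller supplies the certificate's expiry; `ManualTrustStore` and the result strings are hypothetical names.

```python
import hashlib
import hmac
import re

# Assumption: the report names no hash or encoding; SHA-256 in hex is used here.
def fingerprint(der_cert: bytes) -> str:
    return hashlib.sha256(der_cert).hexdigest()

def normalize_code(code: str) -> str:
    """Strip only separators (spaces, ':', '-') and case; other junk must fail."""
    return re.sub(r"[\s:\-]", "", code).lower()

def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())

class ManualTrustStore:
    """Hypothetical local store of manually authenticated certificates."""

    def __init__(self):
        self._pins = {}  # host -> (fingerprint, not_after in epoch seconds)

    def authenticate(self, host, der_cert, not_after, entered_code):
        """Pin the certificate only if the typed code equals its fingerprint."""
        fp = fingerprint(der_cert)
        if not _same(normalize_code(entered_code), fp):
            return False
        self._pins[host] = (fp, not_after)
        return True

    def evaluate(self, host, der_cert, ca_valid, now):
        """Decide how to treat the certificate a server presented."""
        pin = self._pins.get(host)
        if pin and now >= pin[1]:
            del self._pins[host]  # the pin lasts only until the certificate expires
            pin = None
        if pin is None:
            return "ca-validated" if ca_valid else "prompt-for-code"
        if _same(pin[0], fingerprint(der_cert)):
            return "manually-authenticated"
        # The pin supersedes CA validation: a different certificate, even a
        # CA-validated one, produces a warning instead of silent acceptance.
        return "warn-pinned-mismatch"

# Constructed byte strings standing in for DER-encoded certificates.
SELF_SIGNED = b"constructed self-signed certificate"
OTHER_CERT = b"constructed CA-issued certificate for the same host"
```
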

Hi Lorenzo,

Thanks for filing the bug. However, it looks like a similar idea was filed as Bug 1012879, so I'm marking this as a duplicate.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE