373001 - Browser should give error instead of certificate warning dialog for bad certificates, dialog as user selectable option only

Status: RESOLVED DUPLICATE of bug 327181

(Firefox :: Security, defect)

Description

[B4ls4]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2

Hi,

If a user visits a website with an invalid certificate, that indicates a potentially serious security problem. Either negligence on the part of the webmasters (who didn't care to make sure the certificate is issued by a trusted CA, matches the hostname and is within the validity period) or worse, a deliberate attack. Most users won't be able to tell the difference.

In the real world, it may be compared to someone showing a passport to someone that is either expired (=certificate no longer valid), is a fake (=certificate not issued by a trusted CA), or is someone else's passport (=host name doesn't match subject DN name in certificate). Nobody in their right mind would accept such a document in the real world. Interestingly, when it comes to the Internet and SSL, most people will simply hit the button that will let them proceed, not even realizing the danger. More than that, they will get DRILLED and TRAINED to click on the "I don't care, I want to access the site anyway" button, thinking that this way they can simply get rid of the annoying dialog. Let's face it: most people consider the certificate warning dialog an annoyance - and NOT A WARNING.

For the above reason, it may be said that the certificate warning dialog has failed to fulfill its function as a warning, i.e. it will not deter people from doing what's bad, only make it more annoying.

In order to more effectively fight risks arising out of the use of invalid certificates, I recommend changing the way how the Mozilla browsers handle invalid certificates. In my opinion, the browser should display an error instead of a warning, and provide no easy way for the user to continue the session (much like a 404 error). The error message could contain something similar to the one below:

"Security Error:
The website you entered has failed to identify itself properly. This may be an indication of an attempt to steal confidential information from you. In order to protect the security of your data, Firefox has terminated the connection with the remote server.
If you believe the website is legitimate, please contact the appropriate administrator."

Of course, advanced users such as administrators and those who know what they are doing should be allowed the option to connect to such servers, but this should be a user configurable option that may be set in preferences, with the default setting being off (i.e. the browser should display an error by default which does not let the users proceed). If the user manually sets this option to "on", they should receive the certificate warning dialog as it is now.

Reproducible: Always

Steps to Reproduce:
1. Connect to a site with an invalid certificate (i.e. a certificate that is issued by a non-trusted CA, expired, or where the subject name in the certificate doesn't match the host name of the server).
Actual Results:  
A certificate warning dialog is presented, which gives the users the possibility to continue even though they can't verify the authenticity of the site.

Expected Results:  
The browser should present an error message instead of the warning dialog. The user should not be given the option to continue anyway (at least not by default). This condition should be treated as an error.

Comment 1

[Jesse Ruderman]

I think the change planned for bug 327181 is going to fix this by making certificate errors cause an error page rather than a warning dialog.