Closed Bug 410240 Opened 17 years ago Closed 16 years ago

Invalid certificate error exceptions should not be permanent by default.

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: nnkx00, Unassigned)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b2) Gecko/2007121014 Firefox/3.0b2
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b2) Gecko/2007121014 Firefox/3.0b2

When going to a site with an invalid SSL certificate, and selecting to make an exception, the make-exception-permanent checkbox should not be selected by default as a matter of security.

Making the default a temporary exception reminds the user/gives the user a better opportunity to check the certificate and ensure there isn't any mitm or other issues.

Furthermore, I think most people would expect exceptions to be temporary, not permanent...

Reproducible: Always

Steps to Reproduce:
1. Go to site with an invalid SSL certificate.
2. Get error page.
3. Select make an exception.
Actual Results:  
By default, the exception is a permanent exception.

Expected Results:  
The exception should just be a temporary bypass to the error page, and thus not permanent by default.
I think I prefer defaulting to permanent exceptions, too, because:

1) On the ninth visit, you're not likely to notice the "Make this exception permanent" checkbox.

2) If you're MITM'd on the tenth visit, you're not likely to notice that the certificate information is different, because you're so used to clicking through.

So given a non-malicious site that has an invalid certificate, it's safer if you add a permanent exception for that site-certificate or hostname mismatch pair.
Well, on your third visit, when it becomes clear you'll be there frequently (or earlier, if you know ahead of time), hit the "Make Exception Permanent" checkbox.

But I don't think we should default to accepting bad security practices.

One question that might make a difference is: if the cert is given a permanent exception, are the details saved and then if the cert for the site changes to another invalid cert at a later date, will Firefox throw up another error?
I agree with Neil, "make exception permanent" shouldn't be checked by default.

It's likely people will not understand they're adding a permanent exception to an invalid certificate. Checking the button make sure they understand it.
Like things are most people will click on confirm exception thinking : "well whatever, all I want is to see this website why it is all that complicated... ha there it is the ok button !". (My mom will think like that... at least if she understands she has to click on "or you can add exception" link and "add exception" button)
(In reply to comment #3)
> One question that might make a difference is: if the cert is given a permanent
> exception, are the details saved and then if the cert for the site changes to
> another invalid cert at a later date, will Firefox throw up another error?

Yes, it will. The exception is for that specific certificate on that specific host. If the site changes to a different cert you will have to add another exception for the new cert, but generally that should be a rare occurrence and you will want to inspect the new cert in detail. Having the default be temporary simply conditions people to add the exception every time.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.