Closed Bug 433324 Opened 16 years ago Closed 8 years ago

The "add SSL exception" dialog implies certs not recognized by Firefox are never legitimate

Categories

(Firefox :: Security, defect)

defect
Not set
normal

Tracking

()

VERIFIED WONTFIX

People

(Reporter: hramrach, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b5) Gecko/2008032619 Firefox/3.0b5
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b5) Gecko/2008032619 Firefox/3.0b5

When I encounter a site with invalid SSL certificate and choose to add an exception I get a dialog which says:

You are about to override how Firefox identifies this site.

Note that legitimate banks, stores, and other public sites will not ask you to do this.

This is very inaccurate - this does not really change site identification in my view. It might at most verify the identification, or accept that it is not verified.

Also it implies that sites which did not pay Verisign are not legitimate. Or that sites which are signed by a new cert that is not yet in Firefox are not legitimate either. This is also very misleading.

Yes, there are multiple dubious pay-for certs in Firefox, not only Verisign. Still I do not see how sites signed by any of these are more legitimate than any other site, or how a site not signed by one of these is less legitimate than the ones signed.

I would only trust a site signed by a local authority with known policy for issuing certs. 

Thanks

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Component: General → Security
QA Contact: general → firefox
(In reply to comment #0)
> This is very inaccurate - this does not really change site identification in my
> view. It might at most verify the identification, or accept that it is not
> verified.
> 
> Also it implies that sites which did not pay to Verisign are not legitimate. Or
> that sites which are signed by a new cert that is not yet in Firefox are not
> legitimate either. This is also very misleading.
> 
> Yes, there are multiple dubious pay-for certs in Firefox, not only Verisign.
> Still I do not see how sites signed by any of these is more legitimate than any
> other site or how site not signed by one of these is less legitimate than the
> ones signed. 

The way you characterize your concern here ("sites that did not pay Verisign..." &c.) is unhelpfully combative and I'm not sure what you intend to accomplish by it, but here goes anyhow:

Any CA in our trusted store that signs your certificate will verify ownership of the domain name.  That is not as thorough an identification as other products, like EV certs, but it is considerably more than nothing in that it eliminates an entire (and meaningful, and actively deployed) threat class: man in the middle attacks.

Without any trusted third party assurance that a given certificate is being presented by the site's rightful owner, we are unable to ascertain whether the content provided is coming from the actual site, or from an imposter running a rogue access point, or otherwise intercepting the traffic.  One of SSL's fundamental guarantees is that content cannot be altered, but obviously that guarantee means nothing without affirmative identification of the other endpoint.

Now, if you're saying to me, "My own webmail site is only used by my friends, they all know and trust me, what's the big deal" then certainly you should go ahead and use whatever cert you like, and tell your friends to add the exception as well.  But if you're a bank, or an online auction site, or a dealer in the finest antique badger hair shaving brushes, you are presumably concerned that your customers & clients find their way to you, and not to an imposter.  With a self-signed certificate, this is not a determination we can make, so we are forced to error out and ask the user whether they have good reason to believe the unproven claims of the site.

You mention money multiple times in your complaint, as though it somehow undermines the system of verification involved.  I don't see how it does, but if you find the idea loathsome, it should be noted that companies like startcom will issue free, signed SSL certs (after verifying your domain ownership) so you needn't feel compelled to spend money to acquire a verified certificate. 
 
I think I hear what you're saying - that you are not a bad person and that using a self-signed certificate shouldn't make you out to be one.  But we have almost 200 million users, almost all of whom know nothing about certificates or the complexities therein. It's important that they understand up front that a site which claims to be, e.g., bankofamerica.com, but presents a self-signed cert, is not legitimate, and should not be trusted unless they know exactly what they're doing.

Based on that, I'm marking this bug WONTFIX.  If for some reason you are minded to contest the point, I would humbly suggest 2 things first:

 - Read bug 387480, where the current wording was developed paying careful attention to the fact that everyone there is debating what is best for users, no one there gives a damn about what is best for Verisign.
 - Come back with an approach that reflects a basic understanding and respect for the idea that the people working on this browser are not idiots, and are not in the pocket of any global cabal bent on empire.  It's insulting for me to be told that I am doing things with avaricious motives, but even if you don't care about any of that, it's also much less likely to get you meaningful results.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → WONTFIX
verified

This has been discussed over and over, just search for such discussions
Status: RESOLVED → VERIFIED
I'd like to reopen this to reconsider the wording. Although 90% of typical consumers will never see them, the minority who do use self-generated certs in a legitimate way take umbrage at the current wording.

It may be an impossible task, we do in fact want to scare away people who don't know what they're doing. One option is to shorten the text, dropping the ambiguous "public" sites.

  Legitimate banks and commercial sites will not ask you to do this.

I think that is equally scary and has exactly the same point to my mother-in-law without implying private sites are illegitimate.

Or we could get all wordy (always my first impulse) and add a section for private sites, but I think that's more what we had in some of the bug 387480 early attempts.

  Legitimate banks, stores, and other public sites will not ask you
  to do this. For private networks you will have to confirm this
  certificate independently with the administrator of that site.

I think shorter is better. Means exactly the same to our target audience and appears less judgemental to expert users.
Status: VERIFIED → UNCONFIRMED
OS: Mac OS X → All
Hardware: PC → All
Resolution: WONTFIX → ---
Summary: The "add SSL exception" dialog wording implies sites that did not pay to Verisign are not legitimate → The "add SSL exception" dialog implies self-signed certs are never legitimate
Version: unspecified → Trunk
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: wanted-firefox3.1?
In reply to comment #1:

I do not have much trust in Verisign & co not because they usually want money but because there is another discussion about adding new certs to Firefox where it is mentioned that Verisign in fact did issue bogus certificates, and I do not see how that's going to be prevented in the future.

The fact that they ask for money for this dubious identification service makes the issue slightly insulting, and the Mozilla policy for including these certs (IE has them so we have to include them, but anybody else who wants a cert in Firefox must provide an audit report) is not helping.

Still that was a code signing certificate, not a site certificate so there might be some hope for site certs.

Technically if I wanted to prevent man in the middle attacks I would require the institution to provide the cert or cert fingerprint in a way that does not rely on the internet - such as presenting it at their physical offices or snail-mailing it.

The wording also does not take into account that your copy of Firefox might have an outdated list of certs, so the site in question might be using a completely Verisigned certificate that an outdated Firefox installation won't recognize (which you failed to address at all in your reply, dwelling on how my distrust of Verisign insults you).

So in general I am fine with wording that includes a single sentence in bold for the general user and fineprint that explains the details.

Perhaps something like this:

You are about to override how Firefox verifies the identity of this site!

Commercial sites, banks, and other institutions will not ask you to do this.

If Firefox is unable to verify the identity of the site somebody else could impersonate the site to present false information or obtain your password or other data you enter on the site. You should contact the site owner to verify the identity of the site - you might need to obtain a verified certificate that is not present in your copy of Firefox.
I agree with Comment #3 From  Daniel Veditz.

"Note that legitimate banks, stores, and other public sites will not ask you to
do this."

This is an untrue statement. We _are_ a legitimate public site and we _do_ ask users to do this. We have to, because of https://bugzilla.mozilla.org/show_bug.cgi?id=378882

In my opinion it's not acceptable that Firefox is denouncing our site not to be legitimate.
Stop me if I'm wrong, but isn't there another way to handle self-signed certificates?
My opinion is simple: "legitimate" sites or servers that use self-signed certs don't want to identify themselves (and to be honest I think adding them as an exception should not even be possible).

Well, these sites just want to use the encryption functionality (for a simple example, IRC servers or personal sites; they want to protect discussion and surfing from sniffing, but such public servers don't have the money to pay for a valid certificate).

So rather than asking to add a self-signed certificate as an exception, why not just use them as encrypt-only certificates?

I mean accept them without notice and don't show the site as green like a normal https site. Just add an icon to show the communication is encrypted, but that the site is just a normal and not legitimate site (no https, no green URL, no surrounding blue favicon, but only in the site information that the connection is encrypted).

In addition, even revise the padlock icon: for me a padlock does not mean an authenticated site but an encrypted communication, and therefore an authenticated site should have a more "coherent icon". But well, forget that last line, because people are now used to that padlock.

Thank you for reading
You should have read Johnathan's comment 1 a bit better before posting, in particular:

(In reply to comment #1)
> Without any trusted third party assurance that a given certificate is being
> presented by the site's rightful owner, we are unable to ascertain whether the
> content provided is coming from the actual site, or from an imposter running a
> rogue access point, or otherwise intercepting the traffic.

It boils down simply to the technicality of third party confirmation; without it there is no encryption and no protection. But how would you notice that your connection is being intercepted when no warning would appear?

Also today one doesn't have to pay for "trusted" certificates either which is still news for some...
Well I have some problem to really understand that, so in my own word;

Does it mean that connecting to a site proposing a self-signed cert means that encryption is useless because no third party organization is available?
Therefore, there is no way to furnish a site with "no long browser configuration" encryption without having a trusted third party.

I'm saying that from a personal thought: I want to have my communication between me and a server encrypted (irc, ftp, or an online chat between 2 persons). All I need is that the server I connect to has encryption between me and it, but I just don't care who the server is; it's not because it has a valid cert that it won't sniff and record the discussion.

And truly I have to admit it's totally new to me that it's possible to have a valid certificate for free and easily (which gives me some doubt about the reliability of such certificates, and logically about the whole system).

Anyway thank you for the answer, I know there have been a lot (not enough strong) of discussion about managing cert, sorry to bother again on it.
(In reply to comment #9)
> Does it means that connecting on a site proposing a self-signed cert means that
> encryption is useless because no third party organization is available?

Correct.

> I’m saying that from a personal thought, I want to have my communication
> between me and a server encrypted (irc, ftp, or a online chat between 2
> persons) all I need is that the server I connect to has an encryption between
> me and him, but I just don’t care who the server is, it’s not because it have a
> valid cert that he won’t sniff and record the discussion.

You do care that the server is really the server you intended to talk to in first place. Consider this:

You <-> Man-in-the-middle <-> Server

Where the MITM presents you with a self-signed certificate which you are ready to accept. Now Mr. MITM is listening to your "encrypted" content by passing everything from you to the server and back. There are various ways for an MITM to get in between yourself and the server, be it by DNS poisoning, WiFi access points, proxies and even more nasty things. But once it does happen you really want to know about it (and take appropriate actions).

> And truly I have to admit it’s totally new to me that it’s possible to have
> valid certificate for free an easily (which give me some drought of the
> reliability of such certificate, and logically on the all system)

It's the domain control which is validated by the third party - the same technicality mentioned above. The free ones don't confirm identity like any other domain control validated certificate: http://www.startssl.com/

Hope this helps.
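To make the point of comment 10 concrete (and the suggestion in comment 3 of checking a certificate fingerprint obtained out of band), here is an added Go example; it is not part of this bug's discussion and not Firefox code. It builds a tiny CA and three certificates for a made-up hostname, then runs the two checks a client can do: chain verification against a trusted root (what the browser does for a CA-signed cert, including the hostname check), and comparison against a pinned fingerprint (what a user could do for a self-signed cert whose fingerprint they received in person or by post). The hostname, the CA name and all keys are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

const host = "mail.example.test" // constructed hostname for the example

// newKey generates a fresh P-256 key for one of the parties in the example.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue creates a certificate for name with key. With parent == nil the
// certificate is self-signed; otherwise it is signed by parent/parentKey.
func issue(name string, isCA bool, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the hostname binding lives in the SAN
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the template signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// verifyChain does what a browser does with a CA-signed cert: build a chain
// to a trusted root and check the certificate is valid for the hostname.
func verifyChain(leaf *x509.Certificate, roots *x509.CertPool, name string) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: name, Roots: roots})
	return err
}

// fingerprint is the SHA-256 of the DER certificate, the value a site owner
// could hand to users out of band instead of relying on a third party.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// verifyPinned accepts a presented certificate only if it is exactly the one
// whose fingerprint was obtained out of band.
func verifyPinned(presented *x509.Certificate, pinnedFingerprint string) bool {
	return fingerprint(presented) == pinnedFingerprint
}

// checkScenarios runs the cases discussed in the thread; true means the
// check behaved as it should (accepted the genuine cert, rejected the other).
func checkScenarios() map[string]bool {
	caKey := newKey()
	ca := issue("Example Root CA", true, caKey, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	siteCert := issue(host, false, newKey(), ca, caKey) // CA-signed, domain validated
	selfCert := issue(host, false, newKey(), nil, nil)  // the site's own self-signed cert
	mitmCert := issue(host, false, newKey(), nil, nil)  // an interceptor's self-signed cert, same name
	pin := fingerprint(selfCert)                        // received out of band, not over the network

	return map[string]bool{
		"ca_signed_ok":         verifyChain(siteCert, roots, host) == nil,
		"wrong_host_rejected":  verifyChain(siteCert, roots, "other.example.test") != nil,
		"self_signed_rejected": verifyChain(selfCert, roots, host) != nil,
		"self_signed_pin_ok":   verifyPinned(selfCert, pin),
		"mitm_pin_rejected":    !verifyPinned(mitmCert, pin),
	}
}

func main() {
	for name, ok := range checkScenarios() {
		fmt.Printf("%-22s %v\n", name, ok)
	}
}
```

The two self-signed certificates carry the same name and look identical to a client that has no pin and no trusted root for them, which is exactly why a browser cannot tell the site from the interceptor on its own; the fingerprint comparison only works because the pin arrived through a channel the interceptor does not control.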
It helps and is totally clear now, and therefore I understand why validating the server is required. And for the last one:
>The free ones don't confirm identity
Looks like things already exist but are not fully known by admins. I will note this in my head for the future, thanks a lot.
A specific "I know what I'm doing, allow all self-signed certs" option for the sake of testing (I'm thinking an about:config setting) would save enormous amounts of time, and would prevent many of the (often inflammatory) complaints that people have been making.

Yes, it would also be nice if the main dialog didn't imply malice, or required less hoop-jumping, but I'd gladly settle for a "just let me do this" under-the-hood setting, and I bet I'm not the only one.
The wording has been changed to some extent.

There is quite good explanation in the "I Understand the Risks" part of the error page and the error page is generally helpful (although it still talks about identification, not identity verification).

However, the Add Exception dialog still includes only the sentence "Legitimate banks, stores and other public sites will not ask you to do this." which is very insulting to sites which use a certificate which is not recognized by Firefox for legitimate reasons (such as having their own certification authority with their own policy) or use a cert which Firefox does not have yet.
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Iceweasel/3.6.13 (like Firefox/3.6.13)
Summary: The "add SSL exception" dialog implies self-signed certs are never legitimate → The "add SSL exception" dialog implies certs not recognized by Firefox are never legitimate
Flags: wanted-firefox3.5?
Hello,

I agree. I never understand why it is so complicated to visit a site with an expired/self-signed certificate.

Why even a message? This is still more secure than a site with no SSL at all! There are not 5 clicks needed to visit a site with no SSL.

This stupid message is too annoying. A single "Are you sure? yes / yes forever / no" should be enough.


5 clicks to visit a site once, and we even don't know what is the problem with the certificate!
Part of the trouble is that identity verification and secure transport are two different problems but are wrapped up in one solution.

If I point my browser to https://192.168.0.100 for example, I am 100% not interested in whether the identity of the host can be confirmed by some trusted party.  I know the identity.  I used an IP address.  I'm still interested in having the communications be encrypted, which is why I'm using https.

I suppose there's the philosophical question of whether a browser should do things differently when pointed to an IP versus a hostname that has to be resolved, but I would sure love the practical result of not jumping through any flaming hoops when connecting to a known machine.
These warnings have been discussed ad nauseam over the years, and the general industry trend is to expect a properly signed certificate, full stop. It's nearly impossible to try and improve edge-case uses without exposing normal users to security issues they don't understand.
Status: NEW → RESOLVED
Closed: 16 years ago → 8 years ago
Resolution: --- → WONTFIX
Status: RESOLVED → VERIFIED
> the general industry trend is to expect a properly signed certificate, full-stop.


Hahaha! No.

- In Opera (so I guess in Chrome),
- in Opera Mobile,
- in IE,
- in Qupzilla,
- and in Vivaldi

there is a SINGLE CLICK confirm to go on a site with a bad certificate. Firefox is ridiculous and your answer is ridiculous. WE ARE users of Firefox. Are we abnormal because we don't want a 5-click confirmation?

Normal users can't even understand how to add an exception, it's not clear enough anyway and it should be improved.
These warnings HAVE been discussed a lot over the years.  Why?  Because this behaviour interferes with users -- lots of us -- whether we're "normal" or not.

Bugs are reported here for a Free, open, allegedly community-centric project.  This is not a "general industry".  This is our browser.  Isn't it?

"Nearly impossible"?  To even consider any improvement at all?  Even the single click confirmation DJiK mentioned so many other browsers have?

Is accessing a host via its IP an "edge case"?  Do web developers use web browsers as daily tools?  It sure seems like we do.  There are even built-in firebug-like features now.  There's that awesome bar which can take all kinds of different input and figure out what the user intends.  But acknowledging an IP address as a host's identity, what, that's going too far?

Justin Dolske, I thank you for your work, and I understand why this is frustrating, but your comment reads like a big string of cop-outs.  I don't think any of us, "normal" or "edge case", feel like this is "resolved".