Bug 438914 (Firefox :: Security, defect) - Closed, VERIFIED INVALID
Opened 17 years ago, closed 17 years ago
Reporter: karel.kohout; Unassigned
Firefox only supports certificates from about twenty oligopoly vendors, pushes "extended validation" certificates instead of user security
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008060909 Iceweasel/3.0 (Debian-3.0~rc2-1)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008060909 Iceweasel/3.0 (Debian-3.0~rc2-1)
The new version of Firefox handles SSL certificates in a way that promotes monopoly certificate authorities and "extended validation" certificates. Contrary to older versions, the yellow bar signalling an encrypted connection is gone. It has been replaced by three options:
1) Green bar with "extended validation" (also significantly extended price and impossible to obtain for small business / non-profit organisations) certificates (produced by about twenty "oligopoly" vendors).
2) Slightly shaded favicon (almost invisible) for certificates without extended validation (or from "normal" certificate authorities, e.g. local university, local governmental CA,...) you already approved.
3) Error page, quite similar to "Server unreachable" (and mistakenly interchangeable), is presented to the user if the certificate is self-signed or signed by a CA not present in the browser. There is a small link to add an "exception", which takes several steps to get to the site.
This clearly lowers security for the user, because very few sites use certificates with extended validation, and many more sites use self-signed certificates (that still prevent eavesdropping). However, with the new Firefox behaviour, it is right now preferable to use no encryption (SSL) at all, because it does not present the user with a security warning (although everything is sent insecurely in plain text).
Also, there is no way to establish whether any of the approved certificate authorities are really that secure (or whether the user should rather believe a self-signed certificate produced by his local university or a certificate verified by e.g. Starfield Technologies), yet Firefox forces "normal" users to accept only certificates from companies who (probably) very much support the Mozilla Foundation.
Reproducible: Always
Steps to Reproduce:
1. Visit https://www.cacert.org
Actual Results:
I was presented with an error screen, I believed the server is unreachable (familiar yellow triangle - or square).
Expected Results:
Dialogue saying that the certificate is signed by an untrusted CA, but the connection itself is secure from eavesdropping.
Comment 1 • 17 years ago
This isn't a bug report, it's a rant, and a relatively uninformed, insulting one at that. I have to assume that you felt some good could come of posting this, that you wouldn't just cavalierly waste your own time and ours by opening a bug report that was nothing but bile. But I am perplexed by the fact that, being an apparently smart and passionate person, it should have been obvious to you that adopting an abusive and accusatory attitude would undermine those goals.
I confess I'm basically wholly uninterested in playing bugzilla-pong here, but I will correct a couple of the more egregious misconceptions below. I'm not sure why you find it so easy to jump to the conclusion that our decisions are motivated by malice or greed, I guess that part makes me sad, but mostly it just makes it very difficult to take your concerns seriously.
Among the highlights:
> 1) Green bar with "extended validation" (also significantly extended price and
> impossible to obtain for small business / non-profit organisations)
> certificates (produced by about twenty "oligopoly" vendors).
The Extended Validation guidelines explicitly outline issuing procedures for small businesses and non-profit organizations. Bugzilla is not a place to take up pricing issues you have with other companies, but some level of price increase is to be expected given that actual identity verification is being performed.
Membership in the group that defines these guidelines is open to any CA that wants to issue certificates meeting the verification requirements.
FYI: http://www.cabforum.org/documents.html
> This clearly lowers security for the user, because very few sites use
> certificates with extended validation, and many more sites use self-signed
> certificates (that still prevent eavesdropping).
Not really. Because a self-signed certificate has (by definition) no pre-existing trust relationship, it is impossible to tell whether the certificate presented for a site is that which the site owner intended or one presented by an attacker, given that an attacker's cert can be identical outside of key material, making eavesdropping trivial. Of course, since Firefox 3 asks you to explicitly add an exception for a given self-signed cert, we *can* make that determination on future visits, since we know the precise key you have chosen to trust, and an attacker cannot spoof that.
> However, with new Firefox
> behaviour, it is right now preferable to use no encryption (SSL) at all,
> because it does not present the user with a security warning (although everything is
> sent insecurely in plain text).
Unless you care at all for your users, sure. If you want to focus on sites that don't care about their users or their information, then I'm not sure how you think any crypto will help, but in the event that I grant the hypothetical, it's worth noting that various CAs in our root program (e.g. StartSSL) offer free certificates, so I'm not sure I understand the perceived burden here.
> Also, there is no way to establish whether any of the approved certificate
> authorities are really that secure (or whether the user should rather believe a
> self-signed certificate produced by his local university or certificate
> verified by e.g. Starfield Technologies),
One of the nice things about EV certificates is that they have specific third party audit requirements so that there is a clear way to establish that the certificate authorities are really that secure. And of course a user is welcome to extend trust to other CAs of their choosing, or remove trust from the CAs we ship by default. You can find these capabilities under advanced options->certificates.
> yet Firefox forces "normal" users to
> accept only certificates from companies who (probably) very much support
> Mozilla foundation.
That's pretty fucking offensive. The Mozilla project, foundation, and corporation do not, and will not, accept money or other considerations for inclusion into our root program. We are a public benefit organization chartered to make the internet a better place, and we try pretty hard to do that. It's okay for you to have different (informed, constructive) opinions about the best ways for us to direct our efforts, but it's NOT okay to use bugzilla as a place for temper tantrums and impugning the integrity of the people who work to make Firefox better.
Resolving INVALID.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID
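As an added example (not Firefox's own code and not part of this bug thread), the following Python models the mechanism comment 1 describes: a certificate that no trusted CA vouches for cannot be authenticated on the first visit, but once the user has explicitly stored an exception, the browser knows the exact certificate that was accepted and can detect a different one on a later visit. The host name, the exception-store class and the certificate byte strings are constructed for the illustration; the byte strings stand in for DER-encoded certificates and are not real ASN.1.

```python
"""Trust-on-first-use (TOFU) exception store for certificates that fail
chain validation (self-signed, or issued by a CA not in the root store).

Hypothetical illustration: ExceptionStore, the outcome constants and the
sample host are assumptions made for this example, not Firefox internals.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Outcomes a UI would map to "add exception", silent success, or hard error.
FIRST_VISIT = "untrusted-cert-no-exception"     # nothing to compare against yet
PINNED_OK = "exception-matches-pinned-cert"     # same cert the user accepted
KEY_MISMATCH = "exception-exists-but-cert-changed"  # possible active attacker


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes; any change of key or contents
    yields a different value, so this is what the exception is pinned to."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class ExceptionStore:
    # (host, port) -> fingerprint of the certificate the user chose to trust
    pins: Dict[Tuple[str, int], str] = field(default_factory=dict)

    def add_exception(self, host: str, port: int, cert_der: bytes) -> None:
        """Record an exception; in a browser this runs only after the user
        has gone through the explicit 'add exception' flow."""
        self.pins[(host, port)] = fingerprint(cert_der)

    def check(self, host: str, port: int, cert_der: bytes) -> str:
        """Classify a certificate that already failed CA chain validation."""
        pinned = self.pins.get((host, port))
        if pinned is None:
            # No prior relationship: we cannot tell the site owner's
            # certificate from one an attacker substituted in transit.
            return FIRST_VISIT
        if hmac.compare_digest(pinned, fingerprint(cert_der)):
            return PINNED_OK
        # Exception exists but the certificate differs: either a legitimate
        # renewal or an attacker's certificate; either way, do not proceed
        # silently.
        return KEY_MISMATCH


def simulate() -> List[str]:
    """Three visits to one constructed site: first contact, a return visit
    with the accepted certificate, then a visit where the certificate differs."""
    store = ExceptionStore()
    site = ("www.example.test", 443)  # constructed host name
    # Constructed stand-ins for DER-encoded certificates (not real ASN.1).
    original = b"CONSTRUCTED-CERT:www.example.test:key-A"
    replaced = b"CONSTRUCTED-CERT:www.example.test:key-B"

    results = [store.check(*site, original)]   # FIRST_VISIT
    store.add_exception(*site, original)        # user accepts the exception
    results.append(store.check(*site, original))  # PINNED_OK
    results.append(store.check(*site, replaced))  # KEY_MISMATCH
    return results


if __name__ == "__main__":
    for step, outcome in zip(("first visit", "return visit", "changed cert"), simulate()):
        print(f"{step:>13}: {outcome}")
```

The example pins the fingerprint of the whole certificate, so a legitimately renewed certificate also trips `KEY_MISMATCH` and has to be accepted again; pinning the public key instead would survive renewals that keep the same key, at the cost of not noticing other changes to the certificate. Either way, the first visit remains the window in which an active attacker could substitute a certificate undetected, which is the point comment 1 makes about why a self-signed certificate alone does not authenticate a site.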