Closed Bug 442658 Opened 16 years ago Closed 16 years ago

Invalid certificates warning should be configurable

Categories

(Firefox :: Security, defect)

x86
All
defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: gaspard.alizan, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9) Gecko/2008052906 Firefox/3.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9) Gecko/2008052906 Firefox/3.0

When using many self-signed certificates (more than 300 hundred), it is very annoying to click so many times.
Security justifies the new way of warning, but web developers should be able to configure a very simple way to add exceptions (like FF 1.5) for self-signed certificates.
"browser.xul.error_pages.expert_bad_cert=true" and "browser.ssl_override_behavior=2" are not a solution; it represents a regression for web devs.


Reproducible: Always

Steps to Reproduce:
1. Use a self-signed certificate on a web site
2.
3.
Actual Results:  
3 or 4 clicks to get access to web site

Expected Results:  
1 click to access web site

Adding an option like "browser.invalid_certificate_simple_warning" could be an idea.

I think it's better to make 2-3 clicks once per site than 1 click every time you visit each site.

My personal use is that the servers are re-installed for test every 2 or 3 days. The certificate is regenerated every time, so it's more for a temporary user's agreement than for a permanent one (that some other users would maybe prefer).

But may I redefine the request as:
Since some users are aware of the risks and many forums speak about it (it could be a very popular option), is it possible to add an option "Simple invalid certificate warning" (maybe only available in "about:config", to be sure the user is at least minimally aware of what he's doing)?

Why are you using SSL at all, then?

Traffic has to be encrypted.

But this is only a detail. Other users have other arguments for a simple invalid cert warning.
Like: "Is Firefox free enough to let users make their own choice, or will they forever be treated like kids and forced to 'click,click,click,click,...,click'?" which is not very productive ;-)

What are you gaining by using encryption without authentication?

There IS authentication. It is a web frontend admin tool for Linux dedicated servers.

How is the web site authenticated to you?
(In reply to comment #4)
> Traffic has to be encrypted.
> 
> But this is only a detail. Other users have other arguments for a simple
> invalid cert warning.
> Like: "Is Firefox free enough to let users make their own choice, or will they
> forever be treated like kids and forced to 'click,click,click,click,...,click'
> ?" which is not very productive ;-)
 
I think you would agree that this is a pretty silly argument.  We aren't talking about "freedom to choose" here, we're talking about the difference between one click and two clicks, given the preferences you cite.  I appreciate that you are making arguments based on a practical application, not based on using very big language to describe a very small thing.


(In reply to comment #6)
> There IS authentication. It is a web frontend admin tool for Linux dedicated
> servers.

Jesse's point is that in an environment where you accept that the cert will change every few days and are seeking a way to (ahem) "knowingly" click through the warnings, there is no authentication that you are in fact talking to the right server.  At any point, in such an environment, I could insert a man in the middle attack, begin masquerading as the server using my own self-signed certificate, and count on you to ignore it, given your willingness to click-through the warnings and, indeed, your desire to find a quicker way.

That was Jesse's point, but it isn't really the issue here - how you choose to deploy and maintain your own environments is up to you and you should do whatever you feel is appropriate.  The issue here is whether or not, in addition to the multiple preferences that already exist to manipulate the exception behaviour, we want to add another one, to remove another click.

I don't believe we do.  There are add-ons that will subvert the error pages if that's your intent, but putting this kind of thing into the browser itself would suggest that we consider this a valid and reasonably common use case.  The beauty of the extension system is that people whose needs fall outside the common path can have a mechanism for changing their browser to suit them, and that is the approach I recommend here.  Adding another pref to the core code (even in about:config) means extra maintenance, extra potential bug surface - it doesn't come without a price.  Given that we don't think this is a desirable outcome to be encouraging, we are unlikely to ever choose to pay that price. 

Resolving this bug WONTFIX.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → WONTFIX

I understood that Jesse explained the man-in-the-middle attack to me. I notice also that you have very many tickets in your bug tracker (much more than what I see in my work).
I've searched about this and found many comments/complaints about it, so it was natural that I came here to file what I thought to be a justified ticket (I wasn't the only one who needed it).
Actually you are completely right, an add-on is my solution, since most people won't need this.
I only missed it.
Thank you