Bug 443100: Don't say "identified itself correctly" for servers using invalid certs.
Status: RESOLVED DUPLICATE of bug 1201437
Opened 17 years ago; closed 10 years ago
Product/Component: Core :: Security: PSM (defect)
Reporter: bugzilla, Unassigned
Attachments: 3 files
When we connect to an SSL-enabled site, we'll see a dialog saying:
You have requested an encrypted page. The web site has identified itself correctly, and information you see or enter on this page can't easily be read by a third party.
or
You have requested a page that uses low-grade encryption. The web site has identified itself correctly, but information you see or enter on this page could be read by a third party.
In the above messages, Firefox says "identified itself correctly", which means the SSL server certificate is VALID. But this same message is shown even when the server uses INVALID certificates, if the user has accepted the invalid certs.
Steps to reproduce:
1. Turn the "I am about to view an encrypted page." setting on.
# this setting is in Option -> Security -> Warning Messages -> Settings...
2. Go to a site using invalid certs (self-signed certs etc.) like:
https://www-firefox3.authstage.mozilla.com/en-US/firefox/
https://www.pref.saga.lg.jp/
3. You'll see an alert saying:
~~~~~ uses an invalid security certificate.
4. Add Exception
5. Go to the site again
6. You'll see a Security Warning saying:
You have requested an encrypted page. The web site has identified itself correctly, ...
# same message for site using valid certs.
Expected Results:
Firefox should show a different message for sites using valid/invalid certs even when the user has already accepted the invalid certs.
We should show this message for sites with invalid (but accepted) certs:
You have requested an encrypted page. The web site has identified itself with invalid certificates but you already accepted it as a security exception, and information you see or enter on this page can't easily be read by a third party.
Note:
The user has accepted the invalid certs as valid ones in step 4, so this message is not logically wrong. But users cannot distinguish valid/invalid certs once they add an exception. Users may feel that the certs they accepted are valid and that there is no need to care about the danger of a security exception.
Background:
Some websites are using invalid certs (self-signed certs, domain mismatch etc.) and they say that their certs don't have a problem and users should accept them.
They write documents about how to accept the invalid certs as an exception.
Some users will accept invalid certs as they need to access the site (but it's completely wrong for security).
We should keep warning about security exceptions to protect users and not make users misunderstand cert validity.
Comment 1 (Reporter) • 17 years ago
I think current Firefox security policy is:
Once the user has accepted the invalid certs, Firefox will treat them the same as other valid certs. So the same message saying "identified itself correctly" is used.
This bug is requesting:
Firefox should keep warning about security exceptions for invalid certs even when the user has accepted them, since some users, especially beginners, cannot understand the security problem of accepting invalid certs. They may suffer from phishing sites.
At least, we should not make users misunderstand cert validity, to protect beginners from phishing sites.
Updated • 17 years ago
Assignee: nobody → kaie
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm
Comment 2 • 17 years ago
The process of adding an exception is, by definition almost, an assertion like:
"This certificate can be used to identify this site. Even though no trusted CA has made that attestation, I trust this certificate to identify this site."
Once that decision has been made, my opinion is that there is little difference between the two in terms of "trustworthiness." Typical CA verification for a DV certificate is to just confirm ownership of the domain - that is, it establishes a trusted binding between a domain name and ownership of a given certificate (and associated private key). That is precisely what the security exception mechanism does as well. Either you trust that a given cert is being used by the intended site owner, or you do not.
I appreciate the distinction you are trying to make, but I think that making that distinction in the UI means code change (and associated risk) as well as potential for more user confusion. I'd like to hear Kai's reaction here, but my inclination is to leave things as-is.
Comment 3 (Reporter) • 17 years ago
To make this bug easier to understand:
This is the dialog you'll see in step 6.
Comment 4 (Reporter) • 17 years ago
Comment 5 (Reporter) • 17 years ago
Comment 6 (Reporter) • 17 years ago
Thanks for considering this.
There was one thing I didn't mention in the first post:
As you can see in the (2nd & 3rd) screenshots, the page info for a site using invalid but accepted certs says:
"This web site provides a certificate to verify its identity."
And at the same time, if the user clicks the [View Certificate] button, the cert info dialog says:
"Could not verify this certificate for unknown reasons." etc.
These two messages look incoherent and confusing to general users.
Yes, I know they are not logically wrong, and why they look incoherent:
The page info dialog is talking about whether the cert is *trusted by the user* or not.
The cert info dialog is talking about whether the cert is valid in the PKI system or not.
But users cannot understand this and will be confused. If users see confusing (or difficult to understand) messages too many times, eventually they may ignore (or stop caring about) security warnings.
IMHO we should take care of this problem at once as a whole UI re-check relating to invalid security certs.
Comment 7 (Reporter) • 17 years ago
(In reply to comment #2)
> The process of adding an exception is, by definition almost, an assertion like:
>
> "This certificate can be used to identify this site. Even though no trusted CA
> has made that attestation, I trust this certificate to identify this site."
Yes, I agree and understand it. The current Firefox policy is to treat an accepted cert the same as a valid one since that's the user's decision.
But the concern about this is:
Was the user's decision really made with enough understanding of what they are doing? Users may simply have been required to, or have followed the procedure written on the site, without understanding the risk of accepting invalid certs.
Firefox 3 will show a clear message when the user adds a security exception. But actually, even if we make clear alerts for users, some of them (beginners) will not understand and will just follow what the site requires of them.
For example, there are already sites with very careful guides on adding their certs as an exception.
http://www.aka-hoshi.net/goriyou/index02.html
# sorry, this site is in Japanese. I don't know of an English example.
It's clear that the site is wrong, but actually quite a few sites, including some government-related sites, are using invalid certs. It's quite a pity but that's the fact, and as the most secure, easy-to-use browser, IMHO we should care about users who accepted certs without enough understanding.
(In reply to comment #2)
> I appreciate the distinction you are trying to make, but I think that making
> that distinction in the UI means code change (and associated risk) as well as
> potential for more user confusion. I'd like to hear Kai's reaction here, but
> my inclination is to leave things as-is.
I can understand that it's very difficult to make a whole product UI that is consistent, easy to understand, and does not make users misunderstand.
I agree we must be very careful about UI changes in the security area.
# I've been working on whole-product l10n since Fx/Tb 1.0 and I'm one of the people
# who know enough about the difficulty of making a consistent UI
But I believe security, especially for beginners, is one of the top priorities of Firefox, and re-checking/reconsidering the security policy/messages/UI about cert validity is worth doing for the future.
If the only reason to keep this as-is is the risk of changing security things, we should reconsider. Firefox's current UI for security is much better than the Fx2 one but still not the best/perfect one. We should keep trying to make it better and better, shouldn't we?
I can understand this work will cost a lot, and of course this is not an order or a requirement, but if you agree with me about the worth of re-checking the whole UI, let's do it.
Whether this is included or not, we have to re-check the security-related UI since the current UI has some problems (not critical but confusing). I believe there are more UI messages we should make clearer, and I think it's better to review the whole security-related UI.
# see also bug 424182
Note:
This bug is an escalation from the Japanese l10n community. At least 4 active l10n contributors are requesting to change the message in the Japanese L10N. But I rejected the request since we must not change security policy by Japanese-only L10N and this must be handled as a global problem.
I'm writing on behalf of our contributors and that's why I write long comments. Sorry for my long post.
Thanks.
Comment 8 • 17 years ago
In my opinion it can be helpful to remind the user that a shown certificate was explicitly trusted by the user.
Comment 9 • 17 years ago
I don't agree with the thought:
"the user added an override but didn't understand"
We don't know whether the user understood (or not) at the time of creating the exception.
Having said that, there might be mechanisms, especially when using extensions, that might have configured a security exception without a user's explicit/interactive approval (although that's frowned upon).
Therefore I think it would be helpful to be more descriptive when showing certificate validation status.
If someone chooses to implement a patch, this should be done at the PSM security code level, so that all applications benefit.
Comment 10 • 17 years ago
Regarding the subject of this bug, which is currently:
"Don't say "identified itself correctly" for servers using invalid certs."
I disagree in this detail.
After a user has added an override, the site IS identified correctly.
It is debatable whether to say something like "verified by Verisign".
If an exception is in place, it might make sense to say who really approved this certificate, and in the override case, it's the user.
If you want to work towards such a solution (naming the user as the approving entity) the subject of this bug should be adjusted accordingly.
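The idea raised in comments 8 to 10, reporting who approved the certificate, sketched as an added example (not Firefox or PSM code, and not part of any comment). The exception store keyed by host and port with a SHA-256 fingerprint, and every name and message string below, are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    host: str
    port: int
    cert_der: bytes   # certificate bytes the server presented
    chain_ok: bool    # True if normal PKI validation to a trusted CA succeeded
    issuer: str       # issuer name to show when chain_ok is True


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the presented certificate."""
    return hashlib.sha256(cert_der).hexdigest()


def identity_status(conn: Connection, exceptions: dict) -> tuple:
    """Return (approved_by, message) so the UI can name who vouched for the cert.

    exceptions maps (host, port) -> fingerprint the user accepted (assumed layout).
    """
    if conn.chain_ok:
        return ("ca", f"Verified by: {conn.issuer}")
    accepted = exceptions.get((conn.host, conn.port))
    if accepted is not None and accepted == fingerprint(conn.cert_der):
        # Trusted only because of the user's own decision: say so.
        return ("user", "Verified by: you (security exception)")
    # No exception, or the site now presents a different cert than the one accepted.
    return ("nobody", "Not verified: certificate is not trusted")


# Constructed sample data: placeholder bytes stand in for DER certificates.
SELF_SIGNED = b"constructed-self-signed-cert"
REPLACED = b"constructed-different-cert"
EXCEPTIONS = {("intranet.example", 443): fingerprint(SELF_SIGNED)}

if __name__ == "__main__":
    for cert in (SELF_SIGNED, REPLACED):
        conn = Connection("intranet.example", 443, cert, False, "")
        print(identity_status(conn, EXCEPTIONS))
```

The second sample connection shows the case the wording discussion does not cover: an exception bound to one certificate does not vouch for a different certificate presented later by the same host.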
Comment 12 • 10 years ago
Thanks for filing the bug. It looks like this was addressed in Bug 1201437.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE