Closed Bug 456986 Opened 16 years ago Closed 16 years ago

Big Usability Issue: "this web site does not supply identity information" for legitimate websites with valid SSL certificate

Categories

(Firefox :: Security, defect)

x86
Linux
defect
Not set
minor

RESOLVED DUPLICATE of bug 429021

People

(Reporter: firefox, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008070206 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008070206 Firefox/3.0.1

The "this web site does not supply identity information" message is displayed for legitimate websites that use a valid, paid-for SSL certificate.

I understand that "which is run by" information is only available to the new certificates (which, by the way, cost three or four times more than regular ones).

However, I will argue that this is a major usability issue that could make a legitimate website seem like some spammy, untrustworthy phishing website...

I will further argue that Mozilla Corp. supports manufacturers of the new EV SSL certificates, thus forcing website owners to buy overpriced certificates that cost 400 EUR instead of the 90 EUR classic ones.

Otherwise, Firefox will display the information "this web site does not supply identity information" that makes a legitimate website look like an untrustworthy one.

Reproducible: Always

Steps to Reproduce:
1. Go to https://bugzilla.mozilla.org/
2. Click on the website icon in Location bar
3.
Actual Results:  
this web site does not supply identity information

Expected Results:  
identity of the website owner is displayed even for classic (not ev SSL) certificates
You may want to read http://www.gerv.net/security/self-signed-certs/
Assignee: nobody → kaie
Component: General → Security: UI
Product: Firefox → Core
QA Contact: general → ui
Thanks for the link, interesting reading. However, the certificate I am talking about is not self-signed, it is a certificate from a well-known authority (e.g. Verisign, Comodo or whatever).

And EV SSL does not change anything - for example we were required to send documents confirming organization foundation with the local state office even before any EV SSL existed! Same, when there was a change regarding address etc., we were asked to provide official documents.

PS: Don't forget that even "official" documents can't be photoshopped on the way, since you are basically just sending scanned copies of whatever documents the certificate issuer wants...

Discriminating against classic SSL just brings suspicion from the user, as suddenly the formerly trustworthy certificate is marked as "run by Unknown"!
Maybe one more interesting question: Would Mozilla Corp. be eager to include a new certificate authority based on an open (or low-cost, if you want) model, e.g. charging just a few dollars as opposed to the horribly overpriced 400+ EUR certificates other commercial entities charge?
http://startssl.com is included and you can get a certificate for free. (it's listed in my link from comment #1)
Any CA can be included and Mozilla.org doesn't want money for that.
Read the policy for adding such a CA here:
http://www.mozilla.org/projects/security/certs/policy/

The article from comment #1 is about self-signed certificates, but there is a section about EV certs and why they should be "more secure".

>Discriminating against classic SSL brings just suspicion from the user as
>suddenly the former trustworthy certificate is marked as "run by Unknown"!

There is no information in the classic certificate itself about who runs a site. This information is only added in an EV Certificate.
 
>And EV SSL does not change anything - for example we were required to send
>documents confirming organization foundation with the local state office even
>before any EV SSL existed! Same, when there was a change regarding address
>etc., we were asked to provide official documents.
Then there should be no problem getting an EV cert for the same price, if you are already doing that for the same price.
Hi Dan,

Some of the points Matti makes are correct, but I don't want to confuse the issue, so let me try to clear up a couple things.  You sound like you know what you're talking about technically, so I apologize if this is review, but I want to make it clear.

First off - you're certainly right that your CA may have requested extra information from you before issuing your certificate, and indeed information about your organization's identity might have been included in the certificate.  What is unfortunate is that, prior to EV, there was no standard for comparison, no way for us to say "Yes, adequate care was taken in this case to verify the information presented" versus "No, this certificate includes a business name, but the procedures for verifying that information are flawed."  In the pre-EV world, these high-quality, Organizationally Validated (OV) certificates were substantially, if not entirely, indistinguishable from basic, Domain-only Validated (DV) certificates.

Historically, of course, Firefox didn't include a site button with identity information about the site - just a little padlock icon that didn't tell you who you were dealing with, or what level of quality that information had, just that you had an encrypted connection, and again, it did that regardless of whether the certificate was DV or OV.  It's clear that you see the value in having that information in the certificate, so I hope you can understand why we were keen to expose known-good information to the user.  When we helped write the EV guidelines, it was so that we could get out of this ridiculous situation of having you provide information to a CA in order to get a high-quality certificate, but us being unable to distinguish it from low-validation certs.

Now that EV is out though, people like yourself are understandably annoyed that your old cert doesn't pass the test.  This is the legacy we have for 15 years of undifferentiated market, and it will take a couple years to get past it.  What I would suggest to you is that the work you have done should get you most of the way to EV-level verification, and that it's worth taking it up with your CA as to what kind of consideration they can offer to the work already done, towards upgrading your cert to one that we *can* recognize as being of a distinctly higher grade.

I know that's not exactly a solution to your problem, but I hope it at least explains the current situation a little better?

There are a couple of other points I wanted to address though:

 - As Matti says, the Foundation's policies for CA entry into our root are public and we don't take any money or anything for entry.  The requirements do include the need for auditing issuing practices, and for a CA that wants to issue EV certificates, obviously that audit will need to be quite comprehensive.  It would surprise me if a CA was able to perform the necessary verification work for EV certificates economically, selling them for only a couple dollars, but in any event, our concern is with the quality of the certs and the verification process, not with the business model.

 - You suggest that you are seeing "this web site does not supply identity information" for https://bugzilla.mozilla.org.  That is not what should be displayed there.  The correct display (and what I currently see) is the blue-backgrounded button, with the text:

"You are connected to:
mozilla.org
which is run by
(unknown)

Verified by: Equifax"

If you are seeing the gray button and the "does not supply identity information" message on bugzilla, there may be an unrelated bug here.  If you are seeing this on other sites, your own perhaps, but not on bugzilla, then it is possible that the situation is one of mixed content.  If a site is served over SSL, but includes other content (scripts, images, etc) from http, the integrity of the link is compromised, and we can no longer be confident that you're seeing the page you should be.  In those circumstances, we return to the "does not supply identity information" message, since there is no identity information we can be confident of, in the case where a vulnerable script may have defaced or altered the page.
Assignee: kaie → nobody
Component: Security: UI → Security
Product: Core → Firefox
QA Contact: ui → firefox
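Jonathan's comment above describes the mixed-content case: a page served over SSL that pulls scripts or images from plain http, which makes Firefox drop back to the "does not supply identity information" wording. The following is an added example, not Firefox code or anything from this bug, of how a site owner can audit a page for such subresources before blaming the certificate. The tag/attribute list, the page URL and the HTML snippet are all constructed for the example; the real browser's list of fetched attributes is longer.

```python
"""Audit an HTTPS page for subresources fetched over plain http:// (mixed content).

Added example using only the standard library. The SUBRESOURCE_ATTRS table is
an assumption of this example, not the browser's definitive list.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags and the attributes on them that cause a subresource fetch (assumed list).
SUBRESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
}

# Resources that can run code or restyle the page; their compromise alters
# the page itself, which is the case Jonathan describes as "defaced or altered".
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "link"}


class _SubresourceCollector(HTMLParser):
    """Collect (tag, attribute, absolute URL) for every subresource reference."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        attr_map = dict(attrs)
        for name in wanted:
            value = attr_map.get(name)
            if value:
                # urljoin resolves relative and protocol-relative ("//host/x")
                # references against the page URL, so only explicit http://
                # references come out with scheme "http".
                self.found.append((tag, name, urljoin(self.page_url, value.strip())))


def find_mixed_content(page_url, html):
    """Return the subresources of an https page that are fetched over plain http."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over https")
    collector = _SubresourceCollector(page_url)
    collector.feed(html)
    collector.close()
    findings = []
    for tag, attr, url in collector.found:
        if urlsplit(url).scheme == "http":
            findings.append({
                "tag": tag,
                "attr": attr,
                "url": url,
                "kind": "active" if tag in ACTIVE_TAGS else "passive",
            })
    return findings


# Constructed sample: a checkout page with two insecure references mixed in.
SAMPLE_PAGE_URL = "https://shop.example.test/checkout"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example.test/analytics.js"></script>
<script src="//cdn.example.test/jquery.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<img src="/static/secure.png">
<iframe src="https://pay.example.test/frame"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{f['kind']:7} <{f['tag']} {f['attr']}> {f['url']}")
```

On the constructed page only the analytics script and the logo image are flagged: the relative stylesheet, the protocol-relative jQuery reference and the https iframe all resolve to https and are fine. The "active" findings are the ones to fix first, since an altered script can rewrite the whole page.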
Hi Jonathan,

I really appreciate your thorough post that cleared things a bit.

I probably mixed a few things up a bit - I now only see "which is run by Unknown", but I am sure I have seen the message in the bug description as well here somewhere.

What I meant by starting this thread/bug was to create discussion regarding the issue of wording used. I understand that the basic difference between EV and classic cert is that EV requires registration documents (or such) officially and that confirms the identity.

However, I would be glad to see different wording used for "which is run by Unknown", since that could lead users to think that the legitimate site could be untrustworthy. I understand that time is needed to get over the classic certificates and get widespread use of EV SSL. But until the last classic SSL cert is changed to EV SSL, there should be different wording used.

Maybe the "Unknown" could be changed to WHOIS admin info or some other word could be used to describe that the site is probably legitimate (for example Comodo assures identity of our organization up to $10.000 and displays our identity via some small Javascript block on mouseover).

Nonetheless, I am sure you had been discussing the wording used before the Firefox 3 release; however, I would like to see further discussion regarding the issue. I am certainly not the only one who is concerned about the users not trusting the site with the blue passport icon instead of the green one.

Please, feel free to comment on my proposal or bring more light into why it was decided to use "Unknown" even for (quite) expensive certificates issued by companies such as Verisign, Comodo, Thawte etc.

PS: I quite like the new concept of self-signed certificate exceptions (add or go away) introduced in Firefox 3, so this is not an issue here.
OK, I have found where the "This web site does not supply identity information." text comes from. It is shown when you click on the website icon, then click on "More information" and then see "Owner:" field.
As for the Bugzilla thing, that was occurring a few days ago, and had been for about a week. I was seeing the warning icon where the padlock was on the lower right corner. Now, I am just seeing a clear padlock, so that should be resolved (though maybe worth looking into). It does belong with a different bug if it was anything though.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE