Closed Bug 493911 Opened 15 years ago Closed 15 years ago

SSL Dialog for invalid or self-signed certificates is too complicated

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
minor

RESOLVED WONTFIX

People

(Reporter: c.mertins, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.1b4) Gecko/20090423 Firefox (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.1b4) Gecko/20090423 Firefox (.NET CLR 3.5.30729)

Hello,

Looking from the IE perspective, and being a longtime Firefox user, the SSL certificate dialog is getting more and more complicated to use.

In IE you just have to confirm that you are sure that you want to go to that page.

This started with FF 3.0, where you had to press multiple buttons to go to your page, and now in FF 3.5 you even have to expand areas of the page before you can do that.

For me it is particularly a problem, as I am working with different self-signed sites.

Is there any chance to go back to at least the FF 3.0 behaviour?

Kind Regards,
Christoph Mertins

Reproducible: Always

This is by design and wanted.
A simple dialog like IE2 or FF2.0 is very bad because most users tend to ignore such warnings and just click on "ok" without thinking about the issue.
On the other hand, self-signed certificates give you no additional security compared to simple http, only a false feeling of security.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → WONTFIX
WRONG!

SSL certificates give a false sense of security. There's nothing stopping someone from getting a SSL certificate for bachofamerika.com from a "trusted" CA. The only thing that encouraging people to not accept self-signed certificates does is force web site owners to pay a CA $100+ for a little file that cost the CA pennies to create and maintain.

> There's nothing stopping someone from getting a SSL certificate for bachofamerika.com from a "trusted" CA.

Try to get such a certificate from a CA that Mozilla.org trusts. (Your argument that anybody can get such a cert is wrong.)

Encryption gives you zero security if you don't know whether you are encrypting between you<->website or you<->attacker.
The trust chain is one of the key parts of SSL, and without it, encryption is useless.

You should read a little bit more about SSL, MITM, security audits for the CAs and all the other stuff before you add a comment because your comment looks like a troll comment.

Ask cacert.org why they still have no security audit. (Your penny argument is wrong.)
I've got a valid SSL certificate without paying anything. (Your $100 argument is wrong.)