Closed Bug 528764 Opened 16 years ago Closed 16 years ago

Self signed certificates dialog

Categories: Firefox :: General, defect (priority not set, severity normal)
Tracking: RESOLVED DUPLICATE of bug 433422
People: Reporter: aragorn, Unassigned

Details
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.14) Gecko/2009090216 Ubuntu/8.04 (hardy) Firefox/3.0.14
Build Identifier:

There is a conceptual flaw regarding SSL certificates that is being exasperated by Firefox's warning regarding self-signed certificates. If the certificate is self-signed, and is for that domain, then a very different warning should appear stating the following:

1. This website is using a self-signed certificate, which means that the entity in control of this website has created an SSL certificate for it, rather than using one of the popular CAs.
2. Your connection will still be encrypted if you continue, and those snooping on your internet connection won't be able to decode it (unless your computer has been infected by a virus).
3.
4. Many large companies used self-signed certificates for years (microsoft.com). This site probably poses no security risk to you; however, double-check that the domain name is really the site you expected to be visiting before continuing.
5. Even with a trusted CA, there is little stopping someone from registering and obtaining an SSL certificate for domains like chase-loans.com, banchofamerica.com, or even boa-cardsrv.com.

Self-signed certificates that change every month are far more secure than a static certificate that remains unchanged for years. Given enough data (especially if part of the content of the clear-text data is known) and time, it is possible to determine the private key which was being used to encrypt that data.

These dialogs for SSL certificates do not improve the security of users. In fact, they lull people into a false sense of security. Phishing and attack-site notices are fine enough. So, fine, keep the dialog, but don't make it look so hostile, and have it actually explain what's REALLY going on. Self-signed != Invalid.

The chances are, those idiots who need these types of warnings to protect their information have already installed some software or toolbar that compromises their security.
Reproducible: Always
1) You cannot be sure that an attacker (MITM) created the self-signed certificate, and there is an example where an attacker did exactly this.
2) security != encrypted. Why do you need encryption if you get no security from this encryption?
4) Double-checking doesn't help (MITM).
5) is wrong: the CA would stop it, and if not, it would be removed from the root CA store in Mozilla.

Marking as dupe of bug 433422.
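The following Go program is an added illustration of the disagreement above; it is not code from this bug, from Firefox, or from NSS. It constructs two self-signed certificates for the same constructed hostname (intranet.example) under two independent keys. Both are self-signed, both pass the hostname check, and neither chains to any root, so a browser checking only "self-signed and for this domain" (the reporter's proposed test) cannot tell them apart; that is the substance of point 1) in the reply. What does tell them apart is a fingerprint recorded earlier out of band, or an explicit trust-store exception for one of them, which is what a browser's "add exception" does. The classify function also makes the separate self-signed / untrusted-issuer / hostname-mismatch distinction the report asks the dialog to draw; its labels are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned builds a self-signed leaf certificate for host under a fresh
// P-256 key. Constructed test data for this demonstration only.
func newSelfSigned(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	// Passing the template as its own parent is what makes it self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// isSelfSigned: issuer equals subject and the signature verifies under the
// certificate's own public key.
func isSelfSigned(c *x509.Certificate) bool {
	if !bytes.Equal(c.RawIssuer, c.RawSubject) {
		return false
	}
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// fingerprint is the SHA-256 of the DER encoding: the value a user or a
// pinning store compares against a copy obtained earlier, out of band.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// classify draws the distinction the report wants the dialog to make. roots
// is the trust store; a certificate the user explicitly accepted lives there.
func classify(c *x509.Certificate, host string, roots *x509.CertPool) string {
	if c.VerifyHostname(host) != nil {
		return "hostname-mismatch"
	}
	if _, err := c.Verify(x509.VerifyOptions{Roots: roots}); err == nil {
		return "trusted"
	}
	if isSelfSigned(c) {
		return "self-signed-for-this-host"
	}
	return "untrusted-issuer"
}

func main() {
	const host = "intranet.example" // constructed hostname
	genuine, err := newSelfSigned(host)
	if err != nil {
		panic(err)
	}
	other, err := newSelfSigned(host) // independent key, same name
	if err != nil {
		panic(err)
	}
	empty := x509.NewCertPool()
	for _, c := range []*x509.Certificate{genuine, other} {
		fmt.Printf("self-signed=%v hostname-ok=%v class=%s fp=%s...\n",
			isSelfSigned(c), c.VerifyHostname(host) == nil, classify(c, host, empty), fingerprint(c)[:16])
	}
	// Only a fingerprint recorded earlier separates the two.
	pinned := fingerprint(genuine)
	fmt.Println("pin matches genuine:", pinned == fingerprint(genuine))
	fmt.Println("pin matches other:  ", pinned == fingerprint(other))
	// Accepting one certificate into the trust store (a browser exception)
	// makes that one, and only that one, verify.
	accepted := x509.NewCertPool()
	accepted.AddCert(genuine)
	fmt.Println("after exception:", classify(genuine, host, accepted), "/", classify(other, host, accepted))
}
```

Run it with go run; the two certificates print identical classification and hostname results and differ only in fingerprint, and after the exception the accepted one classifies as trusted while the other still does not.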
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE