Friday, 22 August 2008

Firefox 3 ACHTUNG ACHTUNG self signed certificate

Lately, as a techie geek, a very minor thing has annoyed me. (Non-techies can switch off now.)

Firefox 3 was launched a few months ago, and it is a great evolution in the subject of browsers. The progression in security and anti-phishing is very laudable. But one thing really annoys me (hence this post):

The huge ACHTUNG ACHTUNG process when encountering a site that uses a self-signed certificate for SSL. And the reasoning and responses given for why this is so.

A self-signed certificate is an SSL certificate for encrypting traffic to, and authenticating, the site you are visiting. Self-signed means that the certificate has not been signed by a 3rd party (at least not one your browser knows), so the site's identity cannot be guaranteed. However the traffic is still fully encrypted.

Banks, web shops, medium to large businesses and high volume web sites have no reason to use self-signed certificates. They can afford the costs and effort of setting up properly authenticated certificates. Expired and invalid certificates should not be accepted from them.

However for smaller organisations, charities, tiny businesses, personal sites and applications, self-signed certificates are a great help. They are free and ensure encryption.

I have perhaps 50-odd tiny applications and web sites on a range of domains. I am not about to hand over $500-5000 a year to some 3rd party racketeering company to secure and authenticate all these sites. Especially as I probably make only about $100 a year on them, mostly from ads!

Yes, some of the sites are only used by me and a limited, known user group, so the warning is short-lived. However many of them are for the general public, and need volume to make any money or to be of any interest. If any becomes a huge success, then I can get a decent certificate, but most of them never will be. Nor will the rest of the web with similar issues to mine.

So what is the problem with Firefox 3?

When encountering a self-signed certificate, the new version of Firefox displays a full page alert. This ACHTUNG, ACHTUNG alert, in striking yellow with a policeman stopping you, is quite off-putting. To still view the site you have to go through 4 clicks of yes, really yes, accept etc.

The previous version, Firefox 2, displayed a pop-up box where you could view the certificate and reject or accept it. Other browsers display similar warnings, but not quite as rigorous as FF 3's, which is not necessarily better.

With this new warning page, the majority of casual web users will either be put off by the effort needed to enter the site, or scared off by the warning. The minority of users who are technologically savvy will not be put off by the alerts, and will still be able to view the site. Also the users who are very specifically interested in the site will perhaps ask for assistance first, but may still view the site. Depending on who your target users are, the majority may now never visit your site/app, or will already be slightly peeved.

So Firefox 3 is, by its actions, recommending that web sites not be encrypted.

Why the new warning?

The reasoning for a warning is that the site cannot be authenticated, so it may be a phishing attempt and/or a Man in the Middle Attack may have occurred. The new extended process is so that users are more aware of this than previously.

Valid points, and I believe users should be informed somehow. However I do not agree that the scale of the warning is justified, and it creates a huge hindrance for many valid web sites.

Benefits and risks of using certificates

If the site has a 3rd party signed certificate, which all important sites should have, especially where money changes hands, then only a valid signed certificate is acceptable. Fair enough. But 3rd party signing does not guarantee authentication: you may still have mistyped the url, the 3rd party may not have rigorously checked the authenticity of the site before signing the certificate, etc. But it is usually a safe bet that it is secure.

Expired or invalid certificates for important sites are not acceptable either. But again, for the less important, less resource-rich people and organisations, they should be to a degree. At least the site is authenticated. But for general web sites, these certificates show laxness on behalf of their IT, and should be noted in some way.

Self-signed certificates are great in ensuring encryption. This prevents network snooping of passwords etc., which is very easy to do. Yes, it cannot authenticate the site, and a Man in the Middle Attack is possible if it is the first time you visit the site. However Man in the Middle Attacks are extremely rare and difficult to do. Self-signed is not for banks etc.

Changed certificates. Sometimes, for valid reasons, a certificate is changed, e.g. when the old one expires. This should be warned of, and yes, especially for self-signed certificates, a big alert warning should be prompted.

No certificate, as in plain http, unencrypted traffic. I believe we should use SSL/TLS as much as possible. When you need to log on in any way, the site should be encrypted. Any data specifically to/about you sent over the net should not be able to be snooped on by casual listeners.

Developers' responses and people's comments

What also really annoyed me is the reasoning by developers and the advocacy in people's comments on articles about this warning.

They say it is better to block people than to allow access to unauthenticated sites. Or that people really need to be warned, and if they are not smart enough then too bad. Which is just bad business and ignorant.

Or that there is no excuse not to cough up for certificates, and that self-signed sites do not deserve any pity. Well, that is okay for rich people, but not for me, and not for the millions of tiny sites that make up the majority of the web!

Or the typical techie replies that the warning is no problem, only a few clicks, and they really like the information etc. Which is again ignorant of the huge portion of users who will be terrified by this unfriendly warning.

Or that Man in the Middle Attacks are really dangerous and should be prioritised over any usability. No, MitM attacks are rare, very rare. Yes, important to protect against, but we should not stop people using the web by doing so.

Or that unauthenticated SSL is worse than plain http because it may give an impression of being authenticated. No, plain unencrypted http is terrible, as snooping is easy and common. It really is a problem with how browsers show the distinction between unauthenticated and authenticated sites, not with the sites.

The outcome and my suggestions

The current police warning by Firefox 3 is a very bad solution. It will cause:
* Many self-signed sites to convert to unencrypted.
* Easier snooping of people's passwords as sites go unencrypted.
* Some self-signed sites to purchase certificates.
* Loss of information spread, ad revenue and business for small sites.
* Loss of confidence in Firefox's progress on usability.

What Firefox needs to do is distinguish the different states of certificates (which it already does to a degree).

Signed 3rd party certificates.
Display the new signed favicon as it does, with the lock in the status bar etc. No problems with it.

Expired or invalid signed certificates.
Warn but allow access.

Changed signed certificates.
No warning.

Self-signed certificates on 1st encounter.
Warn but allow access. But not the ACHTUNG ACHTUNG approach. A simple change of icon to a red broken lock, as in previous Netscape versions, is enough information. A cleaner drop-down bar, like the new remember-password bar, allowing import of the certificate, inspection, and links for more information, would be much better. Maybe colour the location bar red till the certificate is accepted. If it is not accepted, the certificate is not kept once the session is over.

Self-signed certificates on re-encounter with a previously accepted certificate.
No warning. Just the red lock. Or with a question mark over the favicon.

Changed self-signed certificate.
A big alert warning, as noted above.
No certificate, unencrypted.
Maybe this should be changed to show users that it is not secure in any way?!
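The states above amount to a trust-on-first-use policy: remember the self-signed certificate you accepted, stay quiet while it stays the same, and shout only when it changes. As an added illustration (not the post's own code), here is that policy in Python; the host names and the "DER" byte strings are constructed stand-ins, and whether a chain validates is assumed to come from the browser's normal CA check.

```python
import hashlib


class CertTrustStore:
    """Trust-on-first-use store keyed by the SHA-256 fingerprint of the
    DER-encoded certificate; 'permanent' survives the session, 'session' does not."""
    def __init__(self):
        self.permanent = {}
        self.session = {}

    @staticmethod
    def fingerprint(der):
        return hashlib.sha256(der).hexdigest()

    def classify(self, host, der, chain_valid, expired=False):
        """Outcome the post proposes for this connection. chain_valid is assumed
        to come from ordinary CA chain validation; a self-signed cert never has one."""
        if chain_valid:
            return "expired-warn-allow" if expired else "signed-ok"
        fp = self.fingerprint(der)
        known = self.permanent.get(host, self.session.get(host))
        if known is None:
            # First encounter: red broken lock, drop-down bar, access allowed.
            # A man-in-the-middle on this very first visit would be remembered as
            # genuine, so this fingerprint is the one worth checking out of band.
            return "self-signed-first"
        if known == fp:
            return "self-signed-known"    # previously accepted: just the red lock
        return "self-signed-changed"      # new key for a known host: big alert

    def accept(self, host, der, permanent):
        (self.permanent if permanent else self.session)[host] = self.fingerprint(der)

    def end_session(self):
        self.session.clear()


def walkthrough():
    """Constructed scenario: der_a and der_b stand in for two different
    self-signed certificates for one host (sample bytes, not real DER)."""
    store, host = CertTrustStore(), "tinyapp.example"
    der_a, der_b = b"DER-CERT-A", b"DER-CERT-B"
    seen = [store.classify("bank.example", b"DER-CA-SIGNED", chain_valid=True)]
    seen.append(store.classify(host, der_a, chain_valid=False))  # first visit
    store.accept(host, der_a, permanent=False)                    # accept for session
    seen.append(store.classify(host, der_a, chain_valid=False))  # revisit: known
    store.end_session()
    seen.append(store.classify(host, der_a, chain_valid=False))  # forgotten again
    store.accept(host, der_a, permanent=True)                     # import permanently
    seen.append(store.classify(host, der_a, chain_valid=False))  # known
    seen.append(store.classify(host, der_b, chain_valid=False))  # cert changed
    return seen
```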

Enough ranting. No one will read this (not the whole post anyway) :)

(PS. A Man in the Middle Attack is when some other machine between you and the site pretends to be the site, intercepts your traffic, and responds with its own fake certificate.)

1 comment:

Morti said...

I read the whole thing and I agree wholeheartedly. I provide professional Internet services to small business clients (mail and web hosting and the like) and it's annoying that a solution which is secure enough for me and secure enough for them can't be used because it's not secure enough for the people who make the web browser.

Given the insecurities your browser will always naturally accept (including unencrypted HTTP) I don't think it should even flag up a warning about a self-signed certificate. Have the padlock icon, even, as it's secure enough for most purposes. Just throw up errors if the certificate changes and, at most, have a tooltip saying "this website is secured using a self-signed certificate that cannot be verified, click here for more information" which points out that the site *is* secured but there may be a reason to be wary around it and more information is available.

Anyway, yes, this angers me too. :P