Firefox really really does not want you to use self-signed certs

COMSEC
OK, so opinions differ about whether or not it's a good idea to encourage the use of self-signed certificates for SSL servers. As I read the situation, the basic arguments go like this:

For:
Active attacks are relatively uncommon but passive sniffing is a big problem, so the world would be better off if people used SSL, even if there is no real authentication of the server. Moreover, if you use SSH-style "leap-of-faith" (trust on first use) authentication, where you memorize the server's certificate and get worried if it changes, you are fairly resistant to active attack, provided the attacker wasn't already in the path the first time you connected.

Against:
Active attacks are a real threat, and people are already way too willing to ignore warnings from the browsers about invalid certificates. If we encourage self-signed certs, people will only get more lax.
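The "leap-of-faith" argument above is easier to evaluate with the mechanism in front of you. What follows is an added example, not code from the original post and not anything Firefox does: a small Python client that treats server certificates the way SSH treats host keys, remembering the SHA-256 fingerprint of the certificate seen on first contact and flagging any later change. No CA validation is performed at all, which is exactly the trade-off the "For" side proposes. The file format, the `Verdict` names and the `~/.lof_known_certs.json` path are this example's own assumptions; the test inputs are constructed byte strings, not real certificates.

```python
"""Leap-of-faith (trust-on-first-use) certificate memory for a TLS client.

Added example, not from the original post or from Firefox. Works like the SSH
known_hosts file: remember the certificate seen on first contact, complain if a
later connection presents a different one. No CA validation is done, so the
first connection is unauthenticated; everything after it is pinned.
"""
import hashlib
import json
import os
import socket
import ssl
from enum import Enum


class Verdict(Enum):
    FIRST_USE = "first-use"   # never seen this host:port; fingerprint recorded
    MATCH = "match"           # same certificate as last time
    MISMATCH = "mismatch"     # certificate changed: MITM, or a legitimate rotation


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate as colon-separated uppercase hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class LeapOfFaithStore:
    """known_hosts-style mapping of "host:port" -> certificate fingerprint.

    The JSON file format is an assumption of this example.
    """

    def __init__(self, path=None):
        self.path = path          # None keeps the store in memory only
        self.known = {}
        if path and os.path.exists(path):
            with open(path) as f:
                self.known = json.load(f)

    def _save(self):
        if self.path:
            tmp = self.path + ".tmp"
            with open(tmp, "w") as f:
                json.dump(self.known, f, indent=2)
            os.replace(tmp, self.path)   # atomic replace; no half-written store

    def check(self, host: str, port: int, cert_der: bytes) -> Verdict:
        """Compare the presented certificate with what we remember for host:port."""
        key = f"{host}:{port}"
        seen = fingerprint(cert_der)
        remembered = self.known.get(key)
        if remembered is None:
            self.known[key] = seen     # leap of faith: trust on first use
            self._save()
            return Verdict.FIRST_USE
        if remembered == seen:
            return Verdict.MATCH
        return Verdict.MISMATCH        # caller decides; never silently re-pin

    def trust_new(self, host: str, port: int, cert_der: bytes) -> None:
        """Explicit override after a MISMATCH, once a human has decided it is legitimate."""
        self.known[f"{host}:{port}"] = fingerprint(cert_der)
        self._save()


def fetch_peer_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server's leaf certificate without CA validation.

    The handshake already delivers the certificate to the client, so nothing
    like a separate "Get Certificate" step is needed to fill in a fingerprint.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # deliberately no PKI check: TOFU only
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def leap_of_faith_connect(store: LeapOfFaithStore, host: str, port: int = 443):
    """Fetch the certificate, check it against the store, return (verdict, fingerprint)."""
    der = fetch_peer_cert_der(host, port)
    return store.check(host, port, der), fingerprint(der)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    store = LeapOfFaithStore(os.path.expanduser("~/.lof_known_certs.json"))
    verdict, fp = leap_of_faith_connect(store, target)
    print(f"{verdict.value}: {fp}")
    if verdict is Verdict.MISMATCH:
        sys.exit("REFUSING: server certificate changed since first contact")
```

Two design points worth noticing: the pin is keyed on host and port, since one host may legitimately serve different certificates on different ports; and a `MISMATCH` is returned rather than auto-updated, because "silently accept the new cert" is precisely the behaviour that makes leap-of-faith worthless against an active attacker.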

This is a contentious issue in the security community, but few of us are in a position to do much other than rant. On the other hand, if you work for a major browser vendor, you do get to do something. It was big news (at least in the narrow security community) a while back when Firefox 3 took a much more aggressive line on invalid certificates. I was initially sort of sanguine about this turn of events, since many security types have long been worried about users ignoring error messages (see above), but (at minimum) the execution seems to be a little lacking.

Here's how things shake out when you use Firefox to connect to some site with an "invalid" cert. First, you get the following error screen:

So, first, this looks like a hard error to any sane person. In the past few weeks I've seen several people not really know what to do here, and even I've done a double take at least once before I realized it was just a certificate error I could override (note that the dialog doesn't in any way suggest that this could be intentional and/or safe in certain circumstances). Anyway, once you figure out what's going on, you click "Or you can add an exception...", which takes you to the following screen:

I'm not sure I entirely agree with Firefox's opinion about when you should add an exception. I get https: URLs fairly often in contexts where I'm not especially worried about security. If you would have been willing to retrieve the page over plain HTTP, you should also be willing to retrieve it over HTTP with TLS and an unverified certificate: the worst case is an active attacker, who could have done the same thing to the plaintext connection. Maybe it's bad policy by the server, but it's not unsafe as far as I can tell.

If you click "Add Exception..." you then get:

Note that you can't actually add the exception at this point. Every button is grayed out besides "Get Certificate" and "Cancel". When you click "Get Certificate", the browser fills in the information, giving us the following dialog:

Now you can confirm the exception and after four separate dialogs, you can finally get to the original page you were looking for.

Whatever one's position on self-signed certs, this all seems unnecessarily clumsy. I'm particularly struck by dialog 3, where they force you to "download" the certificate, despite the fact that Firefox absolutely has a copy, having received it in the TLS handshake when it first contacted the server. Why doesn't it just fill in the dialog instead of forcing you to click through? It's one thing to give you an alarming warning, but the rest of this feels a lot like editorializing via UI. You know what I'm talking about here: we don't think you should be doing this, so despite the fact that you're insisting on it, we'll make it as inconvenient and irritating as possible. I don't know if that was what was in the programmers' heads or not, but it seems to me that one could produce a rather better UI even if the underlying objective was to discourage self-signed certs.

1 Comment

One reason for using self-signed certs is the abominable treatment consumers get from evil corporations like Verisign. Yes, I did have to talk directly to the supreme head of customer service a few years back, because nobody underneath had either common sense or a willingness to perform their job. So, I do use a self-signed cert for my wife's shopping cart because I didn't feel like funding an Axis of Evil.
