Computer & Internet Security News

22 August 2008

Firefox accused over SSL-certificate warnings

By John Fontana, Network World (US)

Mozilla is being accused of creating undue fear and confusion for everyday web surfers, due to the new security feature in Firefox 3.0 that throws out a warning page when a website's SSL certificate is expired or has not been issued by a trusted third party.

Critics say that Firefox 3.0 makes it difficult to set exceptions for certain websites, and is forcing website operators to do business with specific vendors of SSL certificates or risk the appearance that their websites are broken.

Browsers require SSL certificates to initiate encrypted communications and to validate the authenticity of a site. The Mozilla.com website, where Firefox 3.0 can be freely downloaded, defends the new feature, saying SSL certificates not issued by a validated certificate authority - so-called self-signed certificates (SSC) - don't provide even basic validation; and expired certificates should not be viewed as "harmless" because they open avenues for hackers.

Mozilla officials say the new feature helps curb electronic eavesdropping or so-called "man in the middle" attacks.

The certificate issue is cropping up on such major sites as the US Army's, which uses certificates issued by the Department of Defense. In the Army's case, Firefox does not recognize the DOD as an authorised certificate provider. Firefox, therefore, rejects the Army site's certificate and defaults to a web page showing a traffic-cop icon and proclaiming "secure connection failed" and that the site's certificate cannot be trusted.

The problem has also surfaced with expired SSL certificates on such sites as Google Checkout and LinkedIn. The issue could also crop up on intranet sites that use SSCs, forcing IT administrators to configure exceptions within the browser or find other workarounds.
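The three situations the article describes (a certificate from an issuer the browser does not hold, such as the DoD's own CA; an expired certificate; and a self-signed certificate) all come down to validating the site's certificate chain against a trust store. The Go program below is an added illustration, not code from the article or from Mozilla: it generates throwaway certificates in-process (names such as intranet.example are constructed), classifies each the way a browser would, and shows that adding the private CA to the store clears the first case while an expired certificate stays rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// makeCert issues a certificate for host ending at notAfter; parent == nil makes it self-signed.
func makeCert(host string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // throwaway key; nothing here is a real site's material
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: notAfter.Add(-366 * 24 * time.Hour), NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: issuer and subject are the same key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Classify reduces chain validation against the given trust store to the outcomes the article discusses.
func Classify(leaf *x509.Certificate, roots *x509.CertPool) string {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: leaf.DNSNames[0], Roots: roots})
	if err == nil {
		return "ok"
	} else if e, ok := err.(x509.CertificateInvalidError); ok && e.Reason == x509.Expired {
		return "expired" // the validity-period check runs first, so this wins even when the issuer is trusted
	} else if _, ok := err.(x509.UnknownAuthorityError); ok {
		return "unknown-authority" // self-signed, or issued by a CA the store does not hold
	}
	return "other: " + err.Error()
}
// Demo runs each scenario against an empty store, and the private-CA leaf again once that CA is trusted.
func Demo() map[string]string {
	year := time.Now().Add(365 * 24 * time.Hour)
	ca, caKey := makeCert("Example Private CA", true, year, nil, nil)
	leaf, _ := makeCert("intranet.example", false, year, ca, caKey)
	expired, _ := makeCert("old.example", false, time.Now().Add(-24*time.Hour), ca, caKey)
	self, _ := makeCert("self.example", false, year, nil, nil)
	none, withCA := x509.NewCertPool(), x509.NewCertPool()
	withCA.AddCert(ca)
	return map[string]string{
		"private-ca/no-store": Classify(leaf, none), "private-ca/ca-added": Classify(leaf, withCA),
		"expired/ca-added": Classify(expired, withCA), "self-signed/no-store": Classify(self, none),
	}
}
```

The "private-ca/ca-added" outcome is what an administrator achieves by installing an in-house root into the browser's store; the "expired" outcome cannot be fixed that way, which is why renewal matters for sites like the ones named above.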

Some are saying that Firefox 3.0 is out of line.

The Pingdom.com blog this week took Mozilla to task, saying the issue could affect tens of thousands of sites. "People most in need of a clear and explicit warning regarding SSL certificates are inexperienced users, and those are not very likely to understand the error message that Firefox 3 is displaying. A large portion will simply be scared away, thinking that the website is broken," according to the blog.

Developer Nat Tuck called the Firefox feature bad for the web in a blog post he wrote on 31 July. "Mozilla Firefox 3 limits usable encrypted (SSL) websites to those who are willing to pay money to one of their approved digital-certificate vendors. This policy is bad for the web."

Tuck concedes that SSCs provide no value for authenticating a website, but he says Firefox is ignoring the encryption capabilities of SSL certificates, which thwart snooping on web traffic. He even goes so far as to suggest that open source advocates should perhaps create a derivative of the open source Firefox code that includes full SSL functions.

Mozilla.com officials say SSCs have been treated as "disconcerting" for some time by the open source browser, and that what changed in Firefox 3.0 is an attempt to make users understand the potential consequences of accepting such certificates.

Comments received


stine said on Friday, 22 August 2008

I'm all for the warning, but the fact that it takes three move-the-pointer clicks to get through is a pain. It does show how many sites have expired certs...

maxsec said on Friday, 22 August 2008

Another vote for... easy to add the exception, and it proves how broken the SSL certificate is on many, many sites. We tell people to look for the security padlock before giving passwords, but this shows the SSL cert protecting this padlock can't be trusted.

Ralph W said on Friday, 22 August 2008

(to stine and others)
I used to consult with early Web commerce companies (in 1996). The whole enterprise depends on end-to-end security. If you can do a one-click bypass of certificate checks, then that means human nature will win out every time, and DEFEATS the whole security model.

It SHOULD be difficult to accept a certificate signed by an 'uncertified' authority. There should be a separate mechanism for accepting these CAs (at minimum, checking your e-mail should be required). The recent DNS vulnerability, combined with many, many server compromises, make life difficult enough without having to accept self-signed certificates.

So we all must make some sacrifices to ensure that our web accesses are secure. And yes, that means the DOD can pay a few thousand per year for a Verisign certificate.

I'll go further, and say Firefox should make it EASY to complain to the webmaster by sending a message to the technical point of contact for the domain with an expired cert.

Catch 22... said on Friday, 22 August 2008

On the other hand, how lax should the treatment be? I personally liked the way version 2 handled certificates.

Getting a CA published costs WAY TOO MUCH. Sites that use self-signed certificates get screwed with the current rules. Certificates are just another way for the IT industry to milk its users out of their hard-earned money.

Microsoft should allow anyone wanting to use a self-signed cert to get their CA published when MS does an update.

George said on Friday, 22 August 2008

So many "false alarms" on sites that I know well and trust lead me to ignore the warnings totally, making them worse than useless.

jdubs said on Friday, 22 August 2008

How come the article makes no mention of the similar error pages in IE7? It also presents an annoying screen when visiting a site with an SSC.

Norman Morris said on Friday, 22 August 2008

If website operators can pander to Microsoft using "Microsoft" standards to build their websites rather than using "Industry" standards, then Mozilla can make sure sites adhere to web security standards.

Glynn Reynolds said on Sunday, 24 August 2008

I may have misread the response from Mozilla.com officials. Are they offering a solution to fix the problem?

I did not read anything relating to fixing the problem.

Glen B said on Wednesday, 27 August 2008

Firefox 3 insists that some self-signed Cisco Access Point certificates are bad and refuses to accept them even if you tell Firefox to create an exception. I cannot get Cisco to change the certificate on one access point, so I have to use IE to access some and can use Firefox to access others.

Barbara said on Saturday, 31 January 2009

I can't get to my local humane society site; it is not clear how to click through and get to it. Firefox needs to fix this and explain it.
