Firefox, Security
Firefox 3.0 SSL Certificate Error Pages
Posted by Moxietype

Firefox 3 limits usable encrypted (SSL) Web sites to those willing to pay money to one of its approved digital-certificate vendors. Self-signed certificates (SSC) get rejected. For example, the U.S. Army uses certificates issued by the Department of Defense, and those are not trusted by Firefox 3. Expired SSL certificates, such as the ones seen on Google and LinkedIn, are affected as well.

The Mozilla.com Web site, where Firefox 3.0 can be freely downloaded, defends the new feature, saying SSL certificates not issued by a validated certificate authority -- so-called self-signed certificates (SSC) -- don't provide even basic validation; and expired certificates should not be viewed as "harmless" because they open avenues for hackers.
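To make the two rejection reasons above concrete, here is an added example (not Mozilla's code and not the page's) of the trust decision a browser makes before it shows an SSL error page: every certificate in the chain must be within its validity period, each must be issued by the next one up, and the top of the chain must be anchored in the browser's root store. A certificate that names itself as issuer and is not in that store is self-signed. The certificate records, the trust store and the reference date are constructed for this example, and signature checking is left out on purpose (a real validator also verifies every signature in the chain).

```python
"""Simplified browser-style certificate chain check (added example).

Certificate records are plain dicts with the fields a browser looks at;
validity dates use the text format `openssl x509 -dates` prints.
Signature verification is intentionally omitted (simplification).
"""
from datetime import datetime, timezone

OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"


def parse_date(text):
    """Parse 'Jun 17 12:00:00 2008 GMT' into an aware UTC datetime."""
    return datetime.strptime(text, OPENSSL_DATE).replace(tzinfo=timezone.utc)


def is_self_signed(cert):
    """A self-signed certificate names itself as its own issuer."""
    return cert["subject"] == cert["issuer"]


def classify_chain(chain, trusted_roots, now):
    """Return the error class a browser would raise for `chain`, or 'ok'.

    chain:         certificate dicts, leaf first, root last (root may be omitted)
    trusted_roots: set of subject names of the root CAs the browser ships
    now:           the time at which validity is judged
    """
    # 1. Every certificate must be inside its validity window.
    for cert in chain:
        if now > parse_date(cert["notAfter"]):
            return "expired"
        if now < parse_date(cert["notBefore"]):
            return "not_yet_valid"
    # 2. Each certificate must be issued by the next one up the chain.
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return "broken_chain"
    # 3. The top of the chain must be anchored in the trust store.  This also
    #    covers a trusted root included in the chain, since it issues itself.
    top = chain[-1]
    if top["issuer"] in trusted_roots:
        return "ok"
    if len(chain) == 1 and is_self_signed(top):
        return "self_signed"
    return "untrusted_issuer"


# --- constructed sample data -------------------------------------------------
TRUSTED_ROOTS = {"CN=Example Public Root CA"}          # constructed trust store
NOW = parse_date("Jun 17 12:00:00 2008 GMT")           # fixed reference time


def _cert(subject, issuer, not_before="Jan 01 00:00:00 2008 GMT",
          not_after="Dec 31 23:59:59 2008 GMT"):
    return {"subject": subject, "issuer": issuer,
            "notBefore": not_before, "notAfter": not_after}


# Leaf issued directly by a root the browser trusts.
GOOD_CHAIN = [_cert("CN=shop.example.com", "CN=Example Public Root CA")]

# Leaf that signed itself and is not in the trust store.
SELF_SIGNED_CHAIN = [_cert("CN=intranet.example.org", "CN=intranet.example.org")]

# Properly issued leaf whose validity period has already ended.
EXPIRED_CHAIN = [_cert("CN=old.example.com", "CN=Example Public Root CA",
                       not_after="May 31 23:59:59 2008 GMT")]

# Leaf issued by an organisation's private root that the browser does not ship
# (the situation the post describes for a DoD-issued certificate).
PRIVATE_CA_CHAIN = [
    _cert("CN=portal.private.example", "CN=Private Root CA (constructed)"),
    _cert("CN=Private Root CA (constructed)", "CN=Private Root CA (constructed)"),
]

if __name__ == "__main__":
    for name, chain in [("good", GOOD_CHAIN), ("self-signed", SELF_SIGNED_CHAIN),
                        ("expired", EXPIRED_CHAIN), ("private CA", PRIVATE_CA_CHAIN)]:
        print(f"{name:12s} -> {classify_chain(chain, TRUSTED_ROOTS, NOW)}")
```

Running it prints `ok` only for the first chain; the other three are exactly the cases the post says Firefox 3 turns into an error page. Note that the private-CA chain fails as `untrusted_issuer` even though nothing about it is expired or self-signed at the leaf: the fix on the user's side is to import that organisation's root into the browser's store, not to ignore the warning.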

On the other hand, expired SSL certificates are actually quite common.

According to Netcraft data, the number of SSL websites passed 600,000 in 2007. If we make a rough estimate and assume the same ratio as for the Fortune 1000 websites, that would mean that there are around 108,000 websites with expired SSL certificates. All these would get the “error page” in Firefox 3.

The lack of a single industry standard for SSL and SSC creates both a security hazard and a sub-prime usability issue. This is something Mozilla itself seems aware of. Jonathan Nightingale, who works on usability and security at Mozilla, had this to say in his blog about how Firefox 3 handles SSL certificates:

I don’t think the approach in Firefox 3 is perfect, I’m not sure any of us do. I have filed bugs, and talked about things I think we could do to continue to enhance our users’ security while at the same time reducing unnecessary annoyances.
