Interesting People mailing list archives
Re: Firefox 3's Step Backwards For Self-Signed Certificates
From: David Farber <dave () farber net>
Date: Wed, 9 Jul 2008 10:08:09 -0700
________________________________________
From: Serge Egelman [egelman () cs cmu edu]
Sent: Wednesday, July 09, 2008 12:35 PM
To: David Farber
Cc: cups () cups cs cmu edu
Subject: Re: [IP] Firefox 3's Step Backwards For Self-Signed Certificates

For IP if you wish:

I am in no way affiliated with the Mozilla project, but I am part of the W3C Web Security Context WG (which includes some Mozilla people), where some of these design decisions have been debated. The main issue before the group was what indicators or warnings to display when a self-signed certificate is encountered. There have been many heated debates over the public mailing list on this:

http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jul/thread.html#msg280
http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jul/thread.html#msg22

Personally, I think they made an absolutely terrible decision in Firefox 3. Their argument seems to be centered around the belief that only the bad guys will use self-signed certificates because blocking them will cause legitimate websites to spring for CA-signed certificates. This is a poor assumption for several reasons:

1) Several academic studies have shown that users do not notice SSL indicators in any form (i.e. the lock icon is not noticed and is misunderstood, and the new EV indicators are easily spoofed by picture-in-picture attacks). Thus, the bad guys have little incentive to use any SSL certificate (CA-signed or not).

2) If a user is really trying to get to a known website with a self-signed certificate in Firefox and is blocked (and is not savvy enough to get around the warning), it's likely he or she will just switch to Internet Explorer or Safari.

3) Assuming every browser starts blocking self-signed certificates and users radically change their behavior such that they seek out SSL icons (fat chance), the bad guys will simply start buying CA-signed certificates. A low-grade SSL certificate costs around $20. Studies have shown that most phishers make an average of $500/victim. At that rate, being forced to drop $20 won't be a deal-breaker---it's simply a cost of doing business. Low grade SSL certificates are issued automatically to anyone who legitimately owns a domain name (and most phishing attacks no longer use homonym attacks, so it's very difficult for the CAs to filter out the malicious requests).

Based on the above, I'm not convinced that self-signed certificates should be treated any differently than low-grade ones.

serge

David Farber wrote:
________________________________________
From: Lauren Weinstein [lauren () vortex com]
Sent: Tuesday, July 08, 2008 11:09 AM
To: David Farber
Cc: lauren () vortex com
Subject: Firefox 3's Step Backwards For Self-Signed Certificates

Firefox 3's Step Backwards For Self-Signed Certificates

http://lauren.vortex.com/archive/000402.html

Greetings. If you've switched over to Firefox 3 as your Web browser already -- and in general it's a fine upgrade -- you may at some point discover that rather than encourage (or at least not overly discourage) the use of self-signed security certificates, Firefox 3 makes it *less* likely that anyone other than an expert user will ever accept a self-signed certificate. This is particularly of concern to me since I've urged an expansion of self-signed certs deployment as a stopgap measure toward pervasive encryption ( http://lauren.vortex.com/archive/000339.html ).

Compared with Firefox 2, version 3 throws up so many barriers and scary-sounding warnings to click through to accept such certs, that it would be completely understandable if most persons immediately aborted.

What's going on is that Firefox is now putting so much emphasis on identity confirmation that it's making it even harder for people to use the basic encryption functionality of the browser, which works just fine with self-signed certificates (which admittedly are not good carriers for identity credentials). But in many situations, we're not concerned about identity in particular, we just want to get the basic https: crypto stream up and running.

I am fully aware of the associated identity considerations, and I know that basic signed certificates that will work in Firefox and some other browsers (but last I heard not in Internet Explorer at this time) can be obtained for free. If browser acceptance of free signed certs broadens out (and especially if wildcard certificates also become freely available) the need for self-signed certificates could significantly diminish.

But for now, Firefox 3 is going overboard with its complicated and alarming warnings, which if nothing else could include improved explanatory text, so that users would be able to better judge whether or not they should accept any particular self-signed certificate. The current wording is unreasonably judgmental given the range of perfectly legitimate situations where self-signed certificates might be used.

I'm not saying to give self-signed certs the same invisible, automatic acceptance as signed certificates, but Firefox 3 has simply gone too far toward making self-signed certs unusable -- from a practical standpoint -- in many situations where they otherwise would be completely adequate and suitable.

--Lauren--
Lauren Weinstein
lauren () vortex com or lauren () pfir org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Co-Founder, NNSquad - Network Neutrality Squad - http://www.nnsquad.org
Founder, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com

-------------------------------------------
Archives: http://www.listbox.com/member/archive/247/=now
RSS Feed: http://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com
--
/*
PhD Candidate
Carnegie Mellon University

"Whoever said there's no such thing as a free lunch was never a grad student."

All views contained in this message, either expressed or implied, are the views of my employer, and not my own.
*/