Comments on: PRD1: Ability To Navigate To Web Pages

By: Alex

Alex — Sat, 27 Sep 2008 18:30:42 +0000

Even addons.mozilla.org throws sec_error_bad_signature at the moment (and that’s the one you can’t override).

Or half a dozen error boxes if you select “Get Add-ons” from the Add-ons window.

– Alex

By: Iang

Iang — Sat, 13 Oct 2007 16:37:46 +0000

Certainly a self-signed cert can be treated like a plain HTTP site, from the point of view of pure PKI security logic. But it is a very different beast if treated as it is designed to be treated: a “trusted-first-party” identified site, Key-continuity-management, SSH model, etc etc.

Perhaps the answer is to display the self-signed site as different. There are still plenty of colours left to use, and a security UI should anyway be a lot bigger than crammed into the URL box.

By: Dan Veditz

Dan Veditz — Thu, 11 Oct 2007 22:02:18 +0000

FF2 and 3 both support SNI (as does IE7 and Opera). FF1.5 will if you disable SSLv2 support (the SSLv2 hello conflicts with the TLS extensions).

Don’t patronize a hosting company that doesn’t support SNI, and tell them why you’re going elsewhere.

By: arno

arno — Thu, 11 Oct 2007 21:32:21 +0000

But if a webmaster (with few money) wants to use a certificate provided by another CA than startssl, users will not be able to access his site at all. Mozilla claims its goal is “choice and innovation”, but forcing to use startssl is far from providing some choice.

And what if another browser does the same but chooses to include another free ca certificate ? Will secure sites have to target one browser, and be unavailable with other ?

Is it technically possible in such a case to display something like: if you want visit that securely, you need to install certificate from xxx ?

By: Arthur

Arthur — Thu, 11 Oct 2007 20:22:26 +0000

Hi Gerv

“Under the current Firefox 3, if someone subverts his connection via DNS spoofing or the like, and redirects him, he’ll get certificate errors with no way to continue. So he’s safe from the attack.”

If that person is extremely task oriented he will with just one click on an icon change the browser and he’s no more secure than before. It’s probably still the correct thing to do but I wouldn’t be so quick to call the user “safe from the attack”.

“Cost is no longer a barrier.” Unfortunately it is. IP addresses don’t come for free. So you’re still forced to use the same certificate for several domains in regions where IPv4 addresses aren’t abundant. And tooling support for server name indication unfortunately isn’t yet there where it should be.

By: Gerv

Gerv — Thu, 11 Oct 2007 18:52:11 +0000

Do you think there’s a possibility we considered doing that before deciding on the current course of action? For those who can’t be bothered to read the bugs (and I admit, some are quite long) here’s the reason we can’t just treat self-signed certs as plain HTTP.

Imagine someone who is not very computer-literate. He (let’s say it’s a he) has a bookmark to his bank, https://www.mybank.com/, which his son told him to use to be safe from phishing.

Under the current Firefox 3, if someone subverts his connection via DNS spoofing or the like, and redirects him, he’ll get certificate errors with no way to continue. So he’s safe from the attack.

Under a “self-signed is HTTP” model, the attacker could serve their fake site with a self-signed cert for “www.mybank.com”, Firefox would see the error, switch to an HTTP-like UI and load the phishing site, and the user would be at risk. Yes, the padlock or other indicators would be missing, but that’s not going to help everyone – particularly as this person was told “your bookmark is what makes you safe”.

You can now get valid domain-validation SSL certs for free from http://www.startssl.com/ . Cost is no longer a barrier.