Firefox Overzealous… Or Is It?

Man In The Middle is defeated by context. — Bruce Schneier

As has been widely discussed, Firefox 3.0 is a little over-zealous when it encounters an unknown certificate on an SSL website. Where previous versions would just warn the user about the observed irregularities, the new version requires that the user add an exception for every certificate that has an unknown certification chain, is expired or for which the hostname does not match the information in the certificate.

Adding an exception takes four clicks, most met with a stern warning that will deter anyone but the most determined user. Folks who use self-signed certificates as a matter of habit are howling, because they have to tediously make exceptions for all of them. This Firefox features seems over the top, but is it? It is not. The validity of the certificate at the other end of the connection plays a critical role in establishing the trust relationship between endpoints. An invalid or unverified certificate gives no assurance whatsoever about the identity with whom we’re handshaking: it could be the true endpoint or a Man-in-the-Middle entity that is passing themselves off as the endpoint.

The difference between running the Exception gauntlet and a trusted identity should not be taken lightly, and while public-key cryptography in the context of identifying endpoints is still too hard to use for the general public, Firefox’ reluctance to accept untrusted certificates is the right thing to do.

Folks who want to use self-signed certificates have a very attractive alternative: with a couple of clicks, they can add the certificate to the Firefox Certificate Store by either importing the server certificate, or pulling it right from the server by pro-actively adding an Exception. Just use Preferences -> Advanced -> Certificates. Beyond a certain number of certificates, though, it may be easier to set up your own CA, and import its certificate. That allows you to set up servers with certificates that are automatically trusted by your client(s).

Laments that certificates are expensive are out of place: $30 a year buys you a certificate that is trusted by a lot of browsers. Additionally, PKI is the ultimate do-it-yourself environment: you are perfectly welcome to set up your own and determine the level of trust you allot it.

Be Sociable, Share!