Monday, July 07, 2008

The Firefox 3 SSL scam

I wonder how much money the Mozilla foundation received from Verisign, Thawte and/or other certification authorities to design their new SSL warning.

This is obviously designed so as to completely kill the use of self-signed certificates, forcing anyone who wants to use encrypted communications to pay money to some huge private (usually foreign) corporation for the privilege of simple stuff like encrypting login passwords for webmail.

One more step in the takeover of the Internet by big money. And this time thanks to an "open source" organization.

This is supposed to be to improve security. Well, let's see how the security is improved.

To access the site, you need to click an "Or you can add an exception…" link. This expands to an additional warning, with a helpful "Get me out of here" button. That button helpfully sends you to Google (which happens to be the corporation paying the Mozilla developers).

The other button is "Add Exception...". In Firefox 2 (or Opera or others), you came immediately to this stage, where you could examine the certificate's content (including its fingerprint, to verify it), and could accept the certificate for this one time only.

The "improved security" in Firefox 3 will only let you add the certificate permanently! And doesn't let you know anything about this certificate you are about to accept forever. No way to display it's fingerprint, let alone the full content and who claims to have signed it. All you can do is blindly accept some unknown "thing" forever without any possible verification. Or go back to your Big Brother Google to search for another site.

There is a View button and a "Permanently add" check box, but both are greyed out! To enable them, you need to change some obscure about:config setting(s).

When I set up my webmail with a self-signed certificate, I also sent the users the certificate's fingerprint so that they could check it when accepting the certificate. Now, with Firefox 3, they have no (easy) way to check it. They will get used to yet more clicking through endless incomprehensible security dialogs (as with Vista's ridiculous UAC), or I could disable encryption, making my users feel comfortable when accessing their webmail, even though they would broadcast their password to anyone who cares to listen on the (often wireless) LAN.
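The out-of-band fingerprint check described above, as an added example that is not part of the original post. It uses only the Python standard library; the certificate bytes are a constructed placeholder (not a real certificate), since a fingerprint is simply a hash over the DER encoding and the check is identical for a real one. The host name "webmail.example" in the usage section is hypothetical.

```python
"""Verify a self-signed certificate against a fingerprint published out of band.

Added example, not code from the original post. Assumes only the Python
standard library. CONSTRUCTED_DER is a placeholder standing in for a
DER-encoded certificate; a real deployment hashes the bytes the server sends.
"""
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder, NOT a real certificate: a leading ASN.1 SEQUENCE
# header followed by filler bytes. Only its hash matters for this example.
CONSTRUCTED_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Return the fingerprint browser-style: upper-case hex pairs joined by colons.

    The hash is taken over the raw DER bytes, which is exactly what a browser's
    certificate viewer displays (Firefox 3 showed SHA-1 and MD5; SHA-256 is the
    sensible choice today).
    """
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes in PEM armour, the form an admin would mail to users."""
    return ssl.DER_cert_to_PEM_cert(der)


def fingerprint_from_pem(pem: str, algorithm: str = "sha256") -> str:
    """Same as fingerprint(), but starting from the PEM text a user received.

    PEM is just base64 around the DER bytes, so re-wrapping or re-indenting
    the text does not change the fingerprint.
    """
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem), algorithm)


def normalize(fp: str) -> str:
    """Strip colons/spaces and upper-case, so 'ab:cd' and 'ABCD' compare equal."""
    return "".join(ch for ch in fp if ch.isalnum()).upper()


def matches_expected(der: bytes, expected: str, algorithm: str = "sha256") -> bool:
    """True when the certificate's fingerprint equals the published value.

    hmac.compare_digest gives a constant-time comparison; for a fingerprint it
    is belt-and-braces, but it costs nothing.
    """
    actual = normalize(fingerprint(der, algorithm)).encode()
    return hmac.compare_digest(actual, normalize(expected).encode())


def fetch_server_certificate(host: str, port: int = 443) -> bytes:
    """Fetch the DER certificate a server presents, without trusting it yet.

    Verification is disabled on purpose: the goal is to obtain the bytes so the
    user can compare the fingerprint with the one the admin published. Nothing
    but the TLS handshake is sent before the check happens.
    """
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Admin side: publish this value through a channel users already trust
    # (in person, a signed mail, the intranet), never only via the site itself.
    published = fingerprint(CONSTRUCTED_DER)
    print("Publish this SHA-256 fingerprint:", published)
    # User side, offline here; a real check would do
    #   der = fetch_server_certificate("webmail.example", 443)   # hypothetical host
    der = CONSTRUCTED_DER
    print("Server certificate matches published fingerprint:",
          matches_expected(der, published))
```

The design point is that the fingerprint must travel over a channel the attacker cannot touch; comparing a server's certificate against a value fetched from that same server proves nothing.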

Firefox is otherwise a very good web browser, and has been my preferred browser since version 0.9 or something, when it was called Phoenix (that was before it was called Firebird). Too bad it now bends so low before big business.

(See also The new SSL error pages in Firefox 3 suck.)



Blogger Unknown said...

I totally agree! I found this by putting "firefox certificate big money" to google and I am glad I am not the only one thinking this way.

Certificate vendors are so pointless. They are taking money for being now. It's so _totally_ dumb wicked unlogical and stuff :( I think that:
a) certificates shouldn't be paid and should be given only to trusted companies with proven big amount of customers
b) browser should inform that certificate is not trusted only if there is some "password" field being sent (and it should be yes/no alert ofc). And that should be possible to disable, too!
c) it's really irritating!

:) I found some way to disable it by editing about:config browser.ssl.something from 1 to 2, I'll see - if the errors will keep on popping then FF source code shall be edited!

03 July, 2009 22:53  
