web mail

Unbreaking FireFox SSL Behavior

Sunday, January 24, 2010 

I used to love firefox, but then somebody decided that users were way too stupid to make it through web browsing without an endless parade of  warnings about SSL certs.  The premise seems to be that:

  • Valid certs are meaningful.
  • Self-Signed or expired certs are indicative of a problem.

Neither is true.

(To a statistical certainty.  Some user somewhere will be validly warned away from a phishing site someday.)

Valid certs mean next to nothing since the users that these warnings are targeted to (and me too) will never ever notice if they’re going to bankofamerica.com (or whatever BofA’s legitimate URL is) or bankomerica.com (assuming bankomerica isn’t a valid bank of america domain).  Thus bankomerica can dupe bankofamerica’s website and get a perfectly valid cert and if users were dumb enough to believe that a lack of warnings indicated validity as the huge scary warnings effectively convey, then they’d be easy prey.

The only valid purpose of SSL is to secure communication between a server and a client so you can check your web mail at a cafe without worrying about being snooped and a self-signed cert does that just as well as one issued by the cert mafia.  Sure, sure the giant cert authorities would love to take your $1,000 a year to give a your user’s some sort of guarantee that you’re really who you say you are, but that doesn’t make any difference at all in practice.

As for DNS hijacking so amazon.com goes to a spoof site where the transaction security is compromised (and in theory the self-signed cert would be a give-away) just mod-rewrite to http then redirect to amazoncheck0utservices.com and get a valid cert for it.

Besides, after users have been forced to dismiss a zillion intra-net “invalid” certs, they’ve learned to completely ignore the warnings and so automatically click through the scary and almost always pointless warnings FireFox generates. Or, like many people, users stop abandon the scary, irritating browser and go back to IE.  Win.  Oh wait… FAIL.

Secure DNSSEC is smart, but forget warning people into oblivion over self-signed certs, the net effect is to make the web less secure because site admins have to choose between absurd fees for certs or turning certs off.  Until FireFox fixes this counterproductive behavior, there are two things that help.  First, browse to about:config and set browser.ssl_override_behavior to “2”.

FIX SSL config in FireFox

I’ve also found the Persepectives Plugin useful to reduce the number of pointless and irritating error warnings Firefox generates when it sees a cert that hasn’t fully paid up the protection racket extortion fees by using a polling mechanism, effectively saying (to a collection of referee sites) “ya’ll think this cert is ok?” and if they say “yeah…” then you get no error.

Perspectives_plugin

There fixes are helpful for those of us sufficiently skilled to use them, but unfortunately they won’t prevent users abandoning the endlessly “WOLF!” crying FireFox for IE.

Posted at 19:18:52 GMT-0700

Category: Technology