July 07, 2008

Firefox 3's Step Backwards For Self-Signed Certificates

Greetings. If you've switched over to Firefox 3 as your Web browser already -- and in general it's a fine upgrade -- you may at some point discover that rather than encourage (or at least not overly discourage) the use of self-signed security certificates, Firefox 3 makes it less likely that anyone other than an expert user will ever accept a self-signed certificate. This is particularly of concern to me since I've urged an expansion of self-signed certs deployment as a stopgap measure toward pervasive encryption.

Compared with Firefox 2, version 3 throws up so many barriers and scary-sounding warnings to click through to accept such certs, that it would be completely understandable if most persons immediately aborted.

What's going on is that Firefox is now putting so much emphasis on identity confirmation that it's making it even harder for people to use the basic encryption functionality of the browser, which works just fine with self-signed certificates (which admittedly are not good carriers for identity credentials).

But in many situations, we're not concerned about identity in particular, we just want to get the basic https: crypto stream up and running.

I am fully aware of the associated identity considerations, and I know that basic signed certificates that will work in Firefox and some other browsers (but last I heard not in Internet Explorer at this time) can be obtained for free. If browser acceptance of free signed certs broadens out (and especially if wildcard certificates also become freely available) the need for self-signed certificates could significantly diminish.

But for now, Firefox 3 is going overboard with its complicated and alarming warnings, which if nothing else could include improved explanatory text, so that users would be able to better judge whether or not they should accept any particular self-signed certificate. The current wording is unreasonably judgmental given the range of perfectly legitimate situations where self-signed certificates might be used.

I'm not saying to give self-signed certs the same invisible, automatic acceptance as signed certificates, but Firefox 3 has simply gone too far toward making self-signed certs unusable -- from a practical standpoint -- in many situations where they otherwise would be completely adequate and suitable.


Posted by Lauren at July 7, 2008 10:22 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein