[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [interesting-people Home]
Subject: [IP] Firefox 3's Step Backwards For Self-Signed Certificates
________________________________________
From: Lauren Weinstein [lauren@vortex.com]
Sent: Tuesday, July 08, 2008 11:09 AM
To: David Farber
Cc: lauren@vortex.com
Subject: Firefox 3's Step Backwards For Self-Signed Certificates
Firefox 3's Step Backwards For Self-Signed Certificates
http://lauren.vortex.com/archive/000402.html
Greetings. If you've switched over to Firefox 3 as your Web browser
already -- and in general it's a fine upgrade -- you may at some
point discover that rather than encourage (or at least not overly
discourage) the use of self-signed security certificates, Firefox 3
makes it *less* likely that anyone other than an expert user
will ever accept a self-signed certificate. This is particularly of
concern to me since I've urged an expansion of self-signed certs
deployment as a stopgap measure toward pervasive encryption
( http://lauren.vortex.com/archive/000339.html ).
Compared with Firefox 2, version 3 throws up so many barriers and
scary-sounding warnings to click through to accept such certs, that
it would be completely understandable if most persons immediately
aborted.
What's going on is that Firefox is now putting so much emphasis on
identity confirmation that it's making it even harder for people to
use the basic encryption functionality of the browser, which works
just fine with self-signed certificates (which admittedly are not
good carriers for identity credentials).
But in many situations, we're not concerned about identity in
particular, we just want to get the basic https: crypto stream up
and running.
I am fully aware of the associated identity considerations, and I
know that basic signed certificates that will work in Firefox and
some other browsers (but last I heard not in Internet Explorer at
this time) can be obtained for free. If browser acceptance of free
signed certs broadens out (and especially if wildcard certificates
also become freely available) the need for self-signed certificates
could significantly diminish.
But for now, Firefox 3 is going overboard with its complicated and
alarming warnings, which if nothing else could include improved
explanatory text, so that users would be able to better judge
whether or not they should accept any particular self-signed
certificate. The current wording is unreasonably judgmental given
the range of perfectly legitimate situations where self-signed
certificates might be used.
I'm not saying to give self-signed certs the same invisible,
automatic acceptance as signed certificates, but Firefox 3 has
simply gone too far toward making self-signed certs unusable -- from
a practical standpoint -- in many situations where they otherwise
would be completely adequate and suitable.
--Lauren--
Lauren Weinstein
lauren@vortex.com or lauren@pfir.org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
- People For Internet Responsibility - http://www.pfir.org
Co-Founder, NNSquad
- Network Neutrality Squad - http://www.nnsquad.org
Founder, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
-------------------------------------------
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [interesting-people Home]
Powered by eList eXpress LLC