Archive for July, 2008

I installed Firefox 3 the other week, and have to say I’m quite impressed. The memory leak issues are not fully resolved, but big steps have been made. (With certain programs like Flash and Adobe Acrobat Reader it’s still churning the memory for me. I compared with Opera 9.5, and that’s still more conservative.) Like this image… no browser should do this:

Anyway, the topic it hand is Firefox’s freaky warnings when reaching a site with an untrusted certificate. Internet Explorer 7 has a similar screen, which requires you to click on the non-default option to proceed to the secure page. Many people are used to seeing https in their browser address bar, and possibly a lock symbol somewhere, to indicate their connection is secure (when you’re logging in somewhere, paying for something online, etc.) To secure the connection, a certificate is used. This certificate must be provided by a certification authority (a “CA”, for short). Companies such as Verisign have made a big business out of doing this, but you can also create certificates yourself (with the appropriate tools), and self made certificates are JUST as secure as those from a major company. The difference is that the end user who receives your certificate cannot trust that your certificate is legit. This warning message is thrown because Firefox doesn’t recognize the authority that has authorized the certificate. It’s a bit like your bank saying the cash you’re trying to deposit is forged. Except that the cash is not forged, it’s just been made by a mint that your bank hasn’t been told to recognize. That mint could be valid, or invalid… but the bank doesn’t know either way.

Slashdot has an article up on the problem highlighted in Firefox 3. The thing is, it’s fundamentally better to use an encrypted connection than a non-encrypted one. If we were all securing our websites will self-signed certificates, the web would be a much safer place. The problem arises when phishers and other scammers use secure certificates with the names of major banks and other companies on them, tricking you into thinking you are at your bank’s website, when really you are providing your details to a thief.

Mozilla have decided it is better to warn someone of the possibility of this, by a nasty warning, than by embracing a more secure web overall. I especially liked this comment, from the article:

The principle espoused by most web browser makers seems to be “Trust anybody if your connection is unencrypted, but if you wish to encrypt your traffic, trust no-one unless they’ve given a wad of cash to a CA.”

It seems to me that a user using an unencrypted connection to an unidentifiable web site (that is to say, all http web sites) should receive even more warnings than a user using an encrypted connection to an unidentifiable web site. But somehow, that’s not the case.

This Firefox scaremongering isn’t just driving people into the arms of Verisign, it’s also driving webmasters away from using encryption, even where web forms might be involved. Too bad – encryption is a good thing.

That’s exactly right. Encryption is a good thing. But Verisign, McAfee, Network Solutions and others hold website security ransom from the rest of us. Remember, their certificates are no more secure than those made yourself, the issue is pure marketing, as Firefox and Internet Explorer and other browsers have been paid by the major corps to trust their certificate authorities. And don’t forget, these companies have been authenticating spammers and phishers certificates for a long time.

By these tactics, if a company cannot afford to pay the high fees for secure certificates from a major CA, it is in their best interest to NOT secure their sites at all, so that customers aren’t alarmed by the warnings that will appear when using a self-signed certificate.