I installed Firefox 3 the other week, and have to say I’m quite impressed. The memory leak issues are not fully resolved, but big steps have been made. (With certain programs like Flash and Adobe Acrobat Reader it’s still churning the memory for me. I compared with Opera 9.5, and that’s still more conservative.) Like this image… no browser should do this:

Anyway, the topic at hand is Firefox’s freaky warnings when reaching a site with an untrusted certificate. Internet Explorer 7 has a similar screen, which requires you to click on the non-default option to proceed to the secure page. Many people are used to seeing https in their browser address bar, and possibly a lock symbol somewhere, to indicate their connection is secure (when you’re logging in somewhere, paying for something online, etc.) To secure the connection, a certificate is used. This certificate must be provided by a certification authority (a “CA”, for short). Companies such as Verisign have made a big business out of doing this, but you can also create certificates yourself (with the appropriate tools), and self-made certificates are JUST as secure as those from a major company. The difference is that the end user who receives your certificate cannot trust that your certificate is legit. This warning message is thrown because Firefox doesn’t recognize the authority that has authorized the certificate. It’s a bit like your bank saying the cash you’re trying to deposit is forged. Except that the cash is not forged, it’s just been made by a mint that your bank hasn’t been told to recognize. That mint could be valid, or invalid… but the bank doesn’t know either way.
Slashdot has an article up on the problem highlighted in Firefox 3. The thing is, it’s fundamentally better to use an encrypted connection than a non-encrypted one. If we were all securing our websites with self-signed certificates, the web would be a much safer place. The problem arises when phishers and other scammers use secure certificates with the names of major banks and other companies on them, tricking you into thinking you are at your bank’s website, when really you are providing your details to a thief.
Mozilla have decided it is better to warn someone of the possibility of this, by a nasty warning, than by embracing a more secure web overall. I especially liked this comment, from the article:
The principle espoused by most web browser makers seems to be “Trust anybody if your connection is unencrypted, but if you wish to encrypt your traffic, trust no-one unless they’ve given a wad of cash to a CA.”
It seems to me that a user using an unencrypted connection to an unidentifiable web site (that is to say, all http web sites) should receive even more warnings than a user using an encrypted connection to an unidentifiable web site. But somehow, that’s not the case.
This Firefox scaremongering isn’t just driving people into the arms of Verisign, it’s also driving webmasters away from using encryption, even where web forms might be involved. Too bad - encryption is a good thing.
That’s exactly right. Encryption is a good thing. But Verisign, McAfee, Network Solutions and others hold website security ransom from the rest of us. Remember, their certificates are no more secure than those made yourself, the issue is pure marketing, as Firefox and Internet Explorer and other browsers have been paid by the major corps to trust their certificate authorities. And don’t forget, these companies have been authenticating spammers’ and phishers’ certificates for a long time.
By these tactics, if a company cannot afford to pay the high fees for secure certificates from a major CA, it is in their best interest to NOT secure their sites at all, so that customers aren’t alarmed by the warnings that will appear when using a self-signed certificate.
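An added example (not part of the original post) that reproduces with the `openssl` command line what the browser warning is about: a self-signed certificate fails verification only because nobody on the client side has been told to trust its issuer, and a second self-signed certificate carrying the same name is just as easy to produce. The name `example.test` and the labels `site` and `other` are constructed for the demo.

```shell
#!/bin/sh
# Added example. example.test and the labels "site"/"other" are constructed.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# make_self_signed LABEL CN: new RSA key plus a certificate signed by that same key.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$2" -keyout "$workdir/$1.key" -out "$workdir/$1.crt" 2>/dev/null
}

# Verify against the default CA store only (the out-of-the-box browser position).
verify_default() {
    openssl verify "$workdir/$1.crt" >/dev/null 2>&1
}

# verify_with_anchor CERT ANCHOR: verify CERT while explicitly trusting ANCHOR.
verify_with_anchor() {
    openssl verify -CAfile "$workdir/$2.crt" "$workdir/$1.crt" >/dev/null 2>&1
}

# SHA-256 fingerprint, the value a user would compare out of band.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$workdir/$1.crt"
}

# report DESCRIPTION COMMAND...: print whether the verification command succeeded.
report() {
    desc=$1; shift
    if "$@"; then echo "$desc: trusted"; else echo "$desc: NOT trusted"; fi
}

make_self_signed site example.test
make_self_signed other example.test   # same name, different key holder

report "site, default CA store" verify_default site
report "site, after importing site.crt as a trust anchor" verify_with_anchor site site
report "other, with only site.crt trusted" verify_with_anchor other site
fingerprint site
fingerprint other
```

Both certificates use the same key size and hash, so the encryption they enable is equivalent; the only thing that tells them apart is which one the verifier was told to trust.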









I don’t know about the whole encryption issue, but you might want to dump Adobe Reader and get Foxit PDF Reader. I am not seeing the “memory leak” issues, and I think I have traced it somewhat to that and to Flash (which is why I use Flashblock).
Thing is, I don’t want to have to augment my browser to make it more usable. Right now I’ve got no flash tabs or PDF tabs, and am running at 233mb (which admittedly, isn’t too bad in this case)… but still. I don’t think the issue is fully resolved, and I’d rather complain about it to hopefully get more attention from Mozilla…
“Remember, their certificates are no more secure than those made yourself, the issue is pure marketing…”
This is simply incorrect. Certificates do not just offer encryption over the connection, they also offer identity verification. The whole point of a CA (Certificate Authority) is that you can trust it to verify the identity of the owner of any issued certificates (though this system is not perfect either). Self signed certificates do offer encryption of the data, but what is the point of encrypting the data if you don’t know who you are sending it to?
Because at least only the person you’re sending it to can see it. Granted, with self-signed certificates you’re not provided a guarantee of the signer, but even if you’ve fallen prey to an attack and you’re sending your precious details to a malicious individual, the fact remains that only the malicious individual can see your information. Clearly that’s a problem, so identification is important, but if Verisign and the other CAs ever make mistakes, which they clearly do, then we’re lulled into a false sense of security.
The point I’m making is, the internet would be far more secure if everyone used certificates, self signed or CA signed. If there were open CAs (there are a couple now) that were free or reasonably priced, then we can do away with the monopoly held by the big CAs, who aren’t doing a better job than anyone else.
It seems to me that if Firefox and IE really cared about security, they should throw an ugly warning on EVERY page that isn’t HTTPS. Because there you’re truly unprotected.
I can’t agree with some replies.
If you want to send some sensitive data to example.com, you want to be sure you’re sending the data ONLY to example.com.
If you’re not using a CA, you might be sending data to hacker_a.com, which is forwarding all data to example.com (so called “man in the middle attack”) and you won’t see any difference.
CA only makes sure you’re really sending the data directly and only to example.com.
And it’s up to you to choose which sensitive data example.com should have possession of (that is usually the main concern in real life).