michaelkirkland.org/blog


Slashdot on Firefox's SSL mess

Slashdot has picked up on Firefox 3's terrible certificate management system, pointing to this article. While I'm rather critical of Mozilla's handling of this, they're in the right in this case.

The article in question points out several sites with expired certificates getting terrible error messages. This is the right thing to do, those sites should trip a giant "OMGWTF" flag in browsers. They're broken, and the lax treatment they've gotten from browsers in the past has not prompted their admins to fix them.

The problem isn't with legitimate security issues like lapsed certificates, it's the fact that Firefox has effectively banned self-signed certificates for technical illiterates. There are many use cases where commercially available Certificate Authorities are not practical or even outright impossible.

Hardware firewalls, for example, cannot use CA signed certificates. For one, their final sale price is often at or below that of a CA signed certificate for a single year, and for another they won't have a permanent, externally accessible DNS name to certify. It's fine to say that users of commercial grade equipment should be able to add exceptions, but your average Mom & Pop with a $50 Linksys firewall probably won't manage.

This change won't result in better security. It can only result in either people deciding Firefox doesn't work, or that configuring their routers is just too hard. Hundreds of thousands of identical systems running with default passwords open to the wider internet will not make the world a better place.

0 Comments >> Bookmark and Share