May 26, 2008

Firefox 3 and the new "make a security exception" (+ 1 bug)

Firefox 3 has reworked the ability to manage your certificates. After some thought back at Mozo central, they've introduced a clearer method for dealing with those sites that you know are good. That is, for the people who are new to this: there are those sites that you know are good, and there are those sites where others tell you they are good. People have spent decades deciding which of these spaces owns the term "trust", so I won't bore you with that sad and sorry tale today.

Meanwhile, I've worked my way through the process and added the FC blog as an Exception. The process is OK: the language is better than before, as it now says that the site is not trusted. Before it said "*you* don't trust this site!" which was so blatantly wrong as to be rude to me and confusing to everyone else. Now it just fudges the issue by saying the site is untrusted, but not indicating by whom. Most people will realise this is a meaningless statement, as trust comes from a person; it isn't something that you can get from an advert.

There are multiple clicks, possibly intended to indicate that you should really know what you are doing. I don't think that helps much. What would help more is a colour. So far, it is white, indicating that ... well, nothing. So there is confusion between sites you trust and sites that have nothing at all: both are cast into the same nothing bucket.

However, this will all come in time. There is no doubt that KCM or Key Continuity Management (remember the certificate you accepted, and only complain when it changes, as SSH does) is the way to go, because users need to work with their sites, and when their communities install and use certs, that's it. KCM is needed to let the rest of the world outside Main Street, USA use the thing called SSL and secure browsing. So it will come in time, as the people at Firefox work out how to share the code between the two models.

One thing however: I did this around a week ago, carefully following the exception process. Now, just a moment before I started this post, Firefox suddenly lost its memory! As I was saving another blog post it decided to blow away the https site. Suddenly, we were back to the untrusted regime, and I had to do the whole "I trust, I know I trust, I trust I know, I know I trust more than any blah blah trust blah!" thing, all over again. And then there was no post left ... luckily it was a minor change and the original was saved.

This could be an MITM. Oh, that I would be so important... oh, that someone would want to sneak into my editorial control over the influential Financial Cryptography blog and change the world-view of the thousands of faithful readers... well, fantasies aside, this isn't likely to be an MITM.

It could be a sysadmin change, but the cert looks the same, although there is little info there to check (OK, that is the fault of the servers: the only way to tell is to go to the server, and it doesn't give you any info worth talking about. SSH servers have the same problem.) And the sysadmin would have told me.

So Occam's razor suggests this is a bug in Firefox. Well, we'll see. I cannot complain too loudly about that, as this is RC1. Release Candidates might have bugs. This is a big change to the way Firefox works, bugs are expected. One just bit me. As someone once said, the pioneers are the ones with the arrows in the back.
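To make the KCM idea above concrete, and to show what "Firefox lost its memory" looks like from the inside, here is an added example of a key-continuity store. It is not Firefox's code and not the blog's; the `ContinuityStore` class, the JSON "exceptions file" and the two certificate byte strings (constructed stand-ins for DER-encoded certs, not real certificates) are all assumptions of this example. The one stable thing a user can compare by hand is the fingerprint, so that is what gets remembered; the three verdicts (first seen, continuous, changed) are the three situations the post describes, and the last scenario shows the store refusing to load a trashed file rather than quietly treating every site as new again.

```python
"""Key Continuity Management (trust-on-first-use) store: an added example for this
post, not Firefox's or the blog's code. Certificates are constructed byte strings
standing in for DER; the on-disk format is a hypothetical JSON file."""
import hashlib
import json
import os
import tempfile
from enum import Enum

# Constructed stand-ins for DER-encoded certificates (not real certs). All that
# matters for continuity is whether the bytes are the same as last time.
FC_CERT_V1 = b"constructed-der: CN=financialcryptography.com, key=A"
FC_CERT_V2 = b"constructed-der: CN=financialcryptography.com, key=B"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, colon-separated the way cert viewers show it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class Verdict(Enum):
    FIRST_SEEN = "first visit: no opinion yet, ask once and remember"
    CONTINUOUS = "same key as every previous visit: proceed silently"
    CHANGED = "key differs from the remembered one: rekey or MITM, stop and ask"


class ContinuityStore:
    """Persistent host -> fingerprint map, i.e. the browser's 'exceptions file'."""

    def __init__(self, path: str):
        self.path = path
        self.known = self._load()

    def _load(self) -> dict:
        if not os.path.exists(self.path):
            return {}
        with open(self.path, "r", encoding="utf-8") as f:
            try:
                return json.load(f)
            except ValueError as exc:
                # A corrupt store must not silently become an empty one: to the user
                # that is indistinguishable from "every site is untrusted again".
                raise RuntimeError(f"continuity store {self.path} is corrupt") from exc

    def _save(self) -> None:
        tmp = self.path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as f:
            json.dump(self.known, f, indent=1)
        os.replace(tmp, self.path)  # atomic rename: a crash mid-write keeps the old file

    def check(self, host: str, der_cert: bytes) -> Verdict:
        fp = fingerprint(der_cert)
        remembered = self.known.get(host)
        if remembered is None:
            return Verdict.FIRST_SEEN
        return Verdict.CONTINUOUS if remembered == fp else Verdict.CHANGED

    def remember(self, host: str, der_cert: bytes) -> None:
        """Call only after the user accepted the FIRST_SEEN or CHANGED prompt."""
        self.known[host] = fingerprint(der_cert)
        self._save()


def run_scenarios() -> dict:
    """Walk the cases from the post: first visit, a week later, a rekey, a trashed file."""
    host = "financialcryptography.com"
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "exceptions.json")

        store = ContinuityStore(path)
        results["first_visit"] = store.check(host, FC_CERT_V1)
        store.remember(host, FC_CERT_V1)

        # A fresh browser process a week later reads the file back: no prompt.
        store = ContinuityStore(path)
        results["week_later"] = store.check(host, FC_CERT_V1)

        # The server presents a different key: the prompt returns, for a reason.
        results["rekeyed"] = store.check(host, FC_CERT_V2)

        # The exceptions file gets trashed: refuse to load rather than forget everything.
        with open(path, "w", encoding="utf-8") as f:
            f.write("{ not json")
        try:
            ContinuityStore(path)
            results["corrupt_store"] = "loaded silently"
        except RuntimeError:
            results["corrupt_store"] = "refused to load"
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:14s} -> {outcome.value if isinstance(outcome, Verdict) else outcome}")
```

The `CHANGED` verdict is deliberately not resolved by the code: whether it is a sysadmin rekey or a man in the middle is exactly the question the user, not the browser, has to answer, and the only help the software can give is to say that something changed and show both fingerprints. A real implementation would also record when each fingerprint was first seen, so that a "changed" prompt a day after a "first seen" prompt reads differently from one a year later.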

Posted by iang at May 26, 2008 07:21 AM

Hey Ian,

We're getting someone else reporting something similar, but it's hard to reliably reproduce it in order to track it down. If you can add anything to the conversation, the bug's here:

I, for instance, have had FC's cert trusted for some time without it disappearing on me.

I sort of suspect that a particular breed of bad cert is busting our exception adding code, and causing us to trash the exceptions file. It would be especially helpful to know whether the kaboom happened shortly after adding a particular cert, or after nothing in particular.

Posted by: Johnathan Nightingale at June 3, 2008 05:09 PM

My feed reader refuses to use your feed because of the certificate. It would be awesome if you could provide an alternate (non-HTTPS?) URL for the feed.

By the way, I ran into the same problem with Firefox when posting this comment.

Posted by: Brian Smith at June 4, 2008 08:46 AM

> My feed reader refuses to use your feed because of
> the certificate. It would be awesome if you could
> provide an alternate (non-HTTPS?) URL for the feed.

I think in theory the HTTP URLs should always work just as well as the HTTPS URLs. Have you tried that?

The problem is of course that various software switches dynamically from one to the other without reference. And, it is somewhat of a security failure to permit that ...

> By the way, I ran into the same problem with Firefox
> when posting this comment.

Um, you mean, while posting the comments, it switched across to HTTPS so that your Firefox started grumbling over the cert? Yes, there is a preference in some of the HTML to send future clicks across to the HTTPS. See above.

What to do? The only comprehensive answers that always work are to (a) abandon HTTPS completely or to (b) pay the browser tax and buy the Verisign thing.

Given the amount of "security" the browser tax purchases, (a) is the only economically sane choice. Which damns HTTPS for security work....

Posted by: Iang at June 5, 2008 01:41 PM