Can we disable Firefox’s stupid self-signed encryption dialog?

A lot has been written about how Firefox’s stupid dialog is a big step backwards for the web.

But is there a way to disable it? Ideally I’d like it to work like ssh – give me a simple single-click warning and display the certificate the first time, and after that don’t say anything at all unless the certificate changes unexpectedly.

Update

This paper on phishing [PDF] is excellent.
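The ssh-style behaviour asked for above (show the certificate once, then stay silent unless it changes) is trust-on-first-use pinning. The following is an added example, not code from this post, Firefox or ssh; `PinStore`, the JSON pin file and the host `router.example` are assumptions made for illustration.

```python
import hashlib
import json
import ssl
from pathlib import Path


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """known_hosts-style store (hypothetical): one pinned fingerprint per host:port."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def check(self, host: str, port: int, der: bytes) -> str:
        """Return 'first-use', 'match' or 'changed'. Never updates the store."""
        pinned = self.pins.get(f"{host}:{port}")
        if pinned is None:
            return "first-use"          # show the certificate, ask once
        return "match" if pinned == fingerprint(der) else "changed"

    def accept(self, host: str, port: int, der: bytes) -> None:
        """Record the user's explicit decision to trust this certificate."""
        self.pins[f"{host}:{port}"] = fingerprint(der)
        self.path.write_text(json.dumps(self.pins, indent=2))


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate without CA validation (needs network)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def demo(path) -> list:
    # Constructed byte strings stand in for two different DER certificates.
    old_cert, new_cert = b"constructed-cert-A", b"constructed-cert-B"
    store = PinStore(path)
    results = [store.check("router.example", 443, old_cert)]   # first visit
    store.accept("router.example", 443, old_cert)              # the single click
    # Reload from disk: same certificate is silent, a new one is flagged.
    results.append(PinStore(path).check("router.example", 443, old_cert))
    results.append(PinStore(path).check("router.example", 443, new_cert))
    return results
```

A `changed` result is the case that deserves the loud warning; `check` deliberately never overwrites a pin, so replacing one always takes a separate `accept` call.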


11 responses to “Can we disable Firefox’s stupid self-signed encryption dialog?”

  1. Couldn’t agree more, drives me nuts.

    This addon makes it a bit simpler, i.e. reduced to two clicks

    https://addons.mozilla.org/en-US/firefox/addon/6843

    but still, vvv annoying.

  2. rich

    Luke, I didn’t want to go into detail about why it’s dumb, but it is definitely interesting to compare and contrast how ssh gets this right while Firefox gets it so very wrong.

    Plus – I don’t trust the likes of Verisign anyway. It’s highly likely that the NSA got access to the private keys when they were created, either via some secret “anti-terror” law, or via an inside job. The NSA could well be signing their own certificates in order to conduct MitM attacks against selected targets.

  3. DDD

    I think that it is important to remember that this UI is *not* designed for you. As a developer, you understand why the certificate is incorrect, and presumably, you understand PKICS and could choose to trust GNU.org’s root certificate (www.cacert.org).

    The real solution would be for Gnu.org to buy commercial certificates from Verisign or whoever, but I suspect that they have ideological reasons for going with cacert.org

    For “normal people”, I think that the level of warning is correct. Basically, don’t use this website…

    • rich

      OK, if that’s the case why don’t we have > 4 clicks for plain http sites? These are subject to eavesdropping and MitM attacks, and are completely unauthenticated. So therefore far more dangerous for mere users to see.

      • DDD

        Hmm… true, but this also asks the question: why does GNU use https:// to protect their bug database? Why do they choose not to use a “real” commercial certificate (or to be closer to home, why has Fedora chosen not to install cacert.org’s certificate by default)?

        Outside expert communities, the most you’ll manage to get through to people is: “When entering passwords and private data, check for “https://” and the padlock icon so that you know that you are secure”.

        That Firefox has a fit when it finds something is wrong with SSL is a good thing really. The alternative is the usual security dialog “Warning: you are about to screw up your security. Press the green tick button to display an error message, press the red exclamation button to make the computer work properly.”

        Ah well, maybe if we ever manage to get DNSSEC implemented, there’ll be a better place to get public keys from and all this stuff will go away… IIRC the DNS system is 0wn3d by a major SSL certificate company anyway.

        DDD

    • Just curious. Should “normal people” avoid Red Hat’s website, if they happen to type: https://redhat.com ?

    • I agree that the screen has some purpose for mere mortals. But there should be a (well hidden, difficult to reach) option or plugin that circumvents it for the people who know what they are doing. And why not just add a blinking red block to the address bar, just like the green-is-safe one?

      Certificates are about trust. Mozilla should understand and provide for people who do not want to trust some predefined root authorities.

      But it is %^$#*& annoying to work with self-signed certs. Apart from stuff like TamperData and Adblock, I would switch to Safari or Chrome.

      At least give an option.

  4. I hate this dialog. There are few things I wish should die in a fire, but this is one of them.

    It is NOT that it makes it very scary looking (this is good), it is that it is four clicks in a very bizarre fashion that I’ve memorized to the point of it really not being any more effective than just the big scary dialog.

    There should be at least an option. There’s a growing trend in all things Linux to /remove/ useful options and make things (especially GNOME) less configurable. I believe this trend sucks.

  5. Hub

    The worst part is when you connect to Linksys routers (and possibly others) over HTTPS. You are screwed totally. Reboot the router, you have to restart Firefox if you didn’t store the certificate permanently, and if you did store it you have to locate it (a needle in a haystack) to remove it and try again, because the router created a new self-signed certificate.

    There is a bug for that.

    • rich

      I heard this too, which to be fair is (as you say) a bug in Linksys routers.

      If the self-signed certificate changes then I really want Firefox to tell me about that, although not necessarily make it hard to change it. ssh yet again gets this right with this famous message:

      @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
      @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
      @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
      IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
      
  6. foo

    ssh only gets it right with the addition of monkeysphere to the mix:

    http://web.monkeysphere.info/
