CIO
Firefox SSL-certificate debate gets gnarly
New security feature in Firefox 3.0 has critics crying foul
John Fontana (Network World)  22 August, 2008 08:23:00
Tags: ssl
Page:

Debate is reaching a fever pitch over a new security feature in Firefox 3.0 that throws out a warning page to users when a Web site's SSL certificate is expired or has not been issued by a trusted third party.

Critics say that Firefox 3.0 is putting undue fear and confusion into everyday Web surfers, makes it difficult to set exceptions for certain Web sites, and is forcing Web site operators to do business with specific vendors of SSL certificates or risk the appearance that their Web sites are broken.

Browsers require SSL certificates to initiate encrypted communications and to validate the authenticity of a site. The Mozilla.com Web site, where Firefox 3.0 can be freely downloaded, defends the new feature, saying SSL certificates not issued by a validated certificate authority -- so-called self-signed certificates (SSC) -- don't provide even basic validation; and expired certificates should not be viewed as "harmless" because they open avenues for hackers.

Mozilla officials say the new feature helps curb electronic eavesdropping or so-called "man in the middle" attacks.

The certificate issue is cropping up on such major sites as the U.S. Army's, which uses certificates issued by the Department of Defense. In the Army's case, Firefox does not recognize the DOD as an authorized certificate provider. Firefox, therefore, rejects the Army site's certificate and defaults to a Web page showing a traffic-cop icon and proclaiming "secure connection failed" and that the site's certificate can not be trusted.

The problem also has surfaced with expired SSL certificates on such sites as Google Checkout and LinkedIn. The issue also could crop up on intranet sites that use SSCs and force IT administrators to configure exceptions within the browser or other workarounds.

Some are saying that Firefox 3.0 is out of line.

The Pingdom.com blog this week took Mozilla to task, saying the issue could affect tens of thousands of sites. "People most in need of a clear and explicit warning regarding SSL certificates are inexperienced users, and those are not very likely to understand the error message that Firefox 3 is displaying. A large portion will simply be scared away, thinking that the Web site is broken," according to the blog.

Developer Nat Tuck called the Firefox feature bad for the Web in a blog post he wrote July 31: "Mozilla Firefox 3 limits usable encrypted (SSL) Web sites to those who are willing to pay money to one of their approved digital-certificate vendors. This policy is bad for the Web."

Tuck concedes that the SSCs provide no value for authenticating a Web site, but he says Firefox is ignoring the encryption capabilities of SSL certificates, which thwart snooping on Web traffic.He even goes so far as to suggest perhaps open source advocates should create a derivative of the open source Firefox code that includes full SSL functions.

Page:

Comments

Post new comment

Login or register to link comments to your user profile, or you may also post a comment without being logged in.
The content of this field is kept private and will not be shown publicly.
Enter the fully qualified URL, eg. http://www.example.com/
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options

Add to Google
Related Topics
Additional Resources
Executive Guides
Whitepapers
white paper Read up on the latest ideas and technologies from companies that sell hardware, software and services.
Zones
Zone logoZones provide focussed content from CIO and leading technology partners.
Newsletter Subscription
Sign up for our CIO newsletters!
RSS Feeds
Syndicate content Syndicate content

HP Data Center Transformation solutions offer practical ways to overcome the energy and capacity limitations, operational vulnerabilities and technology constraints that can plague your data center. Choosing from a portfolio of solutions matched to your business needs, we can help you transform your data center into a business-driven, process-smart and future-ready asset.

Latest on Data Centre

  • +

    Inside Internode's data centre 05 June, 2009 14:39:00

    Computerworld gets an exclusive behind the scenes look inside Internode's Adelaide data centre with network guru Mark Newton
    Computerworld gets an exclusive behind the scenes look inside Internode's Adelaide data centre with network guru Mark Newton
  • +

    HP uses outside air, big fans, 12-foot raised floor to cool servers 03 June, 2009 07:44:00

    It's also cutting data center power use by painting server racks white
    Just off the North Sea coast in the United Kingdom, Hewlett-Packard Co.'s EDS unit has built a data center that largely relies on cold sea air to keep servers chilled and -- by doing so -- cut the center's cooling power needs in half.
  • +

    HP targets the cloud with new hardware 12 June, 2009 08:27:00

    HP offers complete cloud computing package for businesses
    HP has designed a new portfolio of hardware, software, and services, aimed at reducing costs and saving resource, particularly for businesses involved in Web 2.0, cloud and high-performance computing.
  • +

    Defence to spend $700m on ICT reform 05 June, 2009 11:13:00

    Strategic Reform Program report reveals only half of defence IT budget visible to CIO
    Less than half of the annual $1.2 billion spent by Defence on its ICT is visible to its chief information officer, Greg Farr, a new report has revealed.
  • +

    Inside Telstra's Virtualisation Strategy 11 May, 2009 14:12:00

    Need to cut infrastructure costs driving the strategy
    Telstra is increasingly turning to virtualisation as its core strategy to both manage the rising costs of, and growth in, its data centres, according the company’s CIO, John McInerney.
  • +

    Defence to Initiate ICT Reform Program, Expand CIO Role 05 May, 2009 11:56:00

    ERP rollout, data centre consolidation, single architecture all on the cards, according to the Department of Defence’s strategic policy white paper
    The Defence department has signaled a raft of changes to its approach to information technology under a new ICT reform program.

Free Resource Library

Data Centre Assessments

The First step to Optimising

Speeding business innovation

Removing barriers to growth, increasing agility and driving out costs

Assessments: Ammunition for Facts-Based Decision Making
by Richard L. Sawyer, Senior Principal, HP Critical Facilities Services
Download Podcast Download Transcript
 

CIO Summit The New World Order Opportunities and Challenges for CIOs

23rd July 2009
The Westin Sydney


A content-rich networking event where CIOs and senior executives collaborate on business and technology issues ranging from the impact of the economic downturn to the most pressing trends affecting IT in the enterprise.

Register Now

  • +

    New scam email uses Australian Federal Police to gain victims' trust 03 July, 2009 10:49:00

    Fake offers of free AFP monitoring service to stop "cybernetic attacks"
    Cyber criminals have changed tack in their ongoing scam campaign against banks, moving to the use of government agencies to gain the trust of unsuspecting email recipients.
  • +

    AFP hits $6 million identity fraud syndicate 03 July, 2009 08:25:00

    $500,000 of goods per week purchased with fake credit cards
    The Australian Federal Police (AFP) claims to have struck a major blow to a multi-million identity fraud syndicate.
  • +

    5 steps to secure a new PC 30 June, 2009 00:19:00

    Just unwrapped a brand-new PC? Security pros share their secrets for making your system Internet-safe.
    A common misconception is that a shiny new computer is more or less secure because it hasn't yet been exposed to the Internet's sinister underbelly. But the truth is, these machines come out of the box needing scores of patches, some basic security software downloads and the disabling or replacing of items security pros don't typically trust.
  • +

    Facebook simplifies privacy settings, calls them too complex 02 July, 2009 05:48:00

    The social-networking site is also getting ready to let members share content with anyone on the Internet
    Facebook will simplify the way in which it offers privacy options to its users, as it gets ready to give its members for the first time the option to make the content they post on their profiles available to anyone on the Internet.
  • +

    DR a growing concern for A/NZ CIOs: Symantec 02 July, 2009 09:16:00

    Mission critical apps and cost of down-time major drivers
    CIOs in Australia and New Zealand are increasingly getting involved in the disaster recovery planning of their organisations, according to a new survey from Symantec.
Most Popular
Media Releases
Most Popular Whitepapers
Upcoming Industry Events
  • No upcoming events available
more
Whitepaper


Read Whitepaper

State of Internet Security

Spyware, viruses and other malware transported via Web sites represent the most serious data threat to companies today. Read on find out how you can appropriately leverage technology and appropriate business technologies to protect your business.


CIO Industry Insight Podcast #4: Kerry Stratton, Managing Director of Healthcare, InterSystems
Listen to the latest edition of CIO Live which is now available for download.
Listen to the podcast
Sign up to the CIO Live email
Videos
Get a job Careerone