For some reason the Firefox developers seem to have taken protecting end users to a rather inane level, as the errors displayed for self-signed certificates are extremely confusing.
See below for an example:
Of course if the site you are connecting to is a public ecommerce site then maybe you should consider your options very carefully, but when it’s something like a hosting control panel for Virtuozzo you need to be able to access it.
If you look at the bottom of the screen you’ll see a little link: “Or you can add an exception”.
If you click on that and then follow the steps you will be able to access the site / control panel without any issues.
With older versions of Firefox this wasn’t as much of an issue, as the warning message was a nice big popup.
The new version of Firefox handles this situation very badly.
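Before adding the exception described above, it helps to confirm that the certificate being presented is the one actually installed on the server. The following is an added example, not part of the original post: it computes the SHA-256 fingerprint of the certificate a host presents and compares it with a fingerprint obtained out of band (for example, read from the server itself by its administrator). The function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import re
import ssl
import sys

# Constructed sample: placeholder bytes standing in for a DER certificate.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed placeholder, not a real certificate")

_HEX64 = re.compile(r"[0-9a-f]{64}")


def fingerprint_sha256(pem: str) -> str:
    """SHA-256 over the DER encoding, as colon-separated upper-case hex."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp: str) -> str:
    """Drop separators and case so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    return re.sub(r"[\s:\-]", "", fp).lower()


def matches(expected: str, presented: str) -> bool:
    """True only if both values are full 64-digit fingerprints and are equal."""
    a, b = normalise(expected), normalise(presented)
    # Reject truncated or malformed values instead of comparing a prefix.
    if not (_HEX64.fullmatch(a) and _HEX64.fullmatch(b)):
        return False
    return hmac.compare_digest(a, b)


def fetch_pem(host: str, port: int = 443) -> str:
    """Return whatever certificate the server presents, without validating it."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    # Usage: python check_fp.py HOST PORT EXPECTED_FINGERPRINT
    host, port, expected = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    presented = fingerprint_sha256(fetch_pem(host, port))
    print(presented)
    sys.exit(0 if matches(expected, presented) else 1)
```

The same fingerprint can be compared by eye against the one shown in the browser's certificate viewer before the exception is confirmed.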
7 Comments
I gotta say I disagree here. Most people get taught that if the little padlock is locked then the site is secure and you put in CC details etc.
BUT a lot of places still use self-signed/poorly for all this stuff and it’s therefore easy, esp with DNS and BGP issues around to spoof the page and get interesting info.
IMHO someone needs to fess up to this and start the debate on this, I say good good for Mozilla on this.
I have to disagree.
The way that Firefox 2 warned users was clear and didn’t mislead them while also offering them the option to “trust” the cert if they chose. The new setting throws an error page that is not clear and will confuse end users.
Full disclosure: I work for Mozilla but not in the area in question.
Johnathan Nightingale, from Mozilla Corporation, writes about the reasons why Mozilla made this change in Firefox.
http://blog.johnath.com/2008/08/05/ssl-question-corner/
Frank Hecker, from the Mozilla Foundation, also writes about this topic, focusing more on the fact that certificates can be had for free (which some people don’t know.)
http://blog.hecker.org/2008/08/20/mozilla-and-certification-authorities/
Gen
Thanks for your comment.
The problem I have is not with the concept of an error, but the way that the error is displayed.
As it is not a popup, which users are probably used to, a lot of users won’t even read the error message, as they’ll just see that the site / page they were trying to access is not loading.
The popup error message was more likely to have been read, as you had to do something with the popup to continue browsing. The argument that the user could dismiss the error is weak – surely the user has a right to dismiss an error after all?
Michele
Confusing I say …. !!!
I think Firefox could have come up with a better system ….. saying that the site has an invalid security certificate just because it is self-signed is inaccurate and bound to create more problems down the line
A poster mentioned that people were taught that “if the little padlock was there then it was safe to enter cc details etc”. …. this was always in error … myself I always taught my customers to open the padlock and examine the cert if there was any doubt ….. yes it’s an issue that needs to be dealt with but this is the wrong end of the chainsaw !!
Byron
Not all new “features” are really improvements 🙂
Michele
Inane? More like insane from my point of view. I use (on a daily basis probably 20 times or so a day) localhost / test network / training websites that all use self-signed certificates. Now that I know I can’t use these websites with Firefox I shall treat it with the same respect they have done their users. In other words: Hey Mozilla – welcome to uninstallville population; you.