March 2008
Firefox 3 – security madness

Dear firefox developers. Could you _please_ rethink the current braindead approach to security? Security is important, but the current design is diabolical. I realise that this sometimes changes (the windows version seemed better last time I used it). The rant below applies to the latest version on Ubuntu Hardy. For example, I clicked on a link from slashdot earlier today and was presented with this popup:

uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is not trusted.
(Error code: sec_error_untrusted_issuer) [OK]

Firstly the explanation, whilst not bad, is still mumbo jumbo to 99% of web users. However the _main_ problem and the point of this rant is the “OK” button. Currently I have to:
1. take a note of the site name
2. edit -> preferences
3. privacy tab (nope), security (nope), ah, _advanced_ tab
4. hunt around a bit more, oh “encryption” sub-tab
5. verification tab?, ah, no, “view certificates” tab (we aren’t viewing them, we are adding an exception)
6. server tab
7. click add exception
8. type in the address of the website
9. click “get certificate”
10. untick “permanently store” if desired
11. confirm security exception
12. close all those windows
13. reclick link

No, it’s not “OK” – it’s dreadful. With this I think firefox will lose many, many users fairly rapidly.

What I want firefox to do is to make clear what the security problem is and give me the choice of whether I:
* trust firefox and proceed no further (e.g. banking)
* tell firefox to add an exception (e.g. for a site I know, or the 50% of sites with self-signed certificates)
* tell firefox to ignore it ATM (e.g. for most other sites where I’m not really fussed – probably also self-signed certificates)

I think the best way to implement this might be in two steps. Firstly, ask me what I want to do – I suggest something like “Do you wish to ignore this warning and continue (not advised)?”:
* No (default)
* Yes

Then to make this _permanent_ either use one of those drop-down prompts (like the “remember password” one) or perhaps allow people to click on the padlock icon and add a permanent exception if they so wish.


Comment from Stephen O’Neill
Time: Wednesday 26 March, 2008, 08:22

Which beta is this – Windows Beta 4 has a link saying “Or you can add an exception…” which then has two buttons “Get me out of here” and “Add an exception”. Clicking the latter takes you to “step 8” in your stuff above.

I’m surprised that Hardy is including FF3 – will FF3 be out of beta by then or are the Ubuntu guys going to be doing lots of custom work on stability?

Comment from adrian
Time: Wednesday 26 March, 2008, 20:20

It was a pretty recent one – after griping about it before (several months ago) I noticed that the windows one had been substantially improved – you could click the “add an exception” button as you say which takes 80% of the pain away (though you still have to click “get certificate” and then add the exception IIRC). I’m very much a DWIM (do what I mean) person – personally I want _very_ few “are you sure?” checks.

Just really annoyed it’s still so dreadful on Hardy :-(

I think FF3 is supposed to be released RSN. To be honest it’s been pretty robust, a few problems with websites, but no crashes for ages. It’s not all doom and gloom – it’s certainly faster.

Comment from Rob Cain
Time: Friday 18 April, 2008, 01:16

Mac beta 5 has the “add exception”… but honestly, it was bad enough when FF2 popped up with that security warning. I don’t think that’s necessary; I think a warning at the top of the window should be sufficient (“The web site you are viewing has a faulty certificate(!), click for details, add exception, ignore”). Anyone not smart enough to check the thing at the top of the window deserves to have their money lost.

Nothing is fool-proof to the sufficiently talented fool; therefore, make the product better for smart people and let the morons continue bottom-feeding because they can’t handle technology.

Comment from Rohit Thomas
Time: Thursday 29 May, 2008, 11:19

Fully agree with the author of this post, security enhancements are cool and much needed but need to be intuitive too at the same time. End users like me, e.g. after installing FF3, need to be able to go to the company’s internal website – no matter what – and if the IT department does not use the latest secure technologies – it’s for the company’s IT department to check and upgrade – not the end user’s prerogative… Please FF developers – make the necessary changes or else FF3 will lose to competition.

Comment from Maxine
Time: Thursday 29 May, 2008, 21:50

More support from me too. “Get me out of here” and “Add an exception” buttons would probably be a good solution, but they’ve not made it into rc1… This really does need resolving as it’s really not acceptable at the moment.

Comment from Herman
Time: Monday 23 June, 2008, 12:17

I personally think this is pathetic, things should be made more user friendly, security is good but eventually it will be such a pain doing anything with the way they are doing things. I think IE and Opera are doing it the correct way by giving you options on the page. I just battled to get my own sites allowed. My servers are managed with Webmin using self signed certificates. The first time I tried to add the certificate firefox told me it was an invalid certificate because the reply string was too long, luckily worked the second time but what a pain.

Comment from adrian
Time: Thursday 26 June, 2008, 19:07

Thanks to we can have a bit more control over this, but WTF aren’t they the defaults?

in about:config set:
browser.ssl_override_behavior = 2
This will fetch the cert (rather than asking to click to download it which is stupid – if you want it it means two clicks, if you don’t then cancel – besides, surely it’s downloaded the certificate already since it says it is insecure!)

browser.xul.error_pages.expert_bad_cert = true
display alert rather than staying on the previous page

Comment from katmai
Time: Sunday 29 June, 2008, 15:03

i am having the same issue with my ff3. i have all the links bookmarked for the company intranet, but for me the confirm sec exception does not work at ALL !!! this is plain stupid.

Comment from Stephen Williams
Time: Tuesday 29 July, 2008, 13:39

Thank-you for the guidance and the humour.

Comment from Petrus
Time: Wednesday 30 July, 2008, 03:58

We ran FF3 in various betas, RC1 and now we are on 3.0.1 – and the problem is still there and as nasty as ever. Really, truly, this needs to be fixed, and ought not to be too hard to fix.

Comment from George
Time: Thursday 28 August, 2008, 21:16

Well FF3 still hasn’t fixed this, but got where I needed w/IE8beta2 – in which someone must have read and has incorporated almost verbatim your suggestions for how to solve the problem.
Then Google Search (Firefox + “invalid security certificate”) found your step-by-step. Solved problem for FF. Thanks.
And who was the “unknown issuer” that FF didn’t like?
The DoD (Department of Defense)
Anyway, thanks for help. Leave your “rant” up as long as you can, to help the next poor lost soul.

Comment from adrian
Time: Thursday 28 August, 2008, 21:40

Oh well, shame that Mozilla seem to have developed such a superiority complex over their users :(

Like the latest stupidity:

To think I was annoyed when they started putting in delays before you could open a download because of “security” concerns…

Comment from rusty
Time: Sunday 31 August, 2008, 01:16

Helped me, I’ve been looking around FF3 for how to add an exception for a while now.

Comment from Scotch
Time: Tuesday 2 September, 2008, 08:19

Thanks – followed your instructions and sorted the problem out. I was trying to access my domain’s cPanel but kept getting the “not trusted” message. The hosting provider’s knowledgebase says:

“To get rid of this error message, on the bottom of the screen you should see a button that says, “Add Exception…”. Click that and another box should pop up. On that box, you should see the words “Add Security Exception”.

Click on the “Get Certificate” button and then make sure the check mark box for “Permanently store this exception” is checked. On the bottom of the popup window click on Confirm Security Exception. Now it will ask you to confirm. A new box pops up telling you the information must be resent to try to login again – click the “Resend” button and you are done.”

Only problem there’s no button saying “Add Exception…” – I’m using FF 3.0.1. So don’t know how or what you do to get this button showing. Would still mean jumping some hoops, but fewer than the 13 steps above.

Comment from Russell
Time: Friday 5 September, 2008, 00:57

Thanks for this, even though I’m sure it’s not meant to be a “how to”, it acted as one for me. Thanks.

Comment from patrickdrd
Time: Monday 20 October, 2008, 07:37

actually after googling a lot,
found that the bank I work for,
puts her name on every certificate issuer!!!

i.e. when I enter ANY site,
I get the error “issuer certificate is not trusted”
and it’s logical,
since it shows that the issuer for that certificate is always the bank!

The only way to solve this is adding every https site under the bank issuer certificate,
but is there a more “elegant” way of doing this?

Thanks in advance!

Comment from Harald Z.
Time: Thursday 23 October, 2008, 18:29

That was a hard to find setting. I even had to use IE to visit a site, while wondering where the heck I can add an exception like in IE.

Comment from dqj
Time: Sunday 23 November, 2008, 23:51

In any case, your instructions were very helpful. I am now able to get on with my development because I was stymied by a certificate on a development server I didn’t care about. It would have taken me hours, if not days, to find that path through the preferences! Thank you!

Comment from Jerry Qian
Time: Saturday 3 January, 2009, 16:24

I wrote a FF3 extension RCE.xpi to get rid of such pain SSL exception.

It will auto-detect-complete all buttons.

Comment from Steve
Time: Saturday 24 January, 2009, 06:19

I find the “confirm security exception” when box is checked does nothing as far as saving the exception from one online visit to the next. Why was this expanded and so many steps added? Did someone have way too much time on their hands?

This happens every time I connect to my service provider. So I have learned to start the session with IE to get past this whole mess with just one click in IE then close it and open FF3. Wal-la, maybe takes the same time, I doubt it, but I feel I got one over on FF3, LOL

Comment from E
Time: Thursday 29 January, 2009, 10:14

This wound me up BIG TIME! At work IE is awful because different sites here go through different proxies, which just makes IE slow (even on “just obey the pac” setting). Firefox, at least, is quick with this and you barely notice the transition.

However, the proxies tag the certificates in some way such that they look different each time – so firefox never adopts the exception! Which means I have to view that dialogue more often than I do web pages. I downgraded to firefox 2, but found it hardly any better (still too many clicks to get where I am going). I think I might just change browser now. Google’s no longer in beta, and Safari might be worth a go… it’s certainly better on my mac ;)

Comment from mark
Time: Tuesday 3 March, 2009, 07:36

Right now the 305 version kind of does what you asked them to do. Still there’s quite a lot of clicking to do.
I happened here because I am looking for a way to turn this madness off altogether.
I don’t want firefox to check for ANY certificate, I have about 6 computers and I can afford to have one that’s not secure for some MEGAFAST browsing.

Comment from Anna
Time: Tuesday 19 May, 2009, 20:50

you’re the greatest.. i’ve been messing with the clock, thinking it was the issue… but gee’ you solved my problem. :)

Comment from Slawomir L.
Time: Saturday 30 May, 2009, 20:03

As a developer, I fully agree with the author of the post. The procedure to “Add Exception” is most horrible and the explanation of the “certificate issue” is almost useless.

Nobody benefits, neither power users nor newbies.

Comment from Steve
Time: Wednesday 24 June, 2009, 03:16

So right. It sucks. But the killer for me is when using web interfaces on network devices & embedded management cards that have the same SSL serials. FF3 simply will not allow you to open 2 SSL sites with the same serial at the same time. There is no workaround, and the only thing you can do is use the sites one at a time and be *ultra* careful not to store the exemption.

Ok – it’s secure. But for crying out loud, it’s so darn inconvenient that I have switched to Chrome out of sheer exasperation.

I loved firefox before this situation. I’m a tech-savvy user – alright – I’m not, I’m a freaking engineer and I *know* what the hell I’m doing – ok! I need to be able to work on customer devices regardless of how well or cleanly their SSL implementation has been done, and no I cannot wait for a hardware vendor to release an ssl patch to fix what firefox refuses to work with anymore, because my customer is paying me, and right now their world is falling apart and I need to get into their device’s web gui and fix it *right now*. If firefox *won’t let me* because some jackass mozilla developer knows better than I do “what I really want” … then hey. Hello, chrome, goodbye firefox. It’s just that simple.

Please, please, please fix this crappy situation. Give me back my freedom. Give me back my choice. Treat me like the adult I am. Stop thinking like Microsoft that you know better than I do what I really want.

I really want to love, adore and advocate firefox wherever I go because it has been so good to me for so long. But I can’t because right now it sucks and I can’t defend or hide it.


Comment from kelly
Time: Tuesday 21 July, 2009, 02:34

OMG…you know what’s more dangerous than a website with a self-signed certificate or otherwise invalid certificate? Users that have to search websites because of a broken link thanks to FF. really now…they’d rather us go into the config (warnings of dragons be damned!) than just fix this oooone little problem? Seriously?

Comment from AndyH
Time: Friday 8 January, 2010, 03:29

So, here we are in 2010 and Firefox still has the same problem. I can’t look at a site I know, trust, and have bought things from in the past, because Firefox says it’s got an invalid security certificate.

I also still can’t use the right-scroll on my touchpad. I’ve only had that problem for about two years though, so there’s still hope.

Do the Firefox developers ever actually listen to anyone telling them there’s a problem?

Comment from mayon
Time: Monday 22 February, 2010, 13:36

I’ve complained about it at several mozilla sites, with no success or even a slight suggestion how to overcome this SSL stupidity. The real problem – I use to visit a lot of sites where my development software is being installed – every day, new build, you know. And then I’m stuck with clicking, like 20 minutes for the whole day. I used to have the RCE addon, but it doesn’t work anymore under Linux, as in 3.6 Mozilla managed to change the screen once again!!! I loved FF before the expansion they did with 3.5 and messed it up with no backwards compatibility like: about:config – disable.ssl.freaking.check=1. I’d soon be forced to leave FF in favor of Chrome, though I have some useful addons, but this is really wasting my time. Some users have been convincing me to contact my IT department to use real SSL certificate?! Can you imagine that? Please, give me a chance to shoot myself in the leg, I know what I’m doing. Hellish feature.

Comment from adrian
Time: Monday 22 February, 2010, 16:11

Absolutely. I’m in the same place – awaiting a few plugins before moving to chrome which has nailed the SSL issue _first_ time – a clear, simple message which you can bypass easily.

Comment from blab
Time: Wednesday 5 May, 2010, 11:35

Most of the time I do NOT CARE AT ALL about what firefox & co judges as secure or not. Let firefox stick its fatherly nose into its own business. Turn this nonsense off please.

Comment from Charlie Obert
Time: Wednesday 29 December, 2010, 14:01

On my machine (current Firefox with Windows 7) – the option to permanently store the exception has been greyed out. Which means, I have to go through that d…ned 4 step process EVERY time I reference one internal company site.

Which also means, I switch browsers.

Comment from j
Time: Friday 14 January, 2011, 02:37

I cannot permanently store the exception, if that box is ticked I can’t continue. Some kind of bug. But I can’t find info on the bug because there are so many people talking about this problem in general.

Why not educate with:

`The CONNECTION between your computer and this website is encrypted, but the IDENTITY of the server is not verified.`

Part of the problem is no distinction between encryption and identity.

Incidentally, what else can one use for encryption only without identity?

Comment from DJ
Time: Tuesday 25 January, 2011, 05:04

I also have Firefox on Windows 7 and the option to permanently store an exception is greyed out. It is not acceptable to go through a four step process every time I go to an internal company site, so I will have to switch browsers too. Too bad, I liked Firefox until this happened.

Comment from Lance
Time: Wednesday 16 March, 2011, 19:06

The “Permanently store this exception” checkbox seems to be grayed out whenever the browser is operating in private browsing mode.

In my case the menu option for turning off private browsing was also disabled. I fixed this by going to Tools -> Options -> Privacy and setting history to “Remember history”, after which the “permanently store exception” checkbox also was enabled.

Pshew, I hated to consider switching browsers. ;)

Comment from nzUser
Time: Thursday 23 June, 2011, 23:41

3+ years on and still getting comments.
I didn’t read all the way to the privacy thing so added it manually per original post.
7th link in search “firefox confirm security exception grayed out”
I wonder if this has been resolved in FF5, [rolleyes]

Comment from Gael
Time: Monday 26 September, 2011, 12:45

I work with FF5.0 and the issue still exists.
Thanks to Lance who gave me the solution to my problem: how to enable the “Permanently store this exception” checkbox?
I wish FF would alert about the incompatibility between Privacy Mode Navigation and Permanently exception storage. It will save a lot of time.
Should it be possible to add a functionality of “exception storage” independent of “navigation storage”?