Comments on: Yahoo Unsafe? Or Firefox Wrong?

By: epicanis

epicanis — Tue, 19 Aug 2008 19:59:01 +0000

The attitude seems to be that if there is even one Man-in-the-Middle attack attempt that happens somewhere which Mozilla can scare a “consumer” away from, then all of the people who end up using no security at all because it’s too much hassle are simply acceptable collateral damage. (Self-signed certificates seem to be by far the most convenient way to make basic encryption available on one’s servers. If everyone can be convinced that this is “invalid” then only the tiny fraction of people willing to jump through the extra hoops of setting up their own CA will handle their own encryption, and only they and those willing to go through the hassle of obtaining authorization from a “trusted” authority will bother to offer encryption at all).

Since “MITM” attacks seem to be far more difficult to set up in practice than simple sniffing of unencrypted traffic, I think the Mozilla’s emphasis (and stubbornness on the matter) is out of place.

By: B/.RT

B/.RT — Sun, 17 Aug 2008 12:33:56 +0000

I have to agree with you, Yuval. Six clicks and a mouse arm just to continue using some site is just too much, however it *does* make you aware of security issues.

Today I encountered a similar experience, however, this time there was no way to continue. And actually, FF3 was completely right. It seems some sites (in this case, a big company like Vodafone) use certificates which have been revoked, which should be avoided of course. While most other browsers don’t even make you aware of this, FF3 just refused to continue, with the following error message:

—
Secure Connection Failed
An error occurred during a connection to login.vodafone.nl.
Peer’s Certificate has been revoked.
(Error code: sec_error_revoked_certificate)
The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
* Please contact the web site owners to inform them of this problem.
—

I think what FF3 tries to do is bringing us a safer web, which is, of course, a noble goal. However situations like this should be circumventable.

By the way of course I *did* inform the web site owners (Vodafone NL…).

By: Yuval Levy

Yuval Levy — Thu, 14 Aug 2008 13:33:41 +0000

@NM: I am not complaining about the warning which I agree with you is justified (even for the self-signed certificates). What disturbs me is the series of roadblock clicks that "leads to pavlovlian conditioning" indeed. And to RSI.

By: NM

NM — Tue, 12 Aug 2008 16:37:02 +0000

You point to a lot of very useful informations, in particular that PDF of the pres is full of win; however I have to take issue with your rant in that FF is absolutely correct to complain about verify.yahoo.com presents a cert for edit.yahoo.com.
This has nothing to do with segregating self-signing bums.
IMO, wrt self-signing, I think there should be no warning at all presented to the user. It should work a bit like SSH StrictHostKeyChecking set to no, adding host keys automatically to the known hosts DB, but complaining loudly (w/o a link to remove it, you have to use the menu) and disallowing connection completely should the cert change to prevent MITM.
Anything else leads to pavlovian conditionning.