Those who have upgraded to Firefox 3 have found it a mostly pleasant experience. It loads pages fast, crashes less, and overall gives the user a good browsing experience from site to site to site. Like travel in the European Union. Until you hit the border. There, it seems that the developers have decided to replicate post-9/11 U.S. Department of Homeland Security worst practices.
Entering the United States has become a complex nightmare. A simple passport is no longer enough – it must be biometrically enhanced (read: expensive). Border agents can search the laptops of any traveler (read: guilty until proven innocent). Foreigners without biometrically enhanced passports must go through fingerprinting. All of this in the name of security. Has it prevented or even reduced illegal border crossing? It has made legitimate travel much less appealing.
Similarly, entering an SSL-secured website with Firefox has become a complex nightmare. The website’s certificate must be signed by an officially recognized Certification Authority (CA) that charges a yearly fee for the process. Every time the user tries to display an SSL-secured website whose certificate has not been rubber-stamped by an officially recognized CA, or is otherwise not in perfect standing, the border agent appears on screen. In the past, the user could simply dismiss the warning and connect at his own risk. With Firefox 3, a new degrading, time-consuming, repetitive, annoying clicking procedure has been introduced.
What for? Where are the benefits? Are the developers aware of the consequences? GNOME developer Federico Mena-Quintero is right when he qualifies this as *** and points to a presentation that clearly shows how the certification scheme is broken as designed. And Dave Neary hits the nail on the head when he points right at the consequences: previously it was just “Add exception” or whatever. Now it’s “Next, Next, Add exception, Get certificate, Next”.
The only winner? The doctors who see more RSI patients.
Today I was trying to display a Yahoo website and I got the above screenshot. Despite the Netcraft Anti-Phishing Toolbar clearly showing that the connection is legitimate, I had to go through border security again. Is this new procedure preventing phishing and other SSL abuse? I doubt it. Is it preventing me from using SSL as intended, to encrypt transmission between the two points? Yes, it is. Add your comments to Mozilla’s bug report and vote for it to get the attention of those who can change this for the better.