This work is © 2008-2012 by Yuval Levy and licensed under a Creative Commons License.
Yahoo Unsafe? Or Firefox Wrong?


Those who have upgraded to Firefox 3 have found it a mostly pleasant experience. It loads pages fast, crashes less and overall gives the user a good browsing experience, from site to site to site. Like travel in the European Union. Until you hit the border. There, it seems that the developers have decided to replicate post-9/11 U.S. Department of Homeland Security worst practices.

Entering the United States has become a complex nightmare. A simple passport is no longer enough – it must be biometrically enhanced (read: expensive). Border agents can search the laptops of any traveler (read: guilty until proven innocent). Foreigners without biometrically enhanced passports must go through fingerprinting. All of this in the name of security. Has it prevented or even reduced illegal border crossing? It has made legitimate travel much less appealing.

Similarly, entering an SSL-secured website with Firefox has become a complex nightmare. The website’s certificate must be signed by an officially recognized Certification Authority (CA) that charges a yearly fee for the process. Every time the user tries to display such an SSL-secured website with a certificate that has not been rubber-stamped by an officially recognized CA or is otherwise not in perfect standing, the border agent appears on screen. In the past, the user could simply dismiss the warning and connect at his own risk. With Firefox 3, a new degrading, time-consuming, repetitive, annoying clicking procedure has been introduced.

What for? Where are the benefits? Are the developers aware of the consequences? Gnome developer Federico Mena-Quintero is right when he qualifies this as *** and points to a presentation that clearly shows how the certification scheme is broken as designed. And Dave Neary hits the nail when he points right at the consequences: previously it was just “Add exception” or whatever. Now it’s “Next, Next, Add exception, Get certificate, Next”.

The only winner? The doctors who see more RSI patients.

Today I was trying to display a Yahoo website and I got the above screenshot. Despite the Netcraft Anti-Phishing Toolbar clearly showing that the connection is legitimate, I had to go through border security again. Is this new procedure preventing phishing and other SSL-abuse? I doubt it. Is it preventing me from using SSL as intended, to encrypt transmission between the two points? Yes, it does. Add your comments to Mozilla’s bug report and vote for it to get the attention of those who can change this for the better.

4 Responses

  1. You point to a lot of very useful information, in particular that PDF of the pres is full of win; however I have to take issue with your rant in that FF is absolutely correct to complain that verify.yahoo.com presents a cert for edit.yahoo.com.
    This has nothing to do with segregating self-signing bums.
    IMO, wrt self-signing, I think there should be no warning at all presented to the user. It should work a bit like SSH StrictHostKeyChecking set to no, adding host keys automatically to the known hosts DB, but complaining loudly (w/o a link to remove it, you have to use the menu) and disallowing connection completely should the cert change to prevent MITM.
    Anything else leads to Pavlovian conditioning.

  2. @NM: I am not complaining about the warning which I agree with you is justified (even for the self-signed certificates). What disturbs me is the series of roadblock clicks that “leads to Pavlovian conditioning” indeed. And to RSI.

  3. I have to agree with you, Yuval. Six clicks and a mouse arm just to continue using some site is just too much, however it *does* make you aware of security issues.

    Today I encountered a similar experience, however, this time there was no way to continue. And actually, FF3 was completely right. It seems some sites (in this case, a big company like Vodafone) use certificates which have been revoked, which should be avoided of course. While most other browsers don’t even make you aware of this, FF3 just refused to continue, with the following error message:


    Secure Connection Failed
    An error occurred during a connection to login.vodafone.nl.
    Peer’s Certificate has been revoked.
    (Error code: sec_error_revoked_certificate)
    The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
    * Please contact the web site owners to inform them of this problem.

    I think what FF3 tries to do is bringing us a safer web, which is, of course, a noble goal. However situations like this should be circumventable.

    By the way of course I *did* inform the web site owners (Vodafone NL…).

  4. The attitude seems to be that if there is even one Man-in-the-Middle attack attempt that happens somewhere which Mozilla can scare a “consumer” away from, then all of the people who end up using no security at all because it’s too much hassle are simply acceptable collateral damage. (Self-signed certificates seem to be by far the most convenient way to make basic encryption available on one’s servers. If everyone can be convinced that this is “invalid” then only the tiny fraction of people willing to jump through the extra hoops of setting up their own CA will handle their own encryption, and only they and those willing to go through the hassle of obtaining authorization from a “trusted” authority will bother to offer encryption at all).

    Since “MITM” attacks seem to be far more difficult to set up in practice than simple sniffing of unencrypted traffic, I think Mozilla’s emphasis (and stubbornness on the matter) is out of place.
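
The first response proposes handling self-signed certificates like SSH host keys: pin silently on first contact and refuse the connection if the certificate later changes. The sketch below is an added example, not code from the post, its commenters or Firefox; the class and function names, the `example.test` hosts and the certificate bytes are all constructed for illustration. Keeping the name-mismatch check separate from the pin check is an assumption of this example.

```python
import hashlib
import hmac

class PinChanged(Exception):
    """A known host presented a certificate that differs from its pin."""

def fingerprint(der: bytes) -> str:
    # Pin the SHA-256 of the raw certificate bytes, like an SSH host key hash.
    return hashlib.sha256(der).hexdigest()

def name_matches(host: str, cert_name: str) -> bool:
    # Exact match, or one wildcard covering only the left-most label.
    host, cert_name = host.lower(), cert_name.lower()
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return host == cert_name

class TofuStore:
    """Hypothetical trust-on-first-use store: host -> pinned fingerprint."""

    def __init__(self):
        self.pins = {}

    def check(self, host, cert_names, der):
        # A certificate issued for another name is rejected before any
        # pinning happens; first-use trust does not excuse a mismatch.
        if not any(name_matches(host, n) for n in cert_names):
            return "name-mismatch"
        fp = fingerprint(der)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp          # first contact: pin silently
            return "pinned-first-use"
        if hmac.compare_digest(pinned, fp):
            return "match"                # same certificate as before
        raise PinChanged(f"{host}: certificate changed, refusing to connect")

# Constructed stand-ins for DER-encoded self-signed certificates.
CERT_A = b"constructed-self-signed-cert-A"
CERT_B = b"constructed-self-signed-cert-B"

def demo():
    store = TofuStore()
    host, names = "mail.example.test", ["mail.example.test"]
    results = [store.check(host, names, CERT_A),
               store.check(host, names, CERT_A),
               store.check("verify.example.test", ["edit.example.test"], CERT_A)]
    try:
        store.check(host, names, CERT_B)  # certificate swapped after pinning
    except PinChanged:
        results.append("refused")
    return results

if __name__ == "__main__":
    print(demo())
```
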
