Mozilla SSL Policy Considered Bad For the Web
The issue of digital certificates for SSL and the policies surrounding them comes up repeatedly. I've written an article criticizing the behavior in Firefox 3, which includes a serious comparison of the current Mozilla policy — restricting encrypted HTTP to paying customers — to a violation of net neutrality.
I remember writing a few parody posts back when Firefox 3 first came out, comparing this feature of it to Windows Vista's implementation of least user access. Never in my wildest dreams did I think that the /. trolls would actually start bitching about it and recommending people stick with Firefox 2. I guess I forgot I'm dealing with the parts of the internet that embody all the worst parts of the entitlement generation. The morons obviously think that the world should be designed with their short-term in mind, with no regard for anyone else, or even their own long-term well-being. If someone does something that makes them unhappy, it shouldn't exist. Then when something happens later on that makes them a lot more unhappy that would have been stopped by the first thing, they blame the first thing for not existing, refusing to acknowledge their own culpability in its non-existence.

Mozilla Firefox 3 limits usable encrypted (SSL) web sites to those who are willing to pay money to one of their approved digital certificate vendors. This policy is bad for the web. Not only does it make users less secure overall by reducing the number of encrypted connections, it damages the basic principle of equality among web participants.
The problem is this: When a Firefox 3 user visits an encrypted web site with a self-signed certificate or a certificate signed by an unapproved (new or non-profit) provider, Firefox doesn’t show the page. Instead, it shows a scary "you are being hacked"-style warning that requires 4 clicks and an "add an exception" dialog box to bypass.
The warning looks like this:
This behavior means that a public web site basically can’t be encrypted unless they are willing to pay an approved vendor a yearly fee for a certificate. This has two effects: First, some sites are forced to pay for certificates that they otherwise wouldn’t have bought. Second, some sites are forced to go without encryption that they otherwise would have had.
SSL has two effects: First, it allows connections to be encrypted so they can’t be snooped. Second, it allows sites to be authenticated so they can’t be impersonated.
Proponents of Mozilla’s policy tend to ignore the first effect and focus on the second effect - correctly stating that a self-signed certificate has no value for authenticating a web site (unless the certificate is authenticated out-of-band by hand). This ignores the value of simple encryption. Snooping a connection (i.e. on a wireless link) is much easier than any of the impersonation attacks that SSL authentication prevents.
Now, it’s an interesting question as to exactly what the user interface should show for a self-signed website. Obviously it shouldn’t show a green address bar like the new (extra high price, major corporation only) EV certificates. But there is absolutely no excuse for it to be significantly less inviting to a normal user than an unencrypted site.
This is really an issue of the basic principles of internet openness. Everyone has equal access to the features of HTTP or SSH; there’s no reason why there should be artificial constraints on access to HTTPS. But that’s exactly what the Firefox SSL behavior does.
For bandwidth, the basic principle of internet equality is called Network Neutrality. When ISPs have threatened it, suggesting that Google (for example) should pay them for "fast lane" preferred treatment at the expense of smaller internet participants, there has been a massive uproar from those who value this principle of equality.
There should be an equally massive uproar about Mozilla’s SSL policy. Encrypted connections may not be as immediately visible as poor quality streaming video or VoIP sound quality, but it’s similarly important. Dividing the web into a "fast lane" of commercial entities willing to pay and a "slow lane" of hobbyists and non-profits who get unusable service is bad for the internet in either case.
Mozilla is Free/Open Source. Antifeatures like the SSL policy shouldn’t be a problem - users can simply remove them if they’re bothered that much. Unfortunately, that’s not good enough in this case. A webmaster doesn’t just need his web browser to work correctly, he needs the web browser of every site visitor to work correctly.
For this problem to be solved, the most popular F/OSS browser(s) must accept self-signed certificates. If Mozilla is unwilling to change their policies, it would be worth the effort of trying to create a *more popular* fork with full SSL functionality.
But enough ranting and back on topic: The reason Mozilla did that is as anti-phishing and anti-eavesdropping protection. Properly signed certs guarantee two things: that the website is what it says it is, and that the communication between yourself and the site is encrypted. If the certification is signed by someone Firefox 3 is not programmed to trust (e.g. self-signed), it's possible the website is trying to pretend to be something it's not, and doesn't want to leave out the "s" in the URL. In a world where someone stealing your identity can effectively ruin your life, I can't understand how anyone doesn't find it to be a necessary annoyance.
But then again, what do I know? I think Least User Access is the greatest invention since the GUI, so I'm obviously crazy. Of course I might be a little more mortified at the way Mozilla is forcing everyone to pay money to have encrypted traffic if I wasn't surfing a website right now that's encrypted by a certification that Firefox accepts perfectly and the owner didn't pay a nickel for.
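The distinction that both the quoted article and the reply above turn on, namely that a self-signed certificate still gives you encryption but only authenticates the site if the certificate is checked out of band, can be shown end to end in a few dozen lines. The Go program below is an added example written for this page; it is not code from Mozilla, from Firefox, or from either author. It mints a self-signed certificate for the constructed hostname example.test, runs TLS handshakes entirely in memory (over net.Pipe, so no network is used), and shows three outcomes: the default chain-to-a-trusted-root check, which is what a browser does, rejects the certificate; pinning the SHA-256 fingerprint obtained out of band accepts it and a real cipher suite is negotiated; and a certificate whose fingerprint differs from the pin, which is what an impersonator would have to present, is rejected. The function names, the hostname and the two-second deadline are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hostname of the imaginary hobbyist site (constructed for this example).
const siteName = "example.test"

// newSelfSignedCert makes a key pair and a certificate signed by that same
// key: exactly what a site has when no certificate vendor is involved.
func newSelfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: siteName},
		DNSNames:     []string{siteName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// fingerprint is the SHA-256 of the DER certificate: the value a site owner
// publishes out of band so visitors can authenticate a cert no CA vouches for.
func fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// handshake runs one TLS handshake between an in-memory client and server and
// returns the client's view: its connection state and handshake error.
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) (tls.ConnectionState, error) {
	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()
	// net.Pipe is synchronous; a deadline keeps a rejected handshake from
	// hanging if one side stops reading before the other has finished writing.
	deadline := time.Now().Add(2 * time.Second)
	_ = c.SetDeadline(deadline)
	_ = s.SetDeadline(deadline)

	srv := tls.Server(s, &tls.Config{Certificates: []tls.Certificate{serverCert}})
	done := make(chan struct{})
	go func() {
		_ = srv.Handshake() // the server's result is irrelevant; the client decides
		close(done)
	}()
	cli := tls.Client(c, clientCfg)
	err := cli.Handshake()
	<-done
	return cli.ConnectionState(), err
}

// connectLikeFirefox applies the default policy: the chain must end at a
// trusted root, so a self-signed certificate is rejected before any page loads.
func connectLikeFirefox(serverCert tls.Certificate) error {
	_, err := handshake(serverCert, &tls.Config{ServerName: siteName})
	return err
}

// connectWithPin authenticates the server by comparing its certificate's
// fingerprint with one obtained out of band, and still gets full encryption.
func connectWithPin(serverCert tls.Certificate, pin string) (tls.ConnectionState, error) {
	cfg := &tls.Config{
		ServerName:         siteName,
		InsecureSkipVerify: true, // skips CA chain building only; the callback below still runs
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 || fingerprint(raw[0]) != pin {
				return errors.New("server certificate does not match the pinned fingerprint")
			}
			return nil
		},
	}
	return handshake(serverCert, cfg)
}

func main() {
	cert, err := newSelfSignedCert()
	if err != nil {
		panic(err)
	}
	pin := fingerprint(cert.Certificate[0])
	fmt.Println("pinned SHA-256:", pin)
	fmt.Println("default CA policy:", connectLikeFirefox(cert))
	state, err := connectWithPin(cert, pin)
	fmt.Println("pinned fingerprint:", err, "cipher:", tls.CipherSuiteName(state.CipherSuite))
	_, err = connectWithPin(cert, "0000")
	fmt.Println("wrong pin (an impersonator's cert):", err)
}
```

The pinned path is the out-of-band authentication the article alludes to: InsecureSkipVerify disables only the chain walk to a trusted root, while VerifyPeerCertificate still runs and is where the fingerprint comparison happens. Leaving that callback out would give encryption with no authentication at all, which is the "snooping is prevented, impersonation is not" middle ground the two sides of this debate are arguing over.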