Interesting People mailing list archives

Re: Firefox 3's Step Backwards For Self-Signed Certificates


From: David Farber <dave () farber net>
Date: Wed, 9 Jul 2008 10:08:09 -0700


________________________________________
From: Serge Egelman [egelman () cs cmu edu]
Sent: Wednesday, July 09, 2008 12:35 PM
To: David Farber
Cc: cups () cups cs cmu edu
Subject: Re: [IP] Firefox 3's Step Backwards For Self-Signed Certificates

For IP if you wish:

I am in no way affiliated with the Mozilla project, but I am part of the
W3C Web Security Context WG (which includes some Mozilla people), where
some of these design decisions have been debated.

The main issue before the group was what indicators or warnings to
display when a self-signed certificate is encountered.  There have been
many heated debates over the public mailing list on this:

http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jul/thread.html#msg280
http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jul/thread.html#msg22

Personally, I think they made an absolutely terrible decision in Firefox
3.  Their argument seems to be centered around the belief that only the
bad guys will use self-signed certificates because blocking them will
cause legitimate websites to spring for CA-signed certificates.  This is
a poor assumption for several reasons:

1) Several academic studies have shown that users do not notice SSL
indicators in any form (i.e. the lock icon is not noticed and is
misunderstood, and the new EV indicators are easily spoofed by
picture-in-picture attacks).  Thus, the bad guys have little incentive
to use any SSL certificate (CA-signed or not).

2) If a user is really trying to get to a known website with a
self-signed certificate in Firefox and is blocked (and is not savvy
enough to get around the warning), it's likely he or she will just
switch to Internet Explorer or Safari.

3) Assuming every browser starts blocking self-signed certificates and
users radically change their behavior such that they seek out SSL icons
(fat chance), the bad guys will simply start buying CA-signed
certificates.  A low-grade SSL certificate costs around $20.  Studies
have shown that most phishers make an average of $500/victim.  At that
rate, being forced to drop $20 won't be a deal-breaker---it's simply a
cost of doing business.  Low grade SSL certificates are issued
automatically to anyone who legitimately owns a domain name (and most
phishing attacks no longer use homonym attacks, so it's very difficult
for the CAs to filter out the malicious requests).

Based on the above, I'm not convinced that self-signed certificates
should be treated any differently than low-grade ones.

serge


David Farber wrote:
________________________________________
From: Lauren Weinstein [lauren () vortex com]
Sent: Tuesday, July 08, 2008 11:09 AM
To: David Farber
Cc: lauren () vortex com
Subject: Firefox 3's Step Backwards For Self-Signed Certificates

            Firefox 3's Step Backwards For Self-Signed Certificates

                 http://lauren.vortex.com/archive/000402.html


Greetings.  If you've switched over to Firefox 3 as your Web browser
already -- and in general it's a fine upgrade -- you may at some
point discover that rather than encourage (or at least not overly
discourage) the use of self-signed security certificates, Firefox 3
makes it *less* likely that anyone other than an expert user
will ever accept a self-signed certificate.  This is particularly of
concern to me since I've urged an expansion of self-signed certs
deployment as a stopgap measure toward pervasive encryption
( http://lauren.vortex.com/archive/000339.html ).

Compared with Firefox 2, version 3 throws up so many barriers and
scary-sounding warnings to click through to accept such certs, that
it would be completely understandable if most persons immediately
aborted.

What's going on is that Firefox is now putting so much emphasis on
identity confirmation that it's making it even harder for people to
use the basic encryption functionality of the browser, which works
just fine with self-signed certificates (which admittedly are not
good carriers for identity credentials).

But in many situations, we're not concerned about identity in
particular, we just want to get the basic https: crypto stream up
and running.

I am fully aware of the associated identity considerations, and I
know that basic signed certificates that will work in Firefox and
some other browsers (but last I heard not in Internet Explorer at
this time) can be obtained for free.  If browser acceptance of free
signed certs broadens out (and especially if wildcard certificates
also become freely available) the need for self-signed certificates
could significantly diminish.

But for now, Firefox 3 is going overboard with its complicated and
alarming warnings, which if nothing else could include improved
explanatory text, so that users would be able to better judge
whether or not they should accept any particular self-signed
certificate.  The current wording is unreasonably judgmental given
the range of perfectly legitimate situations where self-signed
certificates might be used.

I'm not saying to give self-signed certs the same invisible,
automatic acceptance as signed certificates, but Firefox 3 has
simply gone too far toward making self-signed certs unusable -- from
a practical standpoint -- in many situations where they otherwise
would be completely adequate and suitable.

--Lauren--
Lauren Weinstein
lauren () vortex com or lauren () pfir org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
   - People For Internet Responsibility - http://www.pfir.org
Co-Founder, NNSquad
   - Network Neutrality Squad - http://www.nnsquad.org
Founder, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com



-------------------------------------------
Archives: http://www.listbox.com/member/archive/247/=now
RSS Feed: http://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com

--
/*
PhD Candidate
Carnegie Mellon University

"Whoever said there's no such thing as a free lunch was never a grad
student."

All views contained in this message, either expressed or implied, are
the views of my employer, and not my own.
*/
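A concrete illustration of the distinction both messages turn on (a self-signed certificate still gives an encrypted channel, but nobody vouches for the identity behind it), as an added example that is not code from the thread or from Mozilla: a trust-on-first-use policy that pins a self-signed certificate's fingerprint per host, so later connections at least get continuity of identity. Certificate dicts follow the layout Python's `ssl.getpeercert()` returns; the host names and DER byte strings are constructed placeholders.

```python
"""Trust-on-first-use (TOFU) handling for self-signed certificates.

Added example; not code from the thread or from Mozilla.  Certificate dicts
use the tuple-of-tuples DN layout returned by ssl.getpeercert(); the DER
bytes used in the test are constructed placeholders, not real certificates.
"""
import hashlib


def dn(cert, field):
    """Flatten an ssl.getpeercert()-style DN (tuple of RDN tuples) into a dict."""
    return {k: v for rdn in cert.get(field, ()) for k, v in rdn}


def is_self_signed(cert):
    """Heuristic only: issuer DN equals subject DN.  A full check would also
    verify the signature with the certificate's own public key."""
    return dn(cert, "issuer") == dn(cert, "subject")


def sha256_fingerprint(der):
    """SHA-256 of the DER encoding, the usual form for pinning a leaf cert."""
    return hashlib.sha256(der).hexdigest()


class PinStore:
    """Per-host SHA-256 pins of previously accepted certificates (in memory)."""

    def __init__(self):
        self.pins = {}

    def check(self, host, der):
        fp = sha256_fingerprint(der)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp       # first contact: accept and remember
            return "pinned"
        # A changed fingerprint is the case worth alarming the user about:
        # either a key rotation or someone else terminating the TLS session.
        return "match" if known == fp else "MISMATCH"


def decide(host, cert, der, store, ca_verified):
    """Policy: CA-verified -> trust; self-signed -> TOFU pin; else reject.

    ca_verified is the result of normal chain validation against the trust
    store (done by the TLS library, outside this example)."""
    if ca_verified:
        return "trusted-ca"
    if is_self_signed(cert):
        return "self-signed:" + store.check(host, der)
    return "reject:unknown-issuer"
```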




