
Accepting certificates


Stefanos Harhalakis

Aug 30, 2007, 6:31:02 PM
to dev-se...@lists.mozilla.org
Hello there,

As you already know (:-)) when Firefox visits an SSL enabled site and gets a
certificate that cannot be verified, it asks the user about the action it should
take. The current actions are: Accept Permanently (#1), Accept for Session
(#2), Don't Accept (#3), having #2 as the preselected option.

I believe that this (option #2) is the most insecure of all. Let me explain
my thoughts:

* If the user rejects the certificate then there can be no harm.

* If the user accepts the certificate permanently:
  * The certificate may be valid and thus he will be protected for all future
    sessions, because a fake certificate will not match the already accepted one.
  * The certificate may be fake (man in the middle). If it is fake, the user
    most probably will find it out when he tries to visit the site at another
    moment in the future, when there will be no mitm attack taking place. Firefox
    will then warn about the wrong certificate and the user will be alerted.

* If the user accepts the certificate permanently, it is like drawing a lot. A
user that visits an https-powered webmail site 4-10 times a day just
increases the possibility of a mitm attack to succeed.

Of course you'd ask 'who visits a site so often and does not accept the
certificate permanently'. Well, my experience shows that there are many such
people (I work as a sysadmin in a University).

So I suggest (and kindly ask) you to:

a) Change the default option to #1 or #3
b) Discourage people from selecting #2 (even display a warning box)
c) Perhaps implement an aging (cache expiring) method to delete very old
certificates and possibly add an option 'remember for 1 year', where each new
visit will reset the countdown timer.

All of these could be accompanied with a more alerting dialog box to be
shown when there is a certificate mismatch.

Best regards,
Harhalakis Stefanos

p.s. I'm subscribed to the list but please CC me
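
The trade-off argued in the post above, as an added example that is not part of the original thread and is not Firefox code: a hypothetical `PinStore` models option #1 with the sliding one-year expiry from suggestion (c), and `simulate` compares it with option #2 for a user who accepts every prompt. The host name, certificate bytes and all function names are constructed for illustration.

```python
import hashlib

DAY = 24 * 3600
HOST = "webmail.example"  # constructed host name

class PinStore:
    """Hypothetical store of permanently accepted certs: host -> (sha256, last_seen)."""
    def __init__(self, max_age=365 * DAY):   # "remember for 1 year" from suggestion (c)
        self.max_age = max_age
        self.pins = {}

    def check(self, host, cert_der, now):
        """Classify the presented certificate as 'unknown', 'match' or 'mismatch'."""
        fp = hashlib.sha256(cert_der).hexdigest()
        entry = self.pins.get(host)
        if entry and now - entry[1] > self.max_age:
            del self.pins[host]               # aged out: host is treated as never seen
            entry = None
        if entry is None:
            return "unknown"
        if entry[0] != fp:
            return "mismatch"                 # alert case; the stored pin is kept
        self.pins[host] = (fp, now)           # each matching visit resets the countdown
        return "match"

    def accept_permanently(self, host, cert_der, now):
        self.pins[host] = (hashlib.sha256(cert_der).hexdigest(), now)

def simulate(visits, policy):
    """visits: [(time, cert_der)], one browser session each; the user accepts every
    prompt. Returns (prompts clicked through, mismatch alerts raised)."""
    store, prompts, alerts = PinStore(), 0, 0
    for now, cert in visits:
        verdict = store.check(HOST, cert, now)
        if verdict == "unknown":
            prompts += 1
            if policy == "permanent":         # option #1
                store.accept_permanently(HOST, cert, now)
            # option #2 ("session"): nothing survives into the next visit
        elif verdict == "mismatch":
            alerts += 1
    return prompts, alerts

REAL, FAKE = b"constructed-real-cert", b"constructed-mitm-cert"  # stand-ins for DER bytes
if __name__ == "__main__":
    week = [(0, REAL), (DAY, REAL), (2 * DAY, FAKE), (3 * DAY, REAL)]
    print("permanent:", simulate(week, "permanent"))
    print("session:  ", simulate(week, "session"))
```

With the constructed four-visit week, the permanent policy prompts once and flags the substituted certificate, while the session policy prompts on every visit and never distinguishes the fake from the real one.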

Nelson Bolyard

Aug 31, 2007, 12:42:13 PM
to Stefanos Harhalakis
Stefanos,

If you're really worried about students being MITM attacked, then you
might ask why the University has so many https sites using invalid certs
which necessitate the users getting this dialog in the first place.

Don't worry, in FF3, this dialog will go away completely.

Stefanos Harhalakis

Sep 2, 2007, 10:59:36 AM
to dev-se...@lists.mozilla.org

It is not the University that has https sites with self signed certificates,
but the rest of the Internet. Apart from that, that was a generic
consideration.

Anyway, I didn't know that about FF3. I searched a bit and saw that there
was a lengthy discussion regarding this issue, so I'll just wait for you to
do the right thing (tm), or I'll send any thoughts as additional comments to
that "bug report"... :-)
