New SSL policy in Firefox hurting tens of thousands of sites

“SSL” (Secure Sockets Layer) is a standard for establishing an encrypted link between a web server and a browser to ensure that all data passed between the web server and the browser remains private.

The “geeks at Pingdom” describe a problem with the way Firefox version 3 handles “SSL certificates” (which the casual user does not even see under normal conditions):

If you visit a website with either an expired or a self-signed SSL certificate, Firefox 3 will not show that page at all. Instead it will display an error message, similar to any other browser error (for example a “page not found” 404 message).

…[T]his is not something that only affects smaller websites. For example, the SSL certificate for the official US Army website [https://www.us.army.mil/] is declared invalid by Firefox 3.

See also:
What is SSL? (ssl.com)
SSL (Webopedia)
SSL (Wikipedia)

Creative Commons License
This work, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States License.


2 Comments

  1. Ben says:

    I think there’s another side to this issue, that self signed SSL certificates can be a privacy threat to the non-savvy user. A site can pretend to be a bank, self sign a certificate and phish. How many people do you know who follow the trust path back to its source?

    There’s an excellent slashdot thread on it:

    http://tech.slashdot.org/tech/08/08/22/1139236.shtml

    I definitely think you need to outline the *other* side of this issue for your less savvy users.

  2. J says:

    We have a “weather kiosk” at our local airport that pilots use to access various sites, government and other, prior to flight. This kiosk runs LiveKiosk, a Linux-based free kiosk originally developed to help Katrina victims with web access. It offers a locked-down version of Firefox.

    In this situation, a self-signed certificate makes the sites inaccessible. For example, we can’t use the kiosk to access FAA’s Pilotweb site to check NOTAMS prior to flight.

    Self-signed certificates should only be used for testing or internal use, not for public sites.
