New SSL policy in Firefox hurting tens of thousands of sites
"SSL" (Secure Sockets Layer) is a standard for establishing an encrypted link between a web server and a browser to ensure that all data passed between the web server and the browser remains private.
The "geeks at Pingdom" describe a problem with the way Firefox version 3 handles "SSL certificates" (which the casual user does not even see under normal conditions):
- New SSL policy in Firefox hurting tens of thousands of sites, Pingdom, August 19, 2008.
If you visit a website with either an expired or a self-signed SSL certificate, Firefox 3 will not show that page at all. Instead it will display an error message, similar to any other browser error (for example a “page not found” 404 message).
...[T]his is not something that only affects smaller websites. For example, the SSL certificate for the official US Army website [https://www.us.army.mil/] is declared invalid by Firefox 3.

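As an added example, not code from Pingdom or this post, the check below classifies a certificate for the two conditions the quoted text names (expired, self-signed) plus the related not-yet-valid case. It works on the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the two sample certificates and their hostnames are constructed for illustration.

```python
import ssl
import time

# Constructed samples in the dict shape ssl.getpeercert() returns:
# subject/issuer are tuples of RDNs, dates are "Mon DD HH:MM:SS YYYY GMT".
SELF_SIGNED_EXPIRED = {
    "subject": ((("commonName", "kiosk.example.test"),),),
    "issuer": ((("commonName", "kiosk.example.test"),),),
    "notBefore": "Aug 18 00:00:00 2007 GMT",
    "notAfter": "Aug 18 23:59:59 2008 GMT",
}
CA_SIGNED_VALID = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example CA Root"),)),
    "notBefore": "Jan 01 00:00:00 2008 GMT",
    "notAfter": "Dec 31 23:59:59 2009 GMT",
}

# Reference point for the samples: the day of the Pingdom article.
AUG_19_2008 = ssl.cert_time_to_seconds("Aug 19 12:00:00 2008 GMT")


def cert_problems(cert, now=None):
    """Return the reasons a Firefox-3-style policy would refuse this cert.

    An empty list means the certificate passes the date and issuer checks
    (chain and hostname validation are separate and not covered here).
    """
    now = time.time() if now is None else now
    problems = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("not yet valid")
    if now > not_after:
        problems.append("expired")
    # A certificate whose issuer name equals its subject name is self-signed:
    # no third-party CA vouches for it, so there is no trust path to follow.
    if cert["subject"] == cert["issuer"]:
        problems.append("self-signed")
    return problems


if __name__ == "__main__":
    for name, cert in (("kiosk", SELF_SIGNED_EXPIRED), ("www", CA_SIGNED_VALID)):
        print(name, cert_problems(cert, now=AUG_19_2008) or ["ok"])
```

Against a live server, `getpeercert()` only returns a populated dict once the default context has already validated the chain, so this classifier is most useful on certificates you export yourself (for example from an internal kiosk or test host) to see which of these conditions the browser would report.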
See also:
What is SSL? (ssl.com)
SSL (Webopedia)
SSL (Wikipedia)

One Darn Minute
I think there's another side to this issue, that self-signed SSL certificates can be a privacy threat to the non-savvy user. A site can pretend to be a bank, self-sign a certificate and phish. How many people do you know who follow the trust path back to its source?
There's an excellent slashdot thread on it:
http://tech.slashdot.org/tech/08/08/22/1139236.shtml
I definitely think you need to outline the *other* side of this issue for your less savvy users.
FAA Site for NOTAMS Affected As Well
We have a "weather kiosk" at our local airport that pilots use to access various sites, government and other, prior to flight. This kiosk runs LiveKiosk, a Linux-based free kiosk originally developed to help Katrina victims with web access. It offers a locked-down version of Firefox.
In this situation, a self-signed certificate makes the sites inaccessible. For example, we can't use the kiosk to access FAA's Pilotweb site to check NOTAMS prior to flight.
Self-signed certificates should only be used for testing or internal use, not for public sites.