For exchanging data and information, users, consumers and firms alike, trust encryption and certificates,
but the way in which Firefox 3 is handling SSL certificates is open to improvement.
In Firefox 3 Mozilla changed the way certificates were handled, which is not always profitable to the user of the browser.
Fortunately there are some ways to come to a considerable improvement, which will deliver more protection as an additional benefit.
Up to and including Firefox 2, the browser showed a golden lock inside the address bar when visiting an HTTPS site. Something that could not easily be overlooked.
Since Firefox 3 was launched, Mozilla was more concerned about “Extended Validation Certificates”,
enabling added security as such, as the identity behind the sites visited is thoroughly checked.
The certificates to do this do not differ much from normal certificates, and because they are rather costly, are not being used by many websites. Because the majority of the sites have plain SSL certificates, Firefox 3 is not handling these normal certificates properly.
The golden lock has now been replaced with the site favicon held inside a blue frame; this is not clear to everyone, and also open to abuse. To make things stand out a bit more for Firefox 3 users you can go to “about:config” and change the value of the key browser.identity.ssl_domain_display from 0 to 1.
This will make HTTPS sites stand out more to the user’s eye.
Homemade certificates
Another problem that will cause misunderstanding is the warnings for HTTPS sites
that have a valid certificate, but did not pay additionally to Verisign.
That is why warnings like “this website does not supply identity information” are being shown,
while the certificate as such is valid and checked.
The problem is even bigger where self-created certificates are concerned.
Firefox here sounds an alarm and provides the user with ways to get out of the website or
make an exception for this site. Those willing to check on the key’s fingerprint
are not given the possibility to do so, because the certification screen is placed on the browser window.
Furthermore, the system Firefox uses to recall certificates does not seem to function.
Three steps to shop safer online with Firefox: http://www.h-online.com/security/features/112797/0
Step one: users have to install an SSL Blacklist with a local Blacklist database http://codefromthe70s.org/sslblacklist.aspx
followed by step two, installing the Perspectives plug-in from http://www.cs.cmu.edu/~perspectives/firefox.html
together with disabling the automatic ignoring of security warnings,
so the users can find additional certification error messages.
The final step is making sure that SSL sites stand out better.
“All these measures should be combined with some sound feeling of distrust
when and where things seem too good to be true, then they often are too good to be true”
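The first two steps of the post, a local blacklist of known-bad certificates and the Perspectives notaries, boil down to two checks that can be shown in code. The script below is an added illustration written for this thread, not code from the Perspectives plug-in or from the SSL Blacklist extension: it computes the fingerprint Firefox shows in its certificate viewer, rejects a key that is on a local blacklist, and then compares the certificate this client received against what several independent notary vantage points have recorded for the host, so a certificate that only this client is being shown stands out. All certificates, fingerprints, notary names, dates and thresholds are constructed sample data, and the quorum rule is a simplification of the plug-in's quorum-duration policy.

```python
"""
Perspectives-style notary quorum check combined with a local certificate
fingerprint blacklist.

Added illustration, not code from the Perspectives plug-in or the SSL
Blacklist extension. Every certificate, fingerprint, notary name, date and
threshold below is constructed sample data; the quorum rule is a
simplification of the plug-in's "quorum duration" policy.
"""
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Tuple

# A notary's record for one host: (fingerprint, first_seen, last_seen).
Observation = Tuple[str, date, date]
Reports = Dict[str, List[Observation]]


def fingerprint(der_bytes: bytes, algo: str = "sha1") -> str:
    """Fingerprint in the form Firefox's certificate viewer shows it:
    hash of the DER encoding, upper-case hex, colon separated."""
    digest = hashlib.new(algo, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def quorum_verdict(observed_fp: str, reports: Reports, today: date,
                   quorum: float = 0.75, min_days: int = 7) -> str:
    """Compare the certificate this client received with the notaries' records.

    'trusted'       a quorum of notaries currently sees the same key and has
                    done so for at least min_days
    'recent-change' a quorum sees the key, but it appeared only recently
                    (legitimate rotation, or a very fresh substitution)
    'inconsistent'  fewer than quorum notaries see this key: the sign that
                    only this client's network path is seeing a different key
    """
    if not reports:
        return "inconsistent"
    durations: List[int] = []
    for observations in reports.values():
        for fp, first_seen, last_seen in observations:
            # Only a record that is still current counts as agreement.
            if fp == observed_fp and last_seen >= today - timedelta(days=1):
                durations.append((last_seen - first_seen).days)
                break
    if len(durations) / len(reports) < quorum:
        return "inconsistent"
    if min(durations) < min_days:
        return "recent-change"
    return "trusted"


def assess(der_bytes: bytes, reports: Reports, today: date,
           blacklist: Dict[str, str]) -> str:
    """Step one (local blacklist) before step two (notaries): a blacklisted
    key is rejected whatever the notaries say."""
    fp = fingerprint(der_bytes)
    if fp in blacklist:
        return "blacklisted"
    return quorum_verdict(fp, reports, today)


# --- constructed sample data ------------------------------------------------
TODAY = date(2009, 3, 15)
GOOD_CERT = b"constructed: certificate shop.example has used for months"
NEW_CERT = b"constructed: certificate shop.example rotated to this week"
ROGUE_CERT = b"constructed: certificate only this client is being shown"
BAD_CERT = b"constructed: certificate whose key is on the blacklist"

LOCAL_BLACKLIST = {fingerprint(BAD_CERT): "constructed: known compromised key"}


def reports_for(fp: str, first_seen: date, last_seen: date = TODAY,
                notaries: int = 4) -> Reports:
    """Identical records from `notaries` constructed notary servers."""
    return {f"notary-{n}.example": [(fp, first_seen, last_seen)]
            for n in range(1, notaries + 1)}


LONG_SEEN = reports_for(fingerprint(GOOD_CERT), date(2008, 9, 1))
JUST_ROTATED = reports_for(fingerprint(NEW_CERT), date(2009, 3, 13))
# Two of four notaries still report the old key: below a 75% quorum.
SPLIT = {**reports_for(fingerprint(GOOD_CERT), date(2008, 9, 1), notaries=2),
         **{f"notary-{n}.example": [(fingerprint(NEW_CERT), date(2009, 3, 13), TODAY)]
            for n in (3, 4)}}


if __name__ == "__main__":
    for label, cert, reports in [("long-seen key", GOOD_CERT, LONG_SEEN),
                                 ("rotated key", NEW_CERT, JUST_ROTATED),
                                 ("split notaries", GOOD_CERT, SPLIT),
                                 ("client-only key", ROGUE_CERT, LONG_SEEN),
                                 ("blacklisted key", BAD_CERT, LONG_SEEN)]:
        verdict = assess(cert, reports, TODAY, LOCAL_BLACKLIST)
        print(f"{label:16} {fingerprint(cert)}  -> {verdict}")
```

The "inconsistent" verdict is the one the Perspectives approach exists for: a client whose connection is being intercepted sees a key that none of the notaries, reaching the host over other paths, have ever recorded. The "recent-change" verdict is the deliberately ambiguous case, since a site that has just rotated its certificate looks the same to the notaries as one whose key was substituted everywhere a few days ago, which is why the plug-in lets the user tune how long a key must have been seen before it counts.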
It is not forbidden “to dream”, is it? Whenever you take the situation as it stands for granted, well, you have lost all aspiration to do any better. On the other hand, the people that use zero n00b security will not turn here to learn otherwise. The small community that uses Fx or Flock or SRWare's Iron are the users that are better security-oriented people, knowing what they do and why they acquired this knowledge.
If it were true what you say, and again I fear it is, we had better throw in the towel and let all computers be turned into malware-spewing zombie machines herded by botnet owners and being fully overgrown by malicious code like ill-weed until their nitwit owners buy a newer, faster and more expensive model, being even better for the existing economy, and better for those on a low budget to be left with these machines that can be easily cleansed,
Since Firefox 3 was launched, Mozilla was more concerned about "Extended Validation Certificates", enabling added security as such, as the identity behind the sites visited is thoroughly checked. The certificates to do this do not differ much from normal certificates, and because they are rather costly, are not being used by many websites. Because the majority of the sites have plain SSL certificates, Firefox 3 is not handling these normal certificates properly. The golden lock has now been replaced with the site favicon held inside a blue frame; this is not clear to everyone, and also open to abuse.
Better than the golden lock, IMHO. I agree with the Firefox developers' rationale for the change.
To make things stand out a bit more for Firefox 3 users you can go to "about:config" and change the value of the key browser.identity.ssl_domain_display from 0 to 1. This will make HTTPS sites stand out more to the user's eye.
Homemade certificates
Another problem that will cause misunderstanding is the warnings for HTTPS sites
that have a valid certificate, but did not pay additionally to Verisign.
That is why warnings like "this website does not supply identity information" are being shown,
while the certificate as such is valid and checked.
I don’t know how recently this was changed, but in the current version, Fx 3.0.7,
I see a much more informative message than “this website does not supply identity information”. Have you looked at it recently?
Edit: “This website does not supply identity information.” is the favicon tooltip for web pages that don’t use a certificate at all.
I’ve installed the Perspectives extension in Firefox. It provided me a valid alert once when I tried to force https on a site which didn’t have a valid certificate.
I mostly agree with David. In general, security which depends on educated, proactive users is indeed “of little worth”. The Firefox developers are working toward a UI which makes it much more obvious when something suspicious is afoot. Also, Firefox is incorporating a security model which relies less on the user making the security decisions. If a user is prompted for a decision at all, the prompt strongly advises denying the suspicious and potentially dangerous action. http://www.cs.auckland.ac.nz/~pgut001/pubs/usability.pdf
I agree with you, polonus, that there are things we educated, proactive users can do to enhance our security, and I appreciate your suggestions.