Firstly: I am a Firefox user. I have been involved in the Mozilla community (not greatly, but slightly) nearly since its inception, so I use Firefox almost exclusively on every machine and OS.
Yes, Opera, Google Chrome and Apple Safari are very good today as well, and even Internet Explorer has caught up. But I am happy to keep using Firefox.
But how secure is Firefox?
No, there is no need to lecture me on the benefits of open source versus proprietary. The huge number of users and developers involved with Firefox make the core browser very secure. Critical security bugs are frequently found, but because it is open source they are squashed swiftly. So the core browser is very secure in my mind.
But Firefox is marketed as a very powerful browser because of its adaptability via extensions/add-ons [1]. They certainly make Firefox easy to use, and fit well with the varied ways people use it. The majority may not use add-ons, as they are happy with just a simple browser. Still, a large number of people use one or two, and many use several. Add-ons are perhaps the main reason I am using Firefox over other browsers, as they make my day so much easier and more pleasant.
But how secure are these add-ons?
The core browser is trusted because of its sheer number of peer reviewers and contributors, so I trust it to be secure. But each tiny add-on has few developers, and not many reviewers. I am not sure how "open source" their actual deployed code is either.
So do these add-ons basically make the Firefox browser brittle?
I think so, and other people are trying to warn us about the risks.
How big are these risks? What may have spared the add-ons so far is that there are so many of them and the install base is so varied that targeting a specific add-on may not be worth it. (Similar to why Firefox itself was not targeted until more recently.) However this is a bit naïve, and some add-ons are now installed by hundreds of thousands of users, if not more.
So what can we or Mozilla do?
The simple solution is to not install any add-ons. Certainly safe. However that is being paranoid, and does not move the world forward.
What I think is needed are ways to harden the code and increase trust in specific add-ons. Closed-source extensions such as Flash, Silverlight and Java are out of scope (but Gnash, Moonlight and OpenJDK may not be?)
How we achieve this I do not know, but I hope there will be more, and open, discussion about it. Ways of increasing peer review; ways of making it clearer to users of the add-ons website how many people trust the relevant add-on, and who they are, perhaps by some voting mechanism (and the opposite). Sharing code bases to minimise risk and increase peer review must be advantageous. Does Mozilla already scan add-on code for common risks? If not, it should definitely be implemented.
As it stands I will still use add-ons, and loads of them really. However I wish there was an easy status on the add-ons website that indicated how risky an add-on is. A simple chrome style change may carry a completely different risk than a powerful GreaseMonkey script with a variety of code elements.
The ramblings of Ivar Abrahamsen at flurdy.com. Contains ideas, ranting at innocents, blinkered sporting opinions, tech babble, and probably not enough to be interesting.
Friday, 1 May 2009
Friday, 22 August 2008
Firefox 3 ACHTUNG ACHTUNG self signed certificate
Lately, as a techie geek, a very minor thing has annoyed me. (Non-techies can switch off now.)
Firefox 3 was launched a few months ago, and it is a great evolution in browsers. The progress in security and anti-phishing is very laudable. But one thing really annoys me (hence this post):
The huge ACHTUNG ACHTUNG process when encountering a site that uses a self-signed certificate for SSL, and the reasons and responses given for why this is so.
A self-signed certificate is an SSL certificate for encrypting traffic to, and authenticating, the site you are visiting. Self-signed means that the certificate has not been signed by a third party (at least not one your browser knows), so the site's authenticity cannot be guaranteed. However the traffic is still fully encrypted.
Banks, web shops, medium to large businesses and high-volume web sites have no reason to use self-signed certificates. They can afford the cost and effort of setting up properly authenticated certificates. Expired and invalid certificates should not be accepted from them.
However for smaller organisations, charities, tiny businesses, personal sites and small applications, self-signed certificates are a great help. They are free and ensure encryption.
I have perhaps 50-odd tiny applications and web sites on a range of domains. I am not about to hand over $500-5000 a year to some third-party racketeering company to secure and authenticate all these sites. Especially as I probably make only about $100 a year on them, mostly from ads!
Yes, some of the sites are only used by me and a limited, known user group, so the warning is short-lived. However many of them are for the general public, and need volume to make any money or to be of any interest. If any becomes a huge success, then I can get a decent certificate, but most of them never will. The same goes for the rest of the web with similar issues to mine.
So what is the problem with Firefox 3?
When encountering a self-signed certificate, the new version of Firefox displays a full-page alert. This ACHTUNG, ACHTUNG alert, in striking yellow and with a policeman stopping you, is quite off-putting. To still view the site you have to go through four clicks of yes, really yes, accept, etc.
The previous version, Firefox 2, displayed a pop-up box where you could view the certificate and reject or accept it. Other browsers display similar warnings, though not quite as rigorous as FF 3's, which are not necessarily better.
With this new warning page, the majority of casual web users will either be put off by the effort needed to enter the site, or scared off by the warning. The minority of users who are technologically savvy will not be put off by the alerts, and will still be able to view the site. Users who are very specifically interested in the site will perhaps ask for assistance first, but may still view it. Depending on who your target users are, the majority may now never visit your site/app, or will already be slightly peeved.
So Firefox 3 is, by its actions, recommending that web sites not be encrypted.
Why the new warning?
The reasoning for a warning is that the site cannot be authenticated, so it may be a phishing attempt and/or a Man in the Middle Attack may have occurred. The new extended process is so users are more aware of this than before.
Valid points, and I believe users should be informed somehow. However I do not agree that the scale of the warning is justified. And it does create a huge hindrance for many valid web sites.
Benefits and risks of using certificates
If the site has a third-party-signed certificate, which all important sites should have, especially where money changes hands, then only a valid signed certificate is acceptable. Fair enough. But third-party signing does not guarantee authentication: you may still have mistyped the URL, the third party may not have rigorously checked the authenticity of the site before signing the certificate, etc. But it is usually a safe bet that it is secure.
Expired or invalid certificates for important sites are not acceptable either. But again, for less important, less resource-rich people and organisations, they should be acceptable to a degree. At least the site is authenticated. But for general web sites these certificates show laxness on behalf of their IT, and should be noted in some way.
Self-signed certificates are great at ensuring encryption. This prevents network snooping of passwords etc., which is very easy to do. Yes, they cannot authenticate the site. And a Man in the Middle Attack is possible if it is the first time you visit the site. However Man in the Middle Attacks are extremely rare and difficult to do. Self-signed is not for banks etc.
Changed certificates. Sometimes for valid reasons a certificate is changed, e.g. when the old one expires. This should be warned about, and yes, especially for self-signed certificates, a big alert warning should be prompted.
No certificate, as in plain http, unencrypted traffic. I believe we should use SSL/TLS as much as possible. When you need to log on in any way, the site should be encrypted. Any data specifically to/about you sent over the net should not be snoopable by casual listeners.
Developer responses and people's comments
What also really annoyed me is the reasoning by developers, and the advocacy in people's comments on articles about this warning.
They say it is better to block people than to allow access to unauthenticated sites. Or that people really need to be warned, and if they are not smart enough then too bad. Which is just bad business and ignorant.
Or that there is no excuse not to cough up for certificates, and that self-signed sites do not deserve any pity. Well, that is okay for rich people, but not for me, and not for the millions of tiny sites that make up the majority of the web!
Or the typical techie reply that the warning is no problem, only a few clicks, and they really like the information, etc. Which is again ignorant of the huge portion of users who will be terrified by this unfriendly warning.
Or that Man in the Middle Attacks are really dangerous and should take priority over any usability. No, MitM attacks are rare, very rare. Yes, they are important to protect against, but we should not stop people using the web by doing so.
Or that unauthenticated SSL is worse than plain http because it may give an impression of authentication. No, plain unencrypted http is terrible, as snooping is easy and common. It really is a problem with how browsers show the distinction between unauthenticated and authenticated sites, not with the sites.
The outcome and my suggestions
The current police warning in Firefox 3 is a very bad solution. It will cause:
* Many self-signed sites to convert to unencrypted.
* Easier snooping of people's passwords as sites go unencrypted.
* Some self-signed sites to purchase certificates.
* Loss of information spread, ad revenue and business for small sites.
* Loss of confidence in Firefox's progress on usability.
What Firefox needs to do is distinguish the different states of certificates (which it already does to a degree).
Signed 3rd-party certificates:
Display the new signed favicon as it does, with the lock in the status bar etc. No problems with it.
Expired or invalid signed certificates:
Warn but allow access.
Changed signed certificates:
No warning.
Self-signed certificates on first encounter:
Warn but allow access, but not with the ACHTUNG ACHTUNG approach. A simple change of icon to a red broken lock, as in previous Netscape versions, is enough information. A cleaner drop-down bar like the new remember-password bar, allowing import and inspection of the certificate with links for more information, would be much better. Maybe colour the location bar red until the certificate is accepted. Otherwise the certificate is not kept once the session is over.
Self-signed certificates on re-encounter with a previously accepted certificate:
No warning. Just the red lock. Or with a question mark over the favicon.
Changed self-signed certificate:
ACHTUNG ACHTUNG warning.
No certificate, unencrypted:
Maybe this should be changed to show users that it is not secure in any way?!
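The state table above, written out as a trust-on-first-use policy. This is an added example, not code from the original post or from Firefox: `Observed`, `PinStore` and the sample fingerprints are constructed assumptions, and certificate facts are plain fields rather than parsed X.509 data.

```python
"""Added example, not code from the original post or from Firefox: the
certificate-state table the post proposes, as a trust-on-first-use policy.
Certificate facts are plain fields, not parsed X.509; all values are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from hashlib import sha256
from typing import Dict, Optional

class Verdict(Enum):
    OK = "signed favicon and lock, no warning"        # CA-signed and valid
    WARN_ALLOW = "warn but allow access"              # CA-signed, expired/invalid
    TOFU_PROMPT = "red broken lock, drop-down bar to inspect or import"
    KNOWN_SELF_SIGNED = "red lock only, no warning"   # pinned fingerprint seen again
    ACHTUNG = "full-page warning"                     # pinned fingerprint changed
    INSECURE = "plain http, show as not secure"

@dataclass(frozen=True)
class Observed:
    host: str
    fingerprint: Optional[str]  # hex digest of the leaf cert; None = no TLS at all
    ca_trusted: bool = False    # chains to a CA the browser already knows
    valid: bool = False         # dates and hostname check out

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the usual way a certificate is pinned."""
    return sha256(der).hexdigest()

@dataclass
class PinStore:
    """Pins for self-signed certs only; session pins vanish at end_session()."""
    permanent: Dict[str, str] = field(default_factory=dict)
    session: Dict[str, str] = field(default_factory=dict)

    def lookup(self, host: str) -> Optional[str]:
        return self.permanent.get(host) or self.session.get(host)

    def accept(self, obs: Observed, permanent: bool = False) -> None:
        if obs.fingerprint is None or obs.ca_trusted:
            raise ValueError("only self-signed certificates are pinned")
        target = self.permanent if permanent else self.session
        target[obs.host] = obs.fingerprint

    def end_session(self) -> None:
        self.session.clear()

def decide(obs: Observed, pins: PinStore) -> Verdict:
    """Map one observed connection to the UI treatment the post argues for."""
    if obs.fingerprint is None:
        return Verdict.INSECURE
    if obs.ca_trusted:
        # CA-signed certificates are never pinned: rotation is routine, so a
        # changed but valid one gets no warning and an expired one a mild one.
        return Verdict.OK if obs.valid else Verdict.WARN_ALLOW
    pinned = pins.lookup(obs.host)
    if pinned is None:
        return Verdict.TOFU_PROMPT       # first encounter: warn, allow, do not pin yet
    if pinned == obs.fingerprint:
        return Verdict.KNOWN_SELF_SIGNED
    return Verdict.ACHTUNG               # the one case the post reserves the big alert for
```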
Enough ranting. No one will read this (not the whole post anyway) :)
(PS. A Man in the Middle Attack is when some other machine between you and the site pretends to be the site, intercepts your traffic, and responds with its own fake certificate.)