Firefox 3 – Handling of unverified SSL certificates
Firefox 3 is now well and truly into its beta phase, and one of the headline features is the way that it handles invalid SSL certificates.
I first noticed this when building a test environment to trial a few different web-based CRM systems, and I’ve got to say that there are some big pluses to this.
SSL certificates are cheap now, and for any commercial site out there, there is really no excuse for not using a real certificate. Windows Vista has proved that if you present users with a dialogue box enough times they will just habitually click through without a second thought, thus making them vulnerable to a plethora of security woes. This is a big security step forward and will hopefully encourage businesses out there to pull their socks up when it comes to using valid certificates (the biggie is likely to be the ability to use self-signed SSL certs in Exchange/OWA!)
There is a method of bypassing this (if needed for testing purposes). For example, I want to test a site in a lab environment, therefore my vulnerability to man-in-the-middle attacks is absolutely zero….
You can go to Preferences->Advanced Preferences->Encryption->View Certificates->Add Exception and then get and approve the certificate for your server…
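Before approving an exception, it is worth checking that the certificate you are about to trust is the one your lab server actually holds. The following is an added example, not part of the original post: it computes a certificate fingerprint to compare against a value recorded on the server itself and against the fingerprint shown when you view the certificate in the Add Exception dialog. The function names and the sample certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import ssl


def fetch_pem(host, port=443):
    """Fetch the certificate a server presents, without validating it (lab use)."""
    return ssl.get_server_certificate((host, port))


def fingerprint(pem, algo="sha256"):
    """Colon-separated hex digest of the DER-encoded certificate.

    Pass algo="sha1" (or another hashlib name) to match whichever
    fingerprint type your certificate viewer displays.
    """
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalise(fp):
    # Accept fingerprints pasted with or without colons/spaces, in any case.
    return fp.replace(":", "").replace(" ", "").upper()


def matches(pem, expected, algo="sha256"):
    """True only if the presented certificate hashes to the recorded value."""
    actual = _normalise(fingerprint(pem, algo))
    return hmac.compare_digest(actual, _normalise(expected))


# Constructed stand-ins for certificate bytes (not real X.509 data), so the
# example runs offline. A fingerprint is a hash of the raw DER bytes, so any
# byte string exercises the comparison logic.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
OTHER_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER[::-1])

if __name__ == "__main__":
    # In practice: record this value on the server itself, out of band,
    # and obtain the presented certificate with fetch_pem("lab-host").
    recorded = fingerprint(SAMPLE_PEM)
    print("recorded:", recorded)
    print("expected cert matches:", matches(SAMPLE_PEM, recorded))
    print("different cert matches:", matches(OTHER_PEM, recorded))
```

If the comparison fails, the certificate being presented is not the one on your server and the exception should not be added.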
Commentary with the Firefox developers is available here: https://bugzilla.mozilla.org/show_bug.cgi?id=431827
….and a good explanation of the reasoning behind the fix here:
http://blog.johnath.com/index.php/2007/10/11/todo-break-internet/
