MozillaZine

disable "This Connection is Untrusted" messages

User Help for Mozilla Firefox
Bluefang

User avatar
 
Posts: 7846
Joined: August 10th, 2005, 2:55 pm
Location: Vermont

Post Posted February 2nd, 2010, 10:43 am

People, remember that FF users are also a programmers, system administrators and generally computer-savvy people, that actually know what they are doing, and these are not the regular type of users.

That is becoming less and less true. In fact, I'd be willing to wager that, currently, the majority of Firefox users are not.

Mozilla, please read those messages and take care of that annoying feature that prevents the users from actually browsing the net.

It's not preventing people from doing anything. In fact, it is a meaningful message that actually makes SSL meaningful. And aside form people who use servers with constantly changing certificates, it is a one-time thing to add an exception.

Please also understand that there are proxies or internal sites, or even a security software that uses self-signed certificates, and they change every build or on every connection.

If you're behind a proxy (or anything that intercepts secure transmissions), you probably shouldn't be using anything that requires SSL.

And for users on internal networks, they should contact their IT people to have them actually set it up properly (i.e. create their own root CA, distribute it, and sign all of the certificates using that).

The fact that this is actually a problem just goes to show how poor of a state SSL really is in. If people aren't following the rules, then the system is meaningless.

So, please save us, like, 2 hours of total 24 clicking here and there, and give us a chance to embrace all the risk for doing this.

http://kb.mozillazine.org/Browser.xul.e ... t_bad_cert
http://kb.mozillazine.org/Browser.ssl_override_behavior

Saves you some clicks.
There have always been ghosts in the machine... random segments of code that have grouped together to form unexpected protocols. Unanticipated, these free radicals engender questions of free will, creativity, and even the nature of what we might call the soul...

Henry Lloyd
Guest
 

Post Posted February 3rd, 2010, 1:47 am

Bluefang, apparently you're not reading the entire thread carefully. The suggested links don't work, I mean, the solutions don't work. Is it an inconsistency in FF ? So, if FF is targeted only to non-programmers and sysadmins, I shall be forced to leave it in favor of either Opera or Chrome - they don't have such annoying features. It's plain and simple. IT people in my department are certainly aware how to manage certificates, but there are pieces of code generated every day, if not twice a day - having a different real issued certificate for each build is nonsense. This is my point, I don't care how bad SSL is, I just need option to override that behavior, the way it was before. This is a similar case with Pidgin IM where developers have decided not to give the users an option to resize the input window with some stupid arguments, despite of users' protests and the bugs submitted to fix this - over 2000. I left Pidgin behind just because of this attitude - "We will tell you what's best for you" - the software is intended to be used by people, the users, not only the developers. It's very simple. So how many messages and bugs will take for Mozilla to fix this, or graciously provide an option to disable it completely at our own risk ? I don't have much time waiting. And no, I'm not behind a proxy, but even if I was (sometimes it's happening) I MUST be able to decide what to do. Or you're saying the the users of FF are all stupid and we should prevent their attempts to fall into the snake pit ?
See, it's not a matter of configuring or something on the user's side - the infamous messages that are not helping anyone, like : "it could be a firewall/virus/trojan/antivirus software, proxy, your OS, your profile, your time zone, your extensions, some earthquakes in the area, magnetic storms in your building, bla bla, etc". It's a matter of deliberate change without option to bring the old one back - do you remember Google changing the UI of Gmail - they had and I believe still have a link to the old one. Again, it's very simple.

Gopher John

User avatar
 
Posts: 1721
Joined: May 8th, 2008, 3:42 pm
Location: Northwest Ohio

Post Posted February 3rd, 2010, 8:44 am

SSL is under constant attack. Perhaps the hackers are smelling blood. One of the more recent attacks is going on now against PayPal and the CIA. See http://www.securityfocus.com/news/11572

These attacks make the warning even more relevant and necessary.
The significant problems we face cannot be solved at the same level of thinking we were at when we created them. - Albert Einstein

shobha_satpute
Guest
 

Post Posted February 3rd, 2010, 8:51 am

philcox wrote:Firefox 3 is a bit boring with the "This Connection is Untrusted" messages on some sites, caused by the fact the sites probably did not pay their fees to the "certification" companies, or do not have any (I don't care at all as long it is not a banking site).

How to disable these messages ? about:config option ?

The certificate is not trusted because the issuer certificate is unknown. The certificate is only valid for sina
(Error code: sec_error_unknown_issuer)

dickvl

User avatar
 
Posts: 51451
Joined: July 18th, 2005, 3:25 am

Post Posted February 3rd, 2010, 1:58 pm

Did you retrieve the certificates to check who issued the certificates?
You should always do that to see if that helps to identify the problem (missing intermediate certificate or something else).

You can test a website via one of the SSL checking websites.
http://www.networking4all.com/en/suppor ... ite+check/
http://www.sslshopper.com/ssl-checker.html

If such a check confirms that there is a problem then you know that it is not on your site.
Firefox stores intermediate certificates automatically if you visit a website that sends them and use them on websites that do not send them.

Bluefang

User avatar
 
Posts: 7846
Joined: August 10th, 2005, 2:55 pm
Location: Vermont

Post Posted February 3rd, 2010, 5:02 pm

Bluefang, apparently you're not reading the entire thread carefully. The suggested links don't work, I mean, the solutions don't work.

I didn't say they's "fix" the problem. I said it'd save you some clicks.

So, if FF is targeted only to non-programmers and sysadmins, I shall be forced to leave it in favor of either Opera or Chrome - they don't have such annoying features.

Feel free. No one is stopping you other than yourself.

It's plain and simple. IT people in my department are certainly aware how to manage certificates, but there are pieces of code generated every day, if not twice a day - having a different real issued certificate for each build is nonsense.

If they're generating self-signed certificates for every build already, then it is a pretty minor change to have those generated certificates signed by a Root CA that the IT people create. Then they just need to distribute the root cert.

This is a fairly easy concept to understand. So either they don't understand or they're being lazy.

I left Pidgin behind just because of this attitude - "We will tell you what's best for you" - the software is intended to be used by people, the users, not only the developers.

No, the position of Pidgins developers, is that they're writing it for them selves (i.e. arbitrary will and the users don't matter) and they just chose to also distribute it.

At least Mozilla has the best intentions in mind with the changes they've made. They're adhering to the SSL spec and choose not to allow users to disable the relevant errors.

It's very simple. So how many messages and bugs will take for Mozilla to fix this, or graciously provide an option to disable it completely at our own risk ? I don't have much time waiting. And no, I'm not behind a proxy, but even if I was (sometimes it's happening) I MUST be able to decide what to do. Or you're saying the the users of FF are all stupid and we should prevent their attempts to fall into the snake pit ?

1. I seriously doubt that Mozilla will change this behavior, and I hope they don't.
2. Yes, the majority of [computer] users ARE stupid when it comes to security and privacy.
3. Mozilla is not preventing you from visiting the site (or all into the snake pit as you say). The only thing it does is slightly slow you down, and it only takes a couple seconds to add an exception.
There have always been ghosts in the machine... random segments of code that have grouped together to form unexpected protocols. Unanticipated, these free radicals engender questions of free will, creativity, and even the nature of what we might call the soul...

Henry Lloyd
Guest
 

Post Posted February 8th, 2010, 6:13 am

This is the first time I see a user given a chance to boot off the software by a member / lover of the software or perhaps a developer. Apparently, this is the type of attitude I'm talking about when referring to Pidgin. It is the intentional change that breaks my daily usage (and not only me), with no option to restore the old behavior. It's extremely simple, and I don't need more arguments. It was working this way, now it's working the other way. Yes, I will leave Firefox, and I will make sure to distribute this message to more people, unless it gets deleted promptly by admin. I will show the world the attitude of Mozilla.

Gopher John

User avatar
 
Posts: 1721
Joined: May 8th, 2008, 3:42 pm
Location: Northwest Ohio

Post Posted February 8th, 2010, 7:25 am

Henry Lloyd wrote:This is the first time I see a user given a chance to boot off the software by a member / lover of the software or perhaps a developer. Apparently, this is the type of attitude I'm talking about when referring to Pidgin. It is the intentional change that breaks my daily usage (and not only me), with no option to restore the old behavior. It's extremely simple, and I don't need more arguments. It was working this way, now it's working the other way. Yes, I will leave Firefox, and I will make sure to distribute this message to more people, unless it gets deleted promptly by admin. I will show the world the attitude of Mozilla.


Goodbye. :D
The significant problems we face cannot be solved at the same level of thinking we were at when we created them. - Albert Einstein

xdfe
Guest
 

Post Posted February 9th, 2010, 9:16 pm

Bluefang wrote:3. Mozilla is not preventing you from visiting the site (or all into the snake pit as you say). The only thing it does is slightly slow you down, and it only takes a couple seconds to add an exception.


The problem here is that this too introduces a security flaw. Suppose site X uses an invalid certificate, and since I don't intend to exchange any sensitive information with the site, I add an exception. Now next time I visit that site, or a different site using that certificate, the certificate remains trusted and I receive no warning that something is amiss. This increases my vulnerability if the now-trusted certificate is used to orchestrate a man-in-the-middle attack against me.

What is being asked for in this thread is the ability to add a one-time exception, to proceed without trusting the certificate forever. This behavior of Mozilla is rooted in the logical fallacy that if all secure transactions require SSL/TLS, then all SSL/TLS transactions also require security. But this is not true -- there are many sites that display only informational content over SSL, and while needlessly so, requesting the content provider to move the site to a nonsecure channel is not typically an option. For these sites, Mozilla gives users the option to (a) trust an invalid certificate by adding it as a permanent exception, or (b) forgo access to the site altogether. When (b) is not an option, it exposes nontechnical users to jump through hoops needlessly; but, more critically, nontechnical users are encouraged to trust an invalid cert in perpetuity and without reservation.

For all parties involved, allowing users to use an invalid certificate for the duration of the session, with an appropriate warning and without adding an exception, would be a more secure option.

teoli2003
 
Posts: 5091
Joined: November 10th, 2005, 2:54 am

Post Posted February 10th, 2010, 12:28 am

xdfe wrote:
What is being asked for in this thread is the ability to add a one-time exception, to proceed without trusting the certificate forever.

So be happy: this is the case right now. When you add an exception, it is by default a one-time exception. You have to check a check-box to make it permanent.

By the way, I wonder if you ever tried it before to come here...

Bluefang

User avatar
 
Posts: 7846
Joined: August 10th, 2005, 2:55 pm
Location: Vermont

Post Posted February 10th, 2010, 4:39 am

Suppose site X uses an invalid certificate, and since I don't intend to exchange any sensitive information with the site, I add an exception. Now next time I visit that site, or a different site using that certificate, the certificate remains trusted and I receive no warning that something is amiss. This increases my vulnerability if the now-trusted certificate is used to orchestrate a man-in-the-middle attack against me.

...

For all parties involved, allowing users to use an invalid certificate for the duration of the session, with an appropriate warning and without adding an exception, would be a more secure option.

1. When you add an exception, you can choose to make it permanent or not. There's no reason for Firefox to notify you each time you visit the site if you added an exception.

2. The exception is only added for the site/server/domain that it was received on. So even if you visit another site with the same certificate, you'd still get an error. And because certificates are signed for a specific domain, it wouldn't be the same certificate. If a certificate is used on a domain it is not signed for, then that produces another error.

3. Adding an exception does give you a certain level of security, provided the site is not compromised when you add the exception. If the site is compromised, you'll be alerted that the certificate was changed from the one you added as an exception.

What is being asked for in this thread is the ability to add a one-time exception, to proceed without trusting the certificate forever.

Uncheck the "Permanently store this exception" option.

This behavior of Mozilla is rooted in the logical fallacy that if all secure transactions require SSL/TLS, then all SSL/TLS transactions also require security. But this is not true -- there are many sites that display only informational content over SSL, and while needlessly so, requesting the content provider to move the site to a nonsecure channel is not typically an option.

That's the site's decision, not Mozilla's. The only thing Mozilla is obligated to do is enforce the SSL rules.
There have always been ghosts in the machine... random segments of code that have grouped together to form unexpected protocols. Unanticipated, these free radicals engender questions of free will, creativity, and even the nature of what we might call the soul...

Guest
Guest
 

Post Posted February 17th, 2010, 5:58 pm

This is BS it pops up on 1 pc but not in the other, its annoying, in fact it itself is the only concern i have...causes more harm then good. I want to disable it but none of you even mentioned to answer the post titled "disable "This Connection is Untrusted" messages" big fail!

Bluefang

User avatar
 
Posts: 7846
Joined: August 10th, 2005, 2:55 pm
Location: Vermont

Post Posted February 17th, 2010, 6:44 pm

That's because you can't disable it.

The likely reason it doesn't show up on one PC is that you added an exception. To check you can go to:

Tools -> Options -> Advanced -> Encryption -> View Certificates -> Servers
There have always been ghosts in the machine... random segments of code that have grouped together to form unexpected protocols. Unanticipated, these free radicals engender questions of free will, creativity, and even the nature of what we might call the soul...

Oh sure
Guest
 

Post Posted February 19th, 2010, 2:25 am

I think the essence of the topic is how to disable this annoying feature, evidently, there's no option to do that, despite the 7 pages written so far. This is the type of behavior that Google showed with Buzz - you are opted in by default with no option to let the feature go. Well, this is pity, and there's even more annoying side of that coin - sometimes it simply doesn't work, as instead, it pops-up multiple times asking you what to do. Unfortunately, this is occasionally reproducible, which means that fluctuating code had been written, otherwise it would have been seen every time. Bad score, Mozilla.

LIMPET235
Moderator

User avatar
 
Posts: 34491
Joined: October 19th, 2007, 1:53 am
Location: The South Coast of N.S.W. Oz.

Post Posted February 19th, 2010, 2:37 am

Just in case this wasn't posted in the other 6 pages...
"We" are not Mozilla.org/.com & have no say in what changes are made.
"We" are just a user to user help forum.
> http://www.mozillazine.org/about/
Ancient Amateur Astronomer
Win-7-HP/Intel® DualCore-2.0GHz/500G HDD/4 Gig Ram/550Watt PSU/350WattUPS/Firefox-20.0-30.0-36.0.1/T-bird-2.0.0.24/SnagIt-v10.0.1/MWP-7.5.0.
RadioYachting. Conficker Test.

Return to Firefox Support


Who is online

Users browsing this forum: a31modela and 19 guests