<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Noah's Mark - Latest Comments in Firefox&amp;#8217;s SSL policy is not bad, you idiot</title><link>http://noahsmark.disqus.com/</link><description></description><atom:link href="https://noahsmark.disqus.com/firefox8217s_ssl_policy_is_not_bad_you_idiot/latest.rss" rel="self"></atom:link><language>en</language><lastBuildDate>Sun, 13 Sep 2009 04:50:51 -0000</lastBuildDate><item><title>Re: Firefox&amp;#8217;s SSL policy is not bad, you idiot</title><link>http://noahsmark.com/2008/08/19/firefoxs-ssl-policy-is-not-bad-you-idiot/#comment-16532524</link><description>&lt;p&gt;Besides the funny &lt;a href="http://www.123-reg.co.uk/ssl-certificates/" rel="nofollow noopener" target="_blank" title="http://www.123-reg.co.uk/ssl-certificates/"&gt;ssl certificates&lt;/a&gt; messages Firefox is using, I also got another funny message when my browser crashed. It was something like this: "This is embarrassing...". When I first saw it I had to print screen it and send it to my entire messenger list. Now when I get it I'm as mad as hell because it happens at least twice per day. I finally upgraded. I really hope Firefox won't crash anymore.&lt;br&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">eddiepetosa</dc:creator><pubDate>Sun, 13 Sep 2009 04:50:51 -0000</pubDate></item><item><title>Re: Firefox&amp;#8217;s SSL policy is not bad, you idiot</title><link>http://noahsmark.com/2008/08/19/firefoxs-ssl-policy-is-not-bad-you-idiot/#comment-13701955</link><description>&lt;p&gt;I certainly appreciate your effort to make your grandma's internet experience safe. ;-) However, there's one thing you're fundamentally getting wrong. Firefox's shiny little lock icon is some kind of special endorsement. So whenever the conditions for this endorsement are not fulfilled, just don't make it! Just treat this web session like a normal unencrypted one. Where's the problem? 
Just leave out the lock symbol.&lt;/p&gt;&lt;p&gt;What Firefox does, however, is demonising SSL w/o trusted certificate while it is still, by orders of magnitude, more secure than not encrypting at all. This is nonsense.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Victor Hahn</dc:creator><pubDate>Thu, 30 Jul 2009 21:25:00 -0000</pubDate></item><item><title>Re: Firefox&amp;#8217;s SSL policy is not bad, you idiot</title><link>http://noahsmark.com/2008/08/19/firefoxs-ssl-policy-is-not-bad-you-idiot/#comment-2347808</link><description>&lt;p&gt;Good read. I think it's a good system to get in your face; especially for my relatives who are computer illiterate. This step is completely necessary to protect any user from doing harm to themself.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">PaulSolt</dc:creator><pubDate>Sun, 14 Sep 2008 13:23:55 -0000</pubDate></item><item><title>Re: Firefox&amp;#8217;s SSL policy is not bad, you idiot</title><link>http://noahsmark.com/2008/08/19/firefoxs-ssl-policy-is-not-bad-you-idiot/#comment-1668040</link><description>&lt;p&gt;Because they are different services - note the keyword _verification_ in that second part. The first part, the "I want a domain name here plzthx", isn't a complicated problem because there aren't many (enforced) trust/identity strings attached. Also, because there are an inordinate amount of domains being registered and a much smaller number of sites getting SSL certs, I can only imagine the cost for the first will be much cheaper than the second. Sounds pretty simple to me.&lt;/p&gt;&lt;p&gt;Oh, and the real answer is, "because they charge that much and people will pay it." 
Enter capitalism.&lt;/p&gt;&lt;p&gt;Your suggestion, in the first paragraph, is for how a "trusted" authority should establish trust with an untrusted endpoint - you do some activity to prove to that party that you "own" the domain, and that third party, which is a trusted authority by some other definition, is depended on for its verification of your site. Maybe that is enough to establish trust, but how does it relate to the post?&lt;/p&gt;&lt;p&gt;If you want to complain about the methods CAs use to verify identity, then that is a different discussion. If you feel a CA charges too much for its services, find a different one. The digicert price I found was after clicking 2 links in a google search. I bet you can find better prices without looking too hard.&lt;/p&gt;&lt;p&gt;Or you get behind someone like &lt;a href="http://CACert.org" rel="nofollow noopener" target="_blank" title="CACert.org"&gt;CACert.org&lt;/a&gt;, who gives out free (as in beer) certs and (I believe) is still trying to be accepted by mozilla as a trusted root CA:&lt;br&gt;&lt;a href="https://bugzilla.mozilla.org/show_bug.cgi?id=21" rel="nofollow noopener" target="_blank" title="https://bugzilla.mozilla.org/show_bug.cgi?id=21"&gt;https://bugzilla.mozilla.or...&lt;/a&gt;...&lt;/p&gt;&lt;p&gt;Mozilla has a nice, fair, and public policy for how to become a trusted CA:&lt;br&gt;&lt;a href="http://www.mozilla.org/projects/security/certs/" rel="nofollow noopener" target="_blank" title="http://www.mozilla.org/projects/security/certs/"&gt;http://www.mozilla.org/proj...&lt;/a&gt;...&lt;/p&gt;&lt;p&gt;So I don't think there are major roadblocks preventing somebody from using your method to establish trust and charging less than $100 a year and getting accepted by mozilla as a root CA. 
Except, you know, capitalism.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">noah</dc:creator><pubDate>Tue, 19 Aug 2008 23:50:44 -0000</pubDate></item><item><title>Re: Firefox&amp;#8217;s SSL policy is not bad, you idiot</title><link>http://noahsmark.com/2008/08/19/firefoxs-ssl-policy-is-not-bad-you-idiot/#comment-1667871</link><description>&lt;p&gt;Server identity verification can and should be tested in the same manner that Google Apps does it - stick a new page up on your server or add a new CNAME record to prove you control the domain.&lt;/p&gt;&lt;p&gt;If domain names can be registered for under $10, why should domain name verification cost hundreds of dollars per year?&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">trevelyan</dc:creator><pubDate>Tue, 19 Aug 2008 16:02:26 -0000</pubDate></item></channel></rss>