secure connection failed – an improvement

A patch was recently checked into the Mozilla codebase that marks bug 327181 “Improve error reporting for invalid-certificate errors” as Resolved Fixed. This bug significantly changes the way Mozilla will handle invalid certificates and, as a result, will hopefully make RMD redundant, so earlier today I played around with a nightly build of Firefox 3.0 alpha (Minefield). My impression? I think the changes, while still rough around the edges, do a pretty good job of appeasing the various sides in the bad certificate handling saga.

The first thing you’ll notice when browsing to a website that presents an invalid security certificate is that the familiar mismatched domain error dialog is no more. Instead, an in-page Secure Connection Failed error is presented. Note that there is no way to temporarily accept the mismatch and visit the website:

[Image: secure connection failed]

Before websites that present invalid certificates can be visited, the certificate must first be added to the new security exceptions list. The dialog for this list is intentionally buried in the Preferences / Options dialog:
Edit > Preferences > Advanced > Encryption > View Certificates > Servers > Add Exception…

[Image: Firefox - Add Security Exception]

For current users of RMD, I think it would be helpful to get your impressions of the changes, and so I put together a little screencast of the new functionality in action. I encourage you to take a look and provide Mozilla with your feedback. Even better would be to download a recent build of Minefield and try it out for yourself.

Watch the overriding invalid certs screencast.
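
As an added illustration of the flow described above (not code from Firefox or from the original post), this Python example models the decision: a certificate with problems blocks the connection unless an exception was stored beforehand. Keying the exception to host, port and certificate fingerprint is an assumption of this model, the names `ExceptionList`, `certificate_problems` and `decide` are hypothetical, and the sample certificate is constructed.

```python
import hashlib
import ssl

def host_matches(pattern, host):
    """Hostname match; '*' may only stand for the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def certificate_problems(cert, host, now):
    """List what is wrong with cert (a dict shaped like ssl getpeercert()) for host."""
    problems = []
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(host_matches(name, host) for name in names):
        problems.append("domain-mismatch")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not-yet-valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems

class ExceptionList:
    """Assumed model, not Firefox's code: one certificate excepted per host:port."""
    def __init__(self):
        self._pins = {}
    def add(self, host, port, der):
        self._pins[(host.lower(), port)] = hashlib.sha256(der).hexdigest()
    def covers(self, host, port, der):
        return self._pins.get((host.lower(), port)) == hashlib.sha256(der).hexdigest()

def decide(host, port, cert, der, now, exceptions):
    problems = certificate_problems(cert, host, now)
    if not problems:
        return "connect"
    if exceptions.covers(host, port, der):
        return "connect-with-exception"
    return "blocked: " + ", ".join(problems)

# Constructed sample data; DER is a stand-in for the certificate's encoded bytes.
CERT = {"subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.shop.example.com")),
        "notBefore": "Jan  1 00:00:00 2007 GMT", "notAfter": "Jan  1 00:00:00 2009 GMT"}
DER = b"constructed-certificate-bytes"
NOW = ssl.cert_time_to_seconds("Oct 24 12:00:00 2007 GMT")
if __name__ == "__main__":
    exceptions = ExceptionList()
    print(decide("mail.example.com", 443, CERT, DER, NOW, exceptions))
    exceptions.add("mail.example.com", 443, DER)
    print(decide("mail.example.com", 443, CERT, DER, NOW, exceptions))
```

In this model a stored exception stops applying as soon as the site presents different certificate bytes or is reached on another port, so the user is asked again rather than silently trusting a replacement.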

7 Responses

  1. Iang says:

    October 24, 2007 at 10:41 am

    It is good to see that the plugins path for experimenting with security models is finally beginning to bear fruit! You’ve achieved more than I have in 4 years of ranting :)

    I am not sure what Minefield is, but it seems a very apt name for something that identifies sites.

    The sentence “Legitimate banks, stores, and other public sites…” is likely to make people’s blood boil. Misuse of the security model is rampant, so much so that trying to claim something about its results is a bit fraught.

    Maybe “Sites that have fully compatible certificates will not ask you to do this. Beware of phishing attempts to imitate valid sites.”


  2. andrew says:

    October 24, 2007 at 12:43 pm

    That’s some good feedback Iang. I’ve heard of others taking issue with the wording too and it’s important that Mozilla get it right. Do make sure you let ‘em know:
    http://www.mozilla.org/projects/minefield/

    (Minefield is the ‘code-name’ for Firefox 3).

    Thanks!


  3. Delfi_r says:

    November 7, 2007 at 10:45 am

    I think that it’s very different to add an exception before the connection than to remember a setting as in the RMD method.

    If I could choose I prefer the RMD method, asking for a fix and saving for the future.


  4. andrewlucking.com » rmd 1.4.6 & no rmd for firefox 3 says:

    January 8, 2008 at 9:50 pm

    [...] for this update is that I’m hoping version 1.4.6 will be the final release. Back in October I wrote about the new security exception features in Firefox 3 which essentially provide the functionality [...]


  5. Clif says:

    June 19, 2008 at 2:14 am

    Is it strange that I got this error page for gmail and facebook? As far as I can tell, they are as public as sites get.


  6. Fletch says:

    November 3, 2008 at 4:20 am

    There is no immediately obvious way to view the offending certificate. This is bad. I want to see it and figure out what’s wrong with it before I add an exception!


  7. Jan says:

    December 31, 2008 at 2:51 pm

    Can I just say that whatever Firefox did to this version is driving me crazy enough to resort to going back to using IE. I am getting these secure connection errors on just about every site I use, including Yahoo. If I override it, it works for that time, but the next time I go back..I have to do it again?? Seriously, who has that kind of time. They’d better find something to do with this version or I’m dumping it.

