secure connection failed - an improvement
A patch was recently checked into the Mozilla codebase that marks bug 327181 “Improve error reporting for invalid-certificate errors” as Resolved Fixed. This bug significantly changes the way Mozilla will handle invalid certificates and, as a result, will hopefully make RMD redundant, so earlier today I played around with a nightly build of Firefox 3.0 alpha (Minefield). My impression? I think the changes, while still rough around the edges, do a pretty good job of appeasing the various sides in the bad certificate handling saga.
The first thing you’ll notice when browsing to a website that presents an invalid security certificate is that the familiar mismatched domain error dialog is no more. Instead, an in-page Secure Connection Failed error is presented. Note that there is no way to temporarily accept the mismatch and visit the website:
Before websites that present invalid certificates can be visited, the certificate must first be added to the new security exceptions list. The dialog for this list is intentionally buried in the Preferences / Options dialog:
Edit > Preferences > Advanced > Encryption > View Certificates > Servers > Add Exception…
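
The behaviour described above, modelled as an added example (not Firefox code and not from the original post): a name mismatch blocks the connection unless an exception was stored beforehand. The class and function names are hypothetical, only the domain-mismatch case is modelled, and binding each exception to host, port and certificate fingerprint is an assumption of this sketch.

```python
import hashlib

def host_matches(pattern, host):
    """Match a certificate DNS name against a host; '*' covers one leftmost label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad wildcards such as '*.org'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

class ExceptionList:
    """Stored exceptions: (host, port) -> fingerprint of the one certificate accepted."""
    def __init__(self):
        self._pins = {}

    def add(self, host, port, der):
        self._pins[(host.lower(), port)] = fingerprint(der)

    def allows(self, host, port, der):
        return self._pins.get((host.lower(), port)) == fingerprint(der)

def decide(host, port, cert, exceptions):
    """cert: dict with 'names' (DNS names) and 'der' (raw bytes). Returns a verdict string."""
    if any(host_matches(n, host) for n in cert["names"]):
        return "connect"
    if exceptions.allows(host, port, cert["der"]):
        return "connect (stored exception)"
    # No click-through path: without a stored exception the page load stops here.
    return "Secure Connection Failed"

# Constructed sample data: the bytes stand in for DER-encoded certificates.
MISMATCHED = {"names": ["www.example.net"], "der": b"constructed-cert-A"}
SWAPPED = {"names": ["www.example.net"], "der": b"constructed-cert-B"}
WILDCARD = {"names": ["*.example.org"], "der": b"constructed-cert-C"}

if __name__ == "__main__":
    store = ExceptionList()
    print(decide("intranet.example.org", 443, MISMATCHED, store))
    store.add("intranet.example.org", 443, MISMATCHED["der"])
    print(decide("intranet.example.org", 443, MISMATCHED, store))
    print(decide("intranet.example.org", 443, SWAPPED, store))
```

In this model a stored exception stops applying as soon as the server presents a different certificate, which a blanket "ignore mismatch for this host" setting would not detect.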

For current users of RMD I think it would be helpful to get your impressions of the changes and so I put together a little screencast of the new functionality in action. I encourage you to take a look and provide Mozilla with your feedback. Even better would be to download a recent build of Minefield and try it out for yourself.

Iang says:
October 24, 2007 at 10:41 am
It is good to see that the plugins path for experimenting with security models is finally beginning to bear fruit! You’ve achieved more than I have in 4 years of ranting :)
I am not sure what Minefield is, but it seems a very apt name for something that identifies sites.
The sentence “Legitimate banks, stores, and other public sites…” is likely to make people’s blood boil. Misuse of the security model is rampant, so much so that trying to claim something about its results is a bit fraught.
Maybe “Sites that have fully compatible certificates will not ask you to do this. Beware of phishing attempts to imitate valid sites.”
andrew says:
October 24, 2007 at 12:43 pm
That’s some good feedback Iang. I’ve heard of others taking issue with the wording too and it’s important that Mozilla get it right. Do make sure you let ‘em know:
http://www.mozilla.org/projects/minefield/
(Minefield is the ‘code-name’ for Firefox 3).
Thanks!
Delfi_r says:
November 7, 2007 at 10:45 am
I think that it’s very different to add an exception before the connection than to remember a setting as in the RMD method.
If I could choose I prefer the RMD method, asking for a fix and saving for the future.
andrewlucking.com » rmd 1.4.6 & no rmd for firefox 3 says:
January 8, 2008 at 9:50 pm
[…] for this update is that I’m hoping version 1.4.6 will be the final release. Back in October I wrote about the new security exception features in Firefox 3 which essentially provide the functionality […]
Clif says:
June 19, 2008 at 2:14 am
Is it strange that I got this error page for gmail and facebook? As far as I can tell, they are as public as sites get.