Archive for August, 2008

I Want My Root CA (to work!)

August 5, 2008

Yes please! I’ll have some of that:

http://www.cs.uml.edu/~ntuck/mozilla/

That’s a blog post by somebody named Nat Tuck that’s gotten slashdotted and dugg within the last week.

Nat’s asking for a Firefox UI improvement – the present behavior in Firefox 3 is to balk when an SSL server presents a self-signed certificate, or a certificate that’s been signed by an unrecognized certificate authority. Nat suggests that the browser should be a little less forbidding when these certificates are encountered.

This is important! HTTPS is the best way to secure communication with a web server. An HTTPS connection uses SSL for encryption and authentication, meaning that if you are using an HTTPS connection you know that

  1. The server is who it claims to be (say, authenticated as Google.com);
  2. Nobody can see your data (your privacy is assured because data is encrypted on the wire); and
  3. The data you receive is what the server sent (integrity is assured because data is encrypted…).

But, there is a catch. The privacy and integrity assurance relies on encrypting the data that goes on the wire, and for this you only need the server’s SSL certificate. However, the authentication feature requires assistance from a trusted third party. This third party, a “root certificate authority” or root CA, has to confirm that the server’s SSL certificate is valid.

For example, Google uses HTTPS for secure sign-in to Gmail. Google presents a server certificate for *.google.com that you can choose to install in your browser when prompted. This server certificate is signed by a trusted third party, Thawte Consulting. Verisign is another well known root CA. So you really know that Google is Google…

Alright, now we get to the point – can you become a trusted third party for certification purposes? Even if it’s only to sign your own apps?

Well… not without a major hassle. Firefox essentially defines the set of trusted third parties in terms of root CA certificates that are shipped with the browser. You can take a look – open up the Preferences, go to the Advanced section, click the Certificates tab and dig around until you see a long list that includes certificates from Thawte and Verisign. See the second column in the table? Where it says “builtin object token”?

Certificates with the “builtin object token” association are shipped with the browser. If you go to the trouble of creating your own certificate, in other words, if you were to decide to become a root CA, and you then install that certificate in the browser, then you’ll eventually be looking at your certificate in that same list, but the second column won’t list the “builtin object token.” It will say “software security device” and Firefox won’t use it the same way it uses the built-in certificates.

And, what Nat is pointing out is that site producers are forced to pay $$$ (or $$$$!) to get their server certificates authenticated by a trusted root CA like Thawte or Verisign.

The problem with that, of course, is that most of us are going to be too cheap to fork over that money just to protect our hobby sites with SSL.

That leaves us without authentication, privacy or integrity assurances.

But! If self-signing our server certificates, or signing them with a private (non-trusted) root CA, were just a little less scary to the end user, then we’d at least have privacy and integrity.

Hence the request that the Firefox development team try to be a little less heavy-handed when SSL connections are not authenticated by a built-in root CA.

Pretty puh-leeze?
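The “become your own root CA” route the post talks about, as an added example that is not part of the original post or of Firefox: a private root is created with the openssl command-line tool, a server certificate for a constructed hostname is signed with it, and the result is then verified both against that private root and against an unrelated root standing in for a browser’s shipped “builtin object token” certificates. The CA subjects, the hostname hobby.example and the scratch directory are all assumptions.

```shell
#!/bin/sh
# Added example (not from the post): build a private root CA with the openssl CLI,
# sign a server certificate with it, and compare verification against (a) that
# private root and (b) an unrelated root standing in for a browser's shipped roots.
# Hostname, CA subjects and paths are constructed for this illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates
DAYS=365

# Create a self-signed certificate and key: this is the "become a root CA" step
# (and, issued for a hostname, it is also what a self-signed server cert is).
make_root_ca() {
    name="$1"; subj="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$DAYS" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" -subj "$subj" 2>/dev/null
}

# Generate a server key and CSR for a hostname, then sign the CSR with the named CA,
# adding a subjectAltName so clients can match the hostname.
issue_server_cert() {
    ca="$1"; host="$2"
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" -subj "/CN=$host" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
    openssl x509 -req -sha256 -days "$DAYS" -in "$WORK/$host.csr" \
        -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# Verify a certificate with the named trust anchor; prints ok/fail and
# returns openssl's verdict so callers can branch on it.
verify_against() {
    anchor="$1"; cert="$2"
    if openssl verify -CAfile "$WORK/$anchor.crt" "$WORK/$cert.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail; return 1
    fi
}

make_root_ca private_ca "/CN=My Private Root CA"     # the hobbyist's own root
make_root_ca builtin_ca "/CN=Stand-in Shipped Root"  # plays the browser's built-in root
make_root_ca hobby.example.self "/CN=hobby.example"  # a plain self-signed server cert
issue_server_cert private_ca hobby.example
verify_against private_ca hobby.example              # ok: the private root is trusted
verify_against builtin_ca hobby.example || true      # fail: unknown issuer, the case Firefox balks at
verify_against hobby.example.self hobby.example.self # ok: only when the self-signed cert itself is trusted
verify_against builtin_ca hobby.example.self || true # fail: self-signed, no trusted issuer
```

The two “fail” lines are exactly the situations the post is about: the chain is sound, but nothing in the client’s store vouches for the issuer.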

Free Mickey?

August 3, 2008

Go watch Lawrence Lessig’s presentation from OSCON 2002, it’s really good:

http://randomfoo.net/oscon/2002/lessig/free.html

For a reprise, check out Lessig’s related article in the NY Times:

http://query.nytimes.com/gst/fullpage.html?res=9C01E0DB1630F93BA25752C0A9659C8B63

Although, the latter begs a question…

If 2% of copyrighted work between 1923 and 1942 continues being commercially exploited (yes, that’s Mickey) and extended copyrights block access to all the other “dead” stuff that nobody seems interested in, why not think about ways to alter copyright law such that Mickey can stay chained up but the “dead” stuff becomes freely available?

Not really what us poor consumers are after (we only want those 2%…) but certainly better than the ongoing farce Lessig is talking about?