SSL with Firefox 3


The new Firefox 3 browser is fast approaching its final release to the public, and millions of fans will download the new product from Mozilla this month. For me this is a very exciting event and a great opportunity to show you which changes and improvements will affect us, especially in relation to SSL-secured web sites.

A personal note upfront before I continue: Since I’m involved at Mozilla, especially where cryptography and certification authorities are concerned, disagreements and different points of view are natural, and even though I’m not always in complete agreement with everything that happens with Firefox, the time has come to put the differences aside! The Firefox browser is built and created as a community effort, allows and encourages involvement by others, and because of that receives a lot of input from diverse sources. And perhaps because of that Firefox has the potential to be the best browser of all. Obviously some differences will remain and heated discussions will continue in an effort to make it the best product, but today is the time to focus on what has been achieved and how it will affect our browsing habits and those of the people who offer content for the browser - the web site owners and operators!

Did I say web site owners? Why should a new browser affect them, really? Web site owners will find out that Firefox 3 takes a new approach where SSL-secured sites are concerned, a measure which makes the browser more secure and protects the casual user a lot better. This was long overdue, but a big step for the browser; the user interface (UI) developers did away with what was done previously and came up with some very refreshing ideas. Let me introduce “Larry”, who will provide you with quick and basic information about a secured website you may be visiting soon. When hovering over the site icon in the address bar, the colors change and some very basic information is displayed, for example:

[Image: SSL secured site]

This web site is secured with an SSL certificate issued by StartCom. To actually see the indicator as in the image above, the settings in about:config need to be adjusted: change the variable browser.identity.ssl_domain_display to 1, which is much better than the default setting. Otherwise a small blue area is created around the site icon, which can be problematic (one of the disagreements I still have with the folks at Mozilla).

When clicking on the site icon, “Larry” will give us some more information about what he knows about the site’s certificate and the status of the web site, for example if the site is encrypted and secure and if the organization was validated according to the EV guidelines. And this is how Larry will present himself depending on the different states (plain text, SSL, EV):

[Image: Trust Indicator]

The more interesting part, however, is what happens when Firefox encounters a problem with the web site’s certificate or secure connection. Then Larry gets very angry and Firefox displays an error page:

[Image: Firefox Load Error]

Any error the browser encounters, like the sec_error_unknown_issuer above, will be treated this way, be it sites secured with self-signed certificates, unknown issuers, a mismatch of the domain name and more. Previously the user could just click on a small popup window which presented a warning nobody would read anyway; today the user receives a stern warning. There is also a workaround to accept the site’s certificate nevertheless, which requires a few steps and is intended for the more savvy users, who obviously know what they are doing. All the others really should not connect to such a site.
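For site operators, the error classes named above (self-signed certificate, unknown issuer, domain name mismatch) can be checked before visitors run into the error page. The following is an added example, not part of the original post: it performs a verifying TLS handshake with Python's ssl module and groups the OpenSSL result into those classes. It assumes the operating system's trust store, which is not Firefox's own root list, so results can differ; example.org is a placeholder host.

```python
import socket
import ssl
import sys

# OpenSSL verification codes grouped into the error classes the post lists.
# The grouping is this example's own; Firefox reports its own error names.
CATEGORIES = {
    18: "self-signed certificate",   # DEPTH_ZERO_SELF_SIGNED_CERT
    19: "untrusted root in chain",   # SELF_SIGNED_CERT_IN_CHAIN
    20: "unknown issuer",            # UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    21: "unknown issuer",            # UNABLE_TO_VERIFY_LEAF_SIGNATURE
    62: "domain name mismatch",      # HOSTNAME_MISMATCH
    10: "expired certificate",       # CERT_HAS_EXPIRED
}


def categorize(verify_code):
    """Map an OpenSSL verify code to one of the error classes above."""
    return CATEGORIES.get(verify_code,
                          "other verification error (%d)" % verify_code)


def diagnose(host, port=443, cafile=None, timeout=10):
    """Handshake with host:port and return (ok, description)."""
    # The default context verifies both the chain and the host name.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                name = issuer.get("organizationName",
                                  issuer.get("commonName", "unknown"))
                return True, "trusted, issued by %s" % name
    except ssl.SSLCertVerificationError as exc:
        return False, "%s: %s" % (categorize(exc.verify_code),
                                  exc.verify_message)
    except OSError as exc:  # refused, timed out, or a non-certificate TLS error
        return False, "connection failed: %s" % exc


if __name__ == "__main__":
    # example.org is a placeholder; pass your own host name as an argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.org"
    ok, detail = diagnose(target)
    print("%s: %s" % (target, detail))
    sys.exit(0 if ok else 1)
```

The exit status is non-zero on any failure, so the script can run as a scheduled check against your own hosts.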

What does that mean for web site owners who relied on all kinds of self-signed certificates and those issued by unknown providers? It means that visitors to their sites will have a lot of trouble, and operators of such sites will at last have the opportunity to get a certificate from a known provider. This is especially encouraging for me, since StartCom makes a big effort by providing basic digital certificates totally free of charge in order to improve the security and authenticity of the web. This was one of the major goals of the StartCom Certification Authority from the outset and I’m more than glad to serve the Internet community with this service, now more than ever! And with it, the relying parties - all of us - can rely on our browser and the secured sites.

  • To get the new Firefox in time, join the big event of the Firefox Download Day. It’s an attempt to set a new Guinness World Record for the most software downloaded in 24 hours!
  • For the brave ones, here is the Firefox 3 Release Candidate.
  • To get a legitimate free SSL certificate without charge, head over to StartSSL!


Reader Comments

>> Let me introduce “Larry”

Do you know of any *official* place where a description of “Larry”, along with the proper statements about the copyright/trademark, could be found?

>> For the brave ones, here is the Firefox 3 Release Candidate

How is a Release Candidate more “risky” than a Beta? I am thinking of RHEL 5.2 coming with FF 3.0 Beta5!

>> join the big event of the Firefox Download Day. It’s an attempt to set a new Guinness World Record for the most software downloaded in 24 hours!

And what is the *relevance* of such an idiot record? Has it anything to do with anything of: quality, awareness, etc.?

1.) No, I think they are still working on that page. See https://bugzilla.mozilla.org/show_bug.cgi?id=435961

2.) An RC is still not a release and FF3 hasn’t been released yet.

3.) It’s called clever marketing without paying a dime. Idiotic or not, it serves the purpose, it has nothing to do with quality, with awareness perhaps it does however :-)

Hmm, also not fixed (and won’t be fixed soon): https://bugzilla.mozilla.org/show_bug.cgi?id=433412

As for the initial question, http://www.dria.org/wordpress/archives/2008/05/06/635/ says a lot, hopefully Mozilla will publish an official page once FF3 is out.

Still, this means you must be “a brave person” to use RHEL 5.2 for a desktop? It comes with FF3b5!