In bug the reporter
complained about how difficult it is to override bad cert errors in FF3.
She complained because she was getting bad cert errors on EVERY https
site she visited.  ALL the https sites she visited were apparently
presenting self-signed certs.  The example for which she provided evidence
was  By the time she filed the bug, she had already
overridden the bad cert errors for all the major https sites that she
visited with any frequency, including facebook, myspace, hotmail, her
college's network servers, and more.  In hacker speak, she was *owned*.

(Please discuss this here, not in that bug.)

Despite all the additional obstacles that FF3 put in her way, and all
the warnings about "legitimate sites will never ask you to do this",
she persisted in overriding every error, and thus giving away most of
her valuable passwords to her attacker.

None of this had triggered any suspicion in the victim.  She was merely
upset that the browser made it so difficult for her to get to the sites
she wanted to visit.  She was complaining about the browser.

FF3 had utterly failed to convey to her any understanding that she was
under attack.  The mere fact that the browser provided a way to override
the error was enough to convince her that the errors were not serious.
I submit that the user received no real protection whatsoever from FF3 in
this case.

KCM would not have helped.  If anything, it would have reduced the pain
of overriding those errors to the point where the victim would never have
cried for help, and never would have learned of the attack to which she
was a victim.

The question is: how can FF3+ *effectively* protect users like her from
MITM attackers better than FF3 has already done?

Is removal of the ability to override bad certs the ONLY effective
protection for such users?

The evolution of that UI is under discussion in bug
dev-tech-crypto mailing list
