Firefox Tougher On Expired SSL Certificates
Firefox 3, which set a one-day record for downloads recently, has been reconfigured in a way that’s setting off alarms for webmasters who haven’t renewed their SSL certificates. As the US Army just learned, Firefox won’t bring up sites with self-signed and/or expired certificates.
At least, not without some extensive hoop-jumping.
If you’re a merchant you should know that an SSL certificate enables encrypted data transmission between two computers. Credit card information, for example, is protected during transmission between those two computers.
But we’re assuming you know that and that yours is up to date.
If not, your site could be one of the estimated tens of thousands of websites virtually inaccessible via Firefox, the world’s second-most-used Web browser. This isn’t entirely new to Firefox. Previous versions treated websites with similar issues in a similar way, but the pop-up warning, which declined to vouch for the site, was simple to bypass in a single click.
The new policy, points out Royal Pingdom, presents a message that could be far more frightening to a web surfer. In the case of the US Army’s website, Firefox 3 labels it as having an invalid security certificate before using the phrase "not trusted." Users are then invited to add an exception for sites they trust completely. Beneath that is the choice to "Get me out of here!" or to "Add exception."
Critics believe this process may be a bit too ominous for the average user. "The geeks" at Royal Pingdom write:
"Perhaps the error message (and the whole procedure) could have been presented a bit differently to make it easier for inexperienced users to understand, especially now that Firefox is entering the mainstream and is getting a wider user base."
Jonathan Nightingale, who works with Mozilla usability and security issues, defends Firefox’s treatment of SSL certificates in a lengthy blog post, noting that acquiring one isn’t expensive and, if you go through Mozilla, it’s free.
The crowd of webmasters has been quick to jump on Mozilla for this change, which was made in the interest of increased security—thought to be the biggest advantage over IE—but it’s not Mozilla’s responsibility to make sure webmasters’ SSL certificates are up to date or acquired through proper channels.