Sunday, April 20, 2008
3:40 - from the firefox-3-is-in-my-way dept:
Firefox version 3.0 has implemented a new user "protection" feature which forces phishing scam reports and SSL certificate mismatch errors to be full page messages which completely block access to the page. I can accept the phishing scam feature because it is possible to disable the warnings entirely if they bother you.
The SSL error page, to its credit, allows you to bypass it if you like, as
there are some sites which legitimately use an SSL certificate that cannot be
fully verified. I see the types of cases where this happens daily in my line of
work. The problem is, the old verification method from 2.x and below resulted
in up to two dialog boxes, in which the defaults were to accept the issue and
continue with a single click each. In other words, two clicks total. The new
behavior requires no less than five clicks:
- Click the link which un-hides the button that allows you to add an exception.
- Click the button to add an exception.
- Click the button in the new window to re-fetch the certificate that it didn't like.
- Click the button to add the exception.
- Reload the page.
This assumes that the new window that pops up already contains the URL you tried to go to, which sometimes seems not to be the case and causes you to have to type and click many additional times.
I filed a bug about this, because I am not willing to accept the need to do more than double the work previously needed to access sites without fully validated certificates. The response so far seems to suggest they don't consider my use case worthy of consideration.
I know that a lot of customers of Steadfast will be frustrated by this change as well. To get a "validated" certificate, you must pay a yearly fee to have your certificate signed and then install it properly on your server. In a lot of cases, this is simply not worth the money, since an unsigned certificate still accomplishes the basic goal of encrypting the information sent to and from the system. I consider the idea of trusting some random set of "certificate authorities" to arbitrate who is and is not to be trusted by me based solely on who is willing to pay them up to hundreds of dollars per year a bit of a scam. I believe that self-signing of certificates ought to be an acceptable practice for users that just need encryption and don't need any fancy "seal of approval" from a mystery corporation.
That said, the reasoning for the more complex blocking of the page is somewhat sound from Mozilla's standpoint. Users can sometimes be victims of "man-in-the-middle" attacks, in which someone manages to get a computer in between the user and the real server, allowing them to create an encrypted but compromised session. In such a case, it would be less likely that the destination would happen to have a validated certificate (though it's not impossible and thus this does not actually guarantee anyone's safety when using SSL). For most users, adding a five-click exception is fine once in a while, but when you need to do this many, many times a day like I do, this is a major irritation and impedes workflow.
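An added illustration (not part of the original post, and not Firefox's code): a simplified model of what a stored exception for a self-signed certificate does and does not protect against. `ExceptionStore`, the host names and the certificate bytes are hypothetical, constructed stand-ins.

```python
import hashlib
import ssl


def fetch_der(host, port=443):
    """Fetch a server certificate without validating it (needs network)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


class ExceptionStore:
    """Hypothetical model of per-site certificate exceptions."""

    def __init__(self):
        self.pins = {}  # (host, port) -> fingerprint accepted by the user

    def add_exception(self, host, port, der):
        self.pins[(host.lower(), port)] = fingerprint(der)

    def check(self, host, port, der):
        pinned = self.pins.get((host.lower(), port))
        if pinned is None:
            return "unknown"  # first visit: nothing to compare against
        return "match" if pinned == fingerprint(der) else "mismatch"


def demo():
    # Constructed byte strings standing in for two self-signed certificates.
    server_cert = b"constructed-self-signed-cert-of-real-server"
    other_cert = b"constructed-self-signed-cert-of-interceptor"
    store = ExceptionStore()
    host = "panel.example.test"
    results = [store.check(host, 443, server_cert)]       # before exception
    store.add_exception(host, 443, server_cert)
    results.append(store.check(host, 443, server_cert))   # same cert later
    results.append(store.check(host, 443, other_cert))    # substituted cert
    results.append(store.check("other.example.test", 443, server_cert))
    return results


if __name__ == "__main__":
    print(demo())
```

The first visit returns `unknown`, which is the one point where the fingerprint has to be compared against a value obtained some other way; after the exception is stored, a substituted certificate shows up as `mismatch`.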
The way to solve it is simple. I'd like a way to specify a set of network address ranges to which these certificate verification steps do not apply. However, it seems as though Firefox developers are not going to help me out, so I decided to find a quick way to reduce the number of clicks to a predictable two or fewer. I have found that it's pretty easy to edit the Firefox "chrome" to do so. There are only two files that affect this user interface, called "netError.xhtml" and "exceptionDialog.js" and changing the behavior was simple, though for the purposes of getting what I want, I didn't really care to make sure I did things "the right way."
I edited netError.xhtml to eliminate the first click. netError.xhtml is found in the "toolkit.jar" file in your Firefox home directory (it's just a zip file) at the path content/global/. The changes I made are here. I edited exceptionDialog.js to eliminate the third and fifth clicks. exceptionDialog.js is found in the "pippki.jar" file (also a zip file) within content/pippki/. The changes I made to it are here.
After doing this, I repackaged the updated files back inside their respective jar files. As a side note, you can also eliminate click number 4 if you add a line that reads "addException();" directly below the line "checkCert();" which will make the first click add the exception with no further prompts. I didn't do this because I want the chance to review the certificate, should I run into a site on which an unvalidated certificate actually bothers me.
If Mozilla does not want to fix this problem for me, I may consider maintaining the adjustments as an extension. However, I'm not familiar with Firefox extensions or the work needed to replace "built-in" files using extensions, so if anyone wants to save me the work of RTFMing, and give me some advice or a working extension, I won't complain. :)
For now, at least I have a solution that works to avoid so many unnecessary extra clicks.