August 20, 2008 -- (WEB HOST INDUSTRY REVIEW) -- While expired and self-signed SSL certificates may have warranted yellow flags in Firefox 2 and Internet Explorer, the latest Firefox will scare away users from SSL-carrying sites unless they are certified by a third party, causing controversy as users are blocked from popular sites like Google and LinkedIn.
Reported by BetaNews (betanews.com) and other sources, Modzilla began cracking down on SSCs, which are valid, albeit unauthenticated, SSL certificates used for online encryption and website authentication to guard against phishing attacks, giving users frightening warnings, saying the certificate is "invalid" and "not trusted."
Mozilla began implementing a stricter policy because self-signed certificates can potentially be malicious because there is no third party to verify the site's identity, according analysis from Royal Pingdom, the official blog of uptime monitoring provider Pingdom(pingdom.com). However, they note that most users will be turned off from websites that do not carry an expensive third-party certificate from such Certification Authorities as VeriSign (verisign.com).
"From a security standpoint, the change in Firefox 3 kind of makes sense, but from a usability standpoint, the implementation is too confusing," according to Royal Pingdom.
While site administrators can pay a one-time fee of $29.99 from a company like Go Daddy (godaddy.com) for a basic SSL package, for some it is a matter of principle.
According to Scott M. Fulton's report on BetaNews, some developers self-sign because they do not want to register for security reasons with a third party when working on a covert project. Other developers find it simply more convenient and economical to self-sign certificates, especially when they have many certificates to issue.
Univeristy of Massachusetts's Nat Tuck opposes Mozilla's de facto censorship because he said it infringes on net neutrality, the concept that the internet should be free of restrictions on content, sites or platforms.
"This behavior means that a public web site basically can't be encrypted unless they are willing to pay an approved vendor a yearly fee for a certificate," Tuck wrote in a recent blog posting. "This has two effects: First, some sites are forced to pay for certificates that they otherwise wouldn't have bought. Second, some sites are forced to go without encryption that they otherwise would have had.
"This is really an issue of the basic principles of internet openness. Everyone has equal access to the features of HTTP or SSH, there's no reason why there should be artificial constraints on access to HTTPS. But that's exactly what the Firefox SSL behavior does."
Fulton noted an alternative to SSLs for budget-conscious developers is StartCom Certification Authority's free Class 1 digital certificates (startssl.com).
