The Untrusted Certificate Dialog

Lots of good comments on my post about informed choices and real security, it would be nice to see some good open source solutions out there. And I’m glad I didn’t bump into david on the street that day, he has more good ideas about the issues of phishing and SSL certs.

To follow up a bit more I spent a little time examining this crazy dialog. I’m not trying to pick on firefox, but it’s an excellent example of where things can go wrong. And in a lot of places they go right, we definitely aren’t at this point.

I couldn’t find a site right away that brings up this issue even though I feel like it happens somewhat often. So I grabbed a screenshot I found and changed the URL, but here’s how the dialog would look if you just found an issue with www.URL.com.

Because I’m like the Lorax who speaks for the users I’ve translated the options available in the dialog so they can be read from the point of view of someone who doesn’t understand the underlying technology. I also added what is a little bit of reality as well.

Unable to verify the identity of www.url.com as a trusted site
The website you’re looking at is not configured correctly. This error is not your fault.

Possible reasons for this error
We used this dialog for a couple awkward reasons, but this error has nothing to do with anything you did

A. Your browser does not recognize the Certificate Authority…
Something could be wrong with the browser software. Odds are you can’t fix this. It might be nice if the browser software could check for an update right now or allow you do make it check.
B. The site’s certificate is incomplete due to a server misconfiguration
The web site maintainer has made an all too common mistake. There’s really, really, pretty much nothing you can do about this error. Thanks for reading it!
C. You are connected to a site pretending to be www.url.com …
Something evil could be going on! Someone might be trying to trick you! Though odds are this isn’t true, it’s likely that guilt or the legal department required us to put this dialog up just for this case.

Please notify the site’s webmaster about this problem
Contact the person who runs the web site. You know who that person is, right? You know how to contact them? It might be nice to offer a mailto webmaster@url.com address? Maybe not.

Before accepting this certificate, you should examine the site’s certificate carefully…
Here is a foreign language you never studied in your life, please read it’s message carefully and pick out any grammar errors. Severe grammar errors could indicate a problem, simple grammar errors could just mean it’s a simple mistake. Remember, read carefully!! Fun Fun Fun!

Accept this certificate… [in a number of different ways with different consequences]
After carefully examining and understanding the certificate you should choose the correct option to proceed safely.

Help!
If you’re having trouble with what to do click here. Oh, gotcha! This help is about the dialog, it has no advice for the site itself!

Cancel
Don’t go to the site you wanted to go to

OK
Go to the site you wanted to go to, but risk losing your soul!

And with all that dialog you still haven’t seen the site itself because the browser blocks the loading, however the blocking is probably for security sake and might be hard to work around. One might find a way to use services like Snap which offer screen captures of sites for free at least then you’d know what you are about to look at.

So the real issue here is that this dialog doesn’t help most people to advance, it is merely an idiot light in car speak. We could say The terrorist threat of this web site is at Yellow, do you wish to proceed? and it would be about as helpful. To protect people from phishing you need a more complete solution, and phishing is a serious problem. Warnings about errors in a site configuration could just be done as subtle warnings such that people interested can take notice while others are able to continue without the dialog litter.

Other Fun Dialogs and Stuff

Alex Faaborg has some good slides from his Web 2.0 Expo Presentation where I got these other screenshots of interesting dialogs that provide choices, but maybe not in the way we want. The POSTDATA dialog is a tough one to fix and I don’t think I have any real ways to improve that, but boy does it suck.

Firefox POSTDATA Dialog is Not Human Readable

About this entry

You’re currently reading “The Untrusted Certificate Dialog,” an entry on Bryan Clark

Published:: 05.02.07 / 11am

Category:: Design, Security

Recent Comments

Pierre-Luc Beaudoin: Well, now that's why I couldn't get reservations ...

Bryan Clark: Canadian: The Helms amendment and NSC order 725 b...

Bryan Clark: Sheesh, missed copy and paste! Corporation it is...

TFKyle: just a random note: CBC stands for Canadian Broad...

James Bowes: Get yourself a Montreal smoked meat sandwich, too...

Snark: Eh, that shirt doesn't read "CANADA", but "CAN AD...

Canadian: Know the ground rules. One of your travelling com...

Robert Smol: Hello, please have a look at Evolution's email Se...

Jesper Kristensen: Bryan: I am not sure. Maybe just use one signatur...

First Look at Thunderbird 3 Alpha 1 [Screenshot Tour] | Another Way To Be Rich: [...] the native OS X Address Book. This rough fe...

About

My name is Bryan Clark, I’m a User Experience Designer working with Mozilla Messaging on Thunderbird; currently living in the Boston area. I have interests in design, economics, architecture, and beer. Previous to my work with Mozilla I was one of a select few Interaction Designers at Red Hat, working on their Desktop Team, OLPC, GNOME, Online Desktop and many other projects.

This blog focuses mainly on my work driving design in an open source context.

Martijn May 2, 2007

So, do you also have ideas on how a better dialog should look? Instead of just criticizing the current one?

Kevin Kofler May 2, 2007

Well, for one it should say what the error really is: is it a self-signed certificate? (This special case is easy to detect in software, and a common case.) Is it an expired certificate? (That one even results from a specific error from the SSL validation which is then often turned into that generic error.) Too bad most browsers just spit out that generic error. (Konqueror does that too, but at least when you click “Details”, it gives reasons for why the cert is invalid, so it says if it’s self-signed, expired or whatever. I’d prefer having those in the main dialog though. But Firefox doesn’t even bother giving you reasons in the details, it just spits out the cert’s data and lets you do the validations yourself.)

Brian Nickel May 2, 2007

A decent POSTDATA dialog would require a smarter browser. Upon submitting the page, the browser would store some interesting information, like a field was named “pass” or “comments”, a 15MB file was sent, a “image/png” was sent, etc. The address could be useful too, like “login.php”

The dialog could then say something like, “You originally sent data (via POSTDATA) to view this page, to view it again would require you to resend the data. …”

* “It appears you submitted your login information. It would probably be harmless to continue.”
* “It appears you submitted a 15MB media file called ‘animals-wearing-hats-with-a-wide-angle-lense.ogg’. You probably do not want to post this again.”
* “It appears you posted a comment on a blog or forum. You probably do not want to post it again.”

If the page is being navigated to, an additional button, “Return to previous page” could be helpful.

GUEST May 2, 2007

IMHO Opera has rather useful dialogs.

Bryan Clark May 2, 2007

@martijn: Well it’s difficult to remove. Because until you tackle the phishing problem that guilt/legal issue is going to stick around. But if we assumed we had a solution for that I wouldn’t use a dialog at all. The invalid cert would be treated like a javascript error, similar notification principle as they are both only interesting to people who understand the tech.

Scott Lamb May 2, 2007

I just realized your advogato post was syndicated from here. I don’t know if you saw my two posts there, but your comments about “C” are horribly wrong!

http://www.advogato.org/person/slamb/diary.html?start=61
http://www.advogato.org/person/slamb/diary.html?start=60

Here is Safari’s text for comparison. It gets right to the point, which is that you shouldn’t supply confidential information.

Safari can’t verify the identity of the website “www.slamb.org”.

The certificate for the website was signed by an unknown certifying authority. You might be connecting to a website that is pretending to be “www.slamb.org” which could put your confidential information at risk. Would you like to connect to the website anyway?

[?] [Show Certificate] … (gap here) … [Cancel] [Continue]

@kevin: I agree that when looking at the error message the browser should just be able to tell you what is wrong with it instead of you figuring it out from the cert. Assuming the phishing problem can be handled I wouldn’t suggest keeping the dialog around, I think it can be handled like a site error message. Of course if you load a page with a form it might be a good time to warn people that things aren’t secure.

@scott: I think you’re missing the real error with these dialogs. The problem is that your user had the intention to view the web site the dialog is warning about. They want to be there. Again, putting aside the problems of phishing. So it doesn’t really matter what dialog you put in front of them, nobody reads the text. These dialogs look like the hobos wearing signs that say “The End is Near”, sure they get in your way on the sideway and sound scary if you took the time but everyone just walks around them. And the SSL cert validity doesn’t actually matter until someone sends information the site, while you’re just viewing it there’s nothing wrong with an expired cert. When somebody submits information, then you might have an issue.

I think you’re missing the point of the dialog. The user did *NOT* intend to view the website the dialog is warning about. The user intended to go to Big Bank’s website, and this dialog box is breaking the bad news that isn’t it. The browser is unable to satisfy the user’s desire to go to Big Bank’s website.

The cert validity can in some cases matter when viewing the page. I focused on sending information because that’s the most common case, but users can take out-of-band actions based on information obtained from a trusted source. It is important that they know this is not a trusted source.

Everybody does not walk around this warning. The “Aunt Tillie” crowd does not often go to mailing list sites which use SSL for no particular reason. They primarily use SSL for online banking and resellers like amazon.com. If they get a security warning at one of those sites, it is much much much more likely someone is trying to steal their money than that amazon.com screwed up SSL or is using a homegrown CA.

Actually, I take that back: it’s not much much much more likely someone is trying to steal their money. It WOULD be much much more likely, except that the well-known existence of this dialog box discourages people from trying to forge amazon.com’s credentials. If this dialog box did not exist or if it were redesigned by someone who missed its entire point, people frequently would steal money in this manner.

Anonymous May 2, 2007

One way to make the POST-request-again dialog a little better might be something like:
—
“You went beyond this page earlier and then returned back to it using the browser history. Now you’re trying to go beyond it again. Do you want to return to where you were before or start fresh?”

[Start Fresh] [Return to where I was]
—
([Start Fresh] would repeat the POST request and [Return to where I was] would pull the page one page forward in the history from the browser cache.

Joe Buck May 3, 2007

The solution to the Firefox POSTDATA dialog is not to change the dialog. The need to present it at all is a symptom of broken Firefox behavior. I typically see it when I hit the “back” button, and what I want to see is the page I just saw before I clicked whatever I clicked. I don’t want Firefox to re-submit a form. I want it to remember the last page and re-draw it, quickly. If I’m stuck on dialup, I don’t expect a long delay; I expect the browser to just remember the page. After all, the damned program is sucking up 100Mb or more of storage and tons of disk cache.

If the broken Firefox behavior is fixed, then there’s no need for figuring out how to re-word the dialog.

Similarly, one of the most common areas of breakage with certs is that the certificate covers http://www.foobar.com and I’m visiting foobar.com, or vice versa. You say that the issue is that the site is misconfigured. But the certification authorities charge more for a wildcard certificate, so people on a budget don’t pay. For close matches of this kind, the browser should, once again, shut up.

Brian Nickel May 3, 2007

I have to disagree with Scott. Most of the time, I receive the error is from a badly configured server. Like https://www.foo.com and https://secure.foo.com showing the same site, but only secure.* has a certificate. The user DOES want to go to the site, but something is standing in the way. Something that says: “This site has invalid credentials for ‘reason x’. This may be due to a badly set up website or a site pretending to be ‘foo.com’ for fraudulent purposes. You should not trust this website with personal information.” [Go Back] [Continue]

- Brian

PS. [Go Back] or [Previous Page] may me more useful to the user than [Cancel]

fraggle May 3, 2007

WALL OF TEXT

James May 3, 2007

OK — how about:

This site is supposed to be trusted, but the site’s “certificate” is [broken/out of date/not trusted/delete as appropriate].

This may mean you’re connecting to someone *pretending* to be http://www.url.com

If you choose to visit it anyway, treat it with suspicion! Don’t enter any personal information, such as credit card numbers!

[ Visit it anyway ] [ View certificate ] [ Keep away! ]

Bryan Clark May 3, 2007

@scott: I’be been trying to separate these two issues, but they keep getting clouded. Intending to go to your bank and ending up somewhere else is phishing and phishing is a serious problem. I don’t think that this cert dialog is actually helping to curtail the phishing problem, I do think this dialog just becomes noise to people because it also appears when a site is simply misconfigured. Essentially it is crying wolf to the person and they will eventually tend to just click through it. And I completely agree that serious sites like banks and amazon won’t screw up their certificates, so there’s not much reason to block people from using sites with bad certs assuming you have a solution to the phishing problem. I just went to core.fluendo.com and they have a bad cert, but it doesn’t mean they are going to steal my identity. Like Brian points out, most of the time it’s a badly configured server, so to help our users we should try not to cry wolf about that.

Scott Lamb May 3, 2007

James:

That text is not bad, minus the extraneous quotes around “certificate”. (”Using this ‘laser’, I will…”)

Bryan:

You’ve been unsuccessful because it’s impossible - the issues are inseparable. The browser does not know the server administrator’s intent. It is unable to distinguish between a “configuration problem” of inadvertently sending a valid certificate for another site and a “security problem” of deliberately sending a valid certificate for another site. I’m skeptical even of heuristics like “‘example.com’ and ‘www.example.com’ are basically the same”.

What you’re doing is like trying to come up with a smart lock that can distinguish between the “forgetfulness issue” of someone forgetting the key and the “security issue” of someone not having the key. You can’t do it - all the lock sees is a “no key issue”, and its policy is to refuse entry. Maybe the “forgetfulness issue” is more common in some situations, but the “security issue” would be common as hell if the lock’s policy was to let people in anyway.

You are convincing me that there is more danger here than I’d realized. Aunt Tillie on her own would handle Safari’s dialog box fine. But the real danger is that her “computer genius” nephew will tell her to ignore it - it’s probably not important because he gets this security warning at his friend Joe’s website and no one has ever stolen his credit card there.

Steven Garrity May 3, 2007

For comparison, here’s a screenshot of the IE7 equivalent:

http://actsofvolition.com/images/screenshots/web/windows-cert-error.png

Anonymous May 3, 2007

My bank has a two stage authentication process where after I enter my username, it then shows me a picture I chose specifically when I created the user.

Since it’s a picture I chose and see every time I login, if I ever see a different picture I’ll immediately realize something is up and be cautious about entering my login credentials.

I think that type of phishing prevention is much more useful than the browser cert warning.

Anonymous: unfortunately, you’re wrong. Your bank’s website is no more secure - and possibly less - for doing this. They should stick to tried and true methods.

Why more no secure? They are proving their identity by sending a shared secret (the picture) to an unauthenticated party. That provides no protection against a man-in-the-middle attack. If I can get you to load my fake webpage, I can also relay your username request to the bank so I can display the correct picture.

Why less secure? Unless they’re smart enough to display a random picture on unknown username, this technique provides a simple way to test the existence of an account.

Richard May 3, 2007

Fixing the POSTDATA dialog is easy if you are the webmaster. Simple do a silent http redirect for every page that recieves postdata, then the actual postdata event does not show up in the browser history. A nice and convinient solution IMHO. I am not sure whether this “should” be solved in the browser actually.

Cheers
-Richard

34412-8160 July 11, 2007

Bryan- I got a laugh out of your asessment, because this just happened to me and you’re totally right- how the heck am I supposed to know what the “fingerprints” are or whether they look “ok”? (but for the record I did “carefully examine” them anyway). But I agree with the others, that this is a necessary popup, it just needs to become a little more useful, or webmasters need to be a little less lazy (because I encountered it on the gmail login, and NOW for “*mozilla.org”.. hehe, what the heck is this??). IDK, maybe I’m running too old of a version of firefox or something? don’t know if its the browser or the websites…

Bryan Clark

The Untrusted Certificate Dialog

Other Fun Dialogs and Stuff

About this entry

22 Comments

Post a Comment »

Comment Guidelines

Categories

Monthly Archives

Recent Comments

About

Recently