In association with heise online

11 March 2009, 11:21

Firefox and security certificates

The right way to handle encryption with Firefox 3

by Jürgen Schmidt

Secure data transmission on the internet relies on encryption and security certificates. Mozilla has revised the way Firefox 3 handles certificates, but not always for the better. A few modifications will sort things out – and give you more security.

All sorts of information – even critical stuff like passwords and account information – is commonly sent over a connection in the clear, but if you want to keep eavesdroppers at bay, you have to use encryption. Encrypted web sites can be recognised by the "https" ("s" for "secure") instead of "http" in the URL.

How do you know for sure that the correct addressee is actually at the other end of the line? 256-bit encryption under the Advanced Encryption Standard (AES) is useless if some crook is sitting there, because you're handing your information over at no charge. A server operator can have his identity confirmed by a reliable Certificate Authority (CA), so that your browser can check the CA's digital signature on his certificate and tell you whether you're at the right place.

Up to version 2, Firefox did this by colouring the complete address line yellow and displaying a padlock icon. As long as you knew what it meant, this was hard to miss, and its absence was a clear indication of an unencrypted site. Since version 3, Mozilla, like Microsoft with Internet Explorer 7, has been concentrating on extended validation (EV) certificates. With these, Certificate Authorities give an assurance that the identity of the applicant has been checked more thoroughly.

Technically, however, EV SSL (Secure Sockets Layer) certificates don't differ from conventional SSL certificates, nor have they yet won broad acceptance, other than by banks, because they're quite expensive. In early 2008, the Netcraft monitoring service could detect only a little over 4,000 of them worldwide. That represents just 0.5 per cent of the more than 800,000 "normal" SSL certificates in force, i.e. those signed by standard CAs.

When looking at a whole page, the difference between the favicon and the SSL indication is almost indiscernible.

As before, most online shops use normal SSL certificates, for transactions involving the input of personal data, credit-card information and the like. But Firefox now handles them very poorly. It starts by dropping the padlock and the yellow colour from the address line. What's left is a small blue frame around the page's "favorites icon" (favicon), something so easy to forge that any fakery is far from obvious.

You can improve this slightly by calling up the JavaScript pseudo URL about:config. Firefox will then display a warning that "This might void your warranty!". Click "I'll be careful, I promise!", type "identity" into the Filter box to get to browser.identity.ssl_domain_display, and then change its value from 0 to 1.

That will make Firefox bring the address line for https sites into line with that for EV SSL sites, except that it's blue instead of green. This minimises the risk of confusion with unsecured sites.
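The about:config change above is a one-off click in a single profile. The following POSIX shell script, an added example that is not part of the original article, applies the same setting repeatably by writing it into the profile's user.js file, which Firefox reads at startup and copies into prefs.js. The profile directory path, the helper names set_pref and get_pref, and the temporary-file handling are this example's own choices; the preference name and values 0 and 1 are the ones the article gives.

```shell
#!/bin/sh
# Added example: persist browser.identity.ssl_domain_display via user.js
# instead of clicking through about:config. Firefox reads user.js at
# startup and applies its user_pref() lines to the profile's prefs.js.
PREF_NAME="browser.identity.ssl_domain_display"

# set_pref PROFILE_DIR VALUE
# Removes any existing line for the preference, then appends the new one,
# so repeated runs leave exactly one entry (idempotent).
set_pref() {
  profile_dir="$1"
  value="$2"
  userjs="$profile_dir/user.js"
  [ -d "$profile_dir" ] || { echo "profile dir not found: $profile_dir" >&2; return 1; }
  tmp="$userjs.tmp"
  if [ -f "$userjs" ]; then
    # grep exits 1 when nothing is left; that is not an error here
    grep -v "\"$PREF_NAME\"" "$userjs" > "$tmp" || true
  else
    : > "$tmp"
  fi
  printf 'user_pref("%s", %s);\n' "$PREF_NAME" "$value" >> "$tmp"
  mv "$tmp" "$userjs"
}

# get_pref PROFILE_DIR
# Prints the value currently recorded in user.js, or nothing if unset.
get_pref() {
  userjs="$1/user.js"
  [ -f "$userjs" ] || return 0
  sed -n "s/^user_pref(\"$PREF_NAME\", *\([0-9]*\));.*/\1/p" "$userjs" | tail -n 1
}

# Usage (assumed profile path, adjust to your own):
#   set_pref "$HOME/.mozilla/firefox/xxxxxxxx.default" 1
#   get_pref "$HOME/.mozilla/firefox/xxxxxxxx.default"
```

Because user.js is re-applied at every start, the value set here survives resets of prefs.js and can be rolled out to several profiles from one script; setting it back to 0 through the same function restores Firefox 3's default behaviour.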

After the change, Firefox shows the current https domain against a blue background, as in line 2.
