There's a contentious debate brewing around Firefox 3's handling of SSL security certificates – the tools that tell the browser whether your connection is actually secure and connected to the site you're trying to access.
Some users find the new features to be overkill. As it stands, if you visit a website with either an expired or a self-signed SSL certificate, Firefox 3 will not show that page at all. Instead, the browser shows the "customs officer" graphic (at right) and an error saying the website may be dangerous. The user can still bypass the message, but site owners are arguing that Firefox is being too strict about security and forcing a poor user experience.
We think that's a good thing. It protects the user, who might otherwise not know any better, and there's simply no excuse for letting your SSL certificates expire.
Of course, excuse or no, according to Netcraft, as many as 18% of the Fortune 1000 websites have expired SSL certificates. That means the odds are pretty good that Firefox 3 is going to block you from accessing some legitimate sites.
But turning around and blaming a poor user experience on a feature of Firefox 3 when site owners have failed to keep their certificates up-to-date is ludicrous.
When it comes to self-signed certificates, the debate is a little more realistic. The old argument is that buying a certificate from a registered authority is expensive, but as Firefox developer Johnathan Nightingale points out, that isn't true anymore. There are plenty of options in the $20/year range and even some free SSL certificates.
Still, with many web hosts providing integrated, self-signed SSL certificates for free, there are a lot of sites out there using them. Luckily, all a user needs to do to get Firefox 3 to play nice with self-signed certificates is add an exception, which takes a grand total of two clicks.
In the end, the problem isn't one with Firefox 3. It's on the site owners. It is true, as some have loudly proclaimed with much hand-wringing, that Firefox 3's strict new handling of SSL hurts legitimate sites, but the wounds are self-inflicted.