In bug https://bugzilla.mozilla.org/show_bug.cgi?id=460374 the reporter complained about how difficult it is to override bad cert errors in FF3. She complained because she was getting bad cert errors on EVERY https site she visited. ALL the https sites she visited were apparently presenting self-signed certs. The example for which she provided evidence was www.paypal.com. By the time she filed the bug, she had already overridden the bad cert errors for all the major https sites that she visited with any frequency, including facebook, myspace, hotmail, her college's network servers, and more. In hacker speak, she was *owned*.

(Please discuss this here, not in that bug.) Despite all the additional obstacles that FF3 put in her way, and all the warnings about "legitimate sites will never ask you to do this", she persisted in overriding every error, and thus giving away most of her valuable passwords to her attacker. None of this had triggered any suspicion in the victim. She was merely upset that the browser made it so difficult for her to get to the sites she wanted to visit. She was complaining about the browser. FF3 had utterly failed to convey to her any understanding that she was under attack. The mere fact that the browser provided a way to override the error was enough to convince her that the errors were not serious. I submit that the user received no real protection whatsoever from FF3 in this case. KCM would not have helped. If anything, it would have reduced the pain of overriding those errors to the point where the victim would never have cried for help, and never would have learned of the attack to which she was a victim. The question is: how can FF3+ *effectively* protect users like her from MITM attackers better than FF3 has already done? Is removal of the ability to override bad certs the ONLY effective protection for such users? The evolution of that UI is under discussion in bug https://bugzilla.mozilla.org/show_bug.cgi?id=431826 _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto