In association with heise online

Another problem is the very ill-chosen wording of the further information about those https sites that have declined to pay an additional charge to Verisign & Co. In spite of their valid certificates, certified by a CA, you get messages like these:

Contradictory statements like "This web site does not supply identity information" and "This web site supplies a certificate to confirm its identity" will only confuse a cautious user, instead of informing him. On the other hand, the additional information showing whether and how often you've already visited the site is more useful.

Home-made certificates

The situation is worse with sites run by operators who don't want to spend any money: they either get their certificates signed by a community-based Certificate Authority such as CAcert, or just do it themselves. For these, Firefox 3 displays an error page headed, "Secure Connection Failed", instead of giving you a warning you can skip with a click.


The browser initially responds to any attempt to "Add Exception" with a "Don't do it, Dave!" type of warning. That's likely to chase most potential visitors away. Only if you're obstinate and insist on adding an exception will you get to the next dialogue, where you can load the certificate.

But it's just here that a security-conscious developer may stop halfway and forget to add that you have to check the fingerprint of the key to confirm that it's genuine.

Rather stupidly, the certificate view then blocks the browser window so that you're unable to seek more information on the web about the raw data shown. And although most exceptions are probably created on the "quick and dirty" principle, Firefox immediately saves them permanently by default.

The exception proves the rule

Self-signed certificates are widely used, especially in a university environment, but even company administrators are frequently unwilling to pay an annual fee to a CA for their intranet servers. Users should be guided through the exceptions jungle as carefully as possible, ensuring, for example, that they import the certificate from the company's CA. The most important thing is to get them to compare the MD5 or SHA-1 fingerprint with trustworthy information from an independent source. Incidentally, an email showing a link to the CA certificate doesn't belong in this category.
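The fingerprint comparison described above, as an added example that is not part of the original article: it hashes a certificate's DER encoding and compares the result with a value obtained from an independent source. The function names are hypothetical, the sample certificate bytes are constructed rather than a real certificate, and the check also accepts SHA-256 fingerprints, which goes beyond the MD5 and SHA-1 values the article mentions.

```python
import hashlib
import hmac
import ssl

# Hex digest length -> hash algorithm, so the published value selects the hash.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def normalise(fingerprint: str) -> str:
    """Strip colons and whitespace and lower-case: 'AB:CD' -> 'abcd'."""
    return "".join(ch for ch in fingerprint if ch not in ": \t\n").lower()


def fingerprint(der: bytes, algo: str) -> str:
    """A certificate fingerprint is the hash of its DER encoding."""
    return hashlib.new(algo, der).hexdigest()


def matches(der: bytes, published: str) -> bool:
    """Compare the certificate against a fingerprint obtained out of band."""
    wanted = normalise(published)
    algo = ALGO_BY_HEX_LEN.get(len(wanted))
    if algo is None or any(c not in "0123456789abcdef" for c in wanted):
        raise ValueError("not an MD5, SHA-1 or SHA-256 fingerprint")
    return hmac.compare_digest(fingerprint(der, algo), wanted)


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch a server's certificate without validating its chain."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


# Constructed stand-in for a certificate's DER bytes (not a real certificate),
# round-tripped through PEM the way a downloaded .pem file would be.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed sample certificate bytes")
SAMPLE_DER = ssl.PEM_cert_to_DER_cert(SAMPLE_PEM)

if __name__ == "__main__":
    sha1 = fingerprint(SAMPLE_DER, "sha1").upper()
    published = ":".join(sha1[i:i + 2] for i in range(0, len(sha1), 2))
    print("fingerprint as a browser would show it:", published)
    print("matches published value:", matches(SAMPLE_DER, published))
    print("matches after tampering:", matches(SAMPLE_DER + b"\x00", published))
```

The comparison only means something when the `published` value arrives over a channel separate from the one that delivered the certificate.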


Permalink: http://h-online.com/-746231