SSL certificate errors - John C. Kirk
Sep. 6th, 2008
02:06 pm - SSL certificate errors
I've just been along to the PruHealth website, so that I could check on my vitality points. Unfortunately, it turns out that their SSL certificate expired last night, so I get a big warning message when I try to access the site. I've reported the problem to them, and they should be able to fix it fairly easily, i.e. renew the certificate. However, I've now seen how different web browsers handle this problem, and I think Internet Explorer does a better job than Firefox overall.
In IE7, I get a warning when I try to access the site:
There's no way to view the certificate at this point, but I don't think that's a major problem; non-technical people won't understand it anyway, and techies can look at it before they actually enter any information.
If I choose to continue, the address bar goes red to remind me that there's a problem:
(The bigger the IE window, the darker the shade of red.)
I can now click on "Certificate Error" and view the certificate:
I've highlighted the expiry date; I was surprised that it said today, but I guessed that it meant midnight, i.e. last night rather than tonight.
When I phoned up, the lady I spoke to said that she didn't have any trouble accessing the website. I think that she was using IE6; I don't have access to a copy of that right now, and it's been a while since I last used it, but I vaguely recall that it would give some warning. Anyway, when I got her to click on the padlock, she said that the certificate was valid from 31-Aug-2006 to 09-Jun-2008. I'm guessing that this means the regional settings on her PC are wrong, i.e. it's displaying dates in the US format (month/day/year) rather than the UK format (day/month/year). Anyway, if the certificate did expire in June then there's definitely a problem! She said that she'd pass the information on to the relevant people.
I then had a look at the website in Firefox 2, and the initial warning looks like this:
This is a bit more informative than IE, since it gives a date and time (06/09/2008 00:59). Since we're in British Summer Time at the moment, that time corresponds to 05-Sep-2008 23:59 in GMT, which makes sense, i.e. just before midnight. The warning says that I should check my PC clock, to make sure that it's correct; technically this is valid advice, but it's far more likely that the problem is on the server side, particularly if Firefox is installed on a corporate PC (where all the times are synched from central servers).
If I choose to continue, the address bar looks completely normal, i.e. it's treated the same as any other secure website, with nothing to indicate a problem:
In fairness, Firefox 2 isn't the latest version, and I've been meaning to upgrade to v3 for a while, so this seemed like a good time. Trying the website again in Firefox 3.0.1, the initial warning looks like this:
This still shows the time when the certificate expired, and it no longer suggests a problem with the computer clock. However, there's no direct way to continue to the site.
If I click the link to add an exception, some buttons appear:
"Get me out of here!" takes me to Google, which is reasonable. However, "Add exception..." leads to a far more complicated screen:
There aren't any help buttons here, and you can't access the main Help menu because it's a modal dialog box. If you cancel this screen to access the Help menu, that takes you to the Firefox knowledge base, which you then have to search. The most relevant page I can find is Secure Connection Failed, which is remarkably uninformative: it just tells you to read the text on the screen and click the buttons.
Anyway, you have to click "Get Certificate" before you can do anything else:
(Really, they might as well automate that step, rather than forcing the user to click that button.) The certificate status isn't particularly helpful here, and I'm actually sceptical about their claims; even after a stolen certificate has expired, surely it will still show up in Certificate Revocation Lists? I've highlighted the particularly significant option (at the bottom of the page): "Permanently store this exception". It's on by default, which I think is an extremely bad idea. In a case like this, I'm willing to click through to the website for today, but that doesn't mean that I want to trust the expired certificate forever! If I untick that box, what happens? I.e. how long is "temporary"? The knowledge base doesn't mention this option at all, so there's no help there. I decided to try it and find out.
As with Firefox 2, once I continue to the site there are no warnings in the address bar:
In fact, it looks as if Firefox 3 doesn't do much colour coding at all, which is a pity; the address bar is white for unsecured sites, dodgy SSL certificates, and valid SSL certificates. The only difference is that it turns green for EV (Extended Validation) certificates, e.g. Verisign. Not many sites use EV certificates; my bank (Lloyds TSB) still have a standard certificate, so the absence of green is pretty meaningless at the moment.
I then went to look at the list of security exceptions, which isn't easy to find. Go to the Tools menu, then Options, and the Advanced tab:
Then click on "View Certificates", and go to the Servers tab:
According to that, the temporary certificate expires today (6th September), although it doesn't give a time. When I closed Firefox and came back into it, the temporary exception had disappeared, so I'm guessing it means something like "This exception is valid until the end of the day or until you close Firefox, whichever happens first".
I can't see any situation where you'd want to permanently trust an expired certificate. There are cases where you might want to trust a self-signed certificate, but that's fairly unusual, and I think that type of functionality should be tucked away via an obscure interface. For the average user, keep it simple: "There's a problem with this site, do you want to carry on or not?" So, thumbs up for IE and thumbs down for Firefox. I haven't tried out Google Chrome, but I'd be interested to hear from anyone who has; ditto for Safari etc.
Meanwhile, there's another problem on the PruHealth site (after you log in): they have a link to "View Nectar Statement", but it doesn't work. They're aware that this doesn't work yet, so apparently they're working on it. They've used a relative link rather than an absolute link, so when I click on the button I get sent to:
Missing off the "http://" at the start is an easy mistake to make, but if their webdevelopers are even halfway competent then it should also be an easy thing to fix. Sadly, between this and the BMI glitch, I don't have much faith in their skills.
By the way, I used the Snipping Tool in Vista to grab these screen shots; it's a very nice tool, which I only heard about recently via The Old New Thing.