SSL certificate errors - John C. Kirk

Sep. 6th, 2008

02:06 pm - SSL certificate errors


I've just been along to the PruHealth website, so that I could check on my vitality points. Unfortunately, it turns out that their SSL certificate expired last night, so I get a big warning message when I try to access the site. I've reported the problem to them, and they should be able to fix it fairly easily, i.e. renew the certificate. However, I've now seen how different web browsers handle this problem, and I think Internet Explorer does a better job than Firefox overall.

In IE7, I get a warning when I try to access the site:
IE7 warning
There's no way to view the certificate at this point, but I don't think that's a major problem; non-technical people won't understand it anyway, and techies can look at it before they actually enter any information.

If I choose to continue, the address bar goes red to remind me that there's a problem:
IE7 address bar
(The bigger the IE window, the darker the shade of red.)

I can now click on "Certificate Error" and view the certificate:
IE7 certificate
I've highlighted the expiry date; I was surprised that it said today, but I guessed that it meant midnight, i.e. last night rather than tonight.

When I phoned up, the lady I spoke to said that she didn't have any trouble accessing the website. I think that she was using IE6; I don't have access to a copy of that right now, and it's been a while since I last used it, but I vaguely recall that it would give some warning. Anyway, when I got her to click on the padlock, she said that the certificate was valid from 31-Aug-2006 to 09-Jun-2008. I'm guessing that this means the regional settings on her PC are wrong, i.e. it's displaying dates in the US format (month/day/year) rather than the UK format (day/month/year). Anyway, if the certificate did expire in June then there's definitely a problem! She said that she'd pass the information on to the relevant people.

I then had a look at the website in Firefox 2, and the initial warning looks like this:
Firefox 2 warning
This is a bit more informative than IE, since it gives a date and time (06/09/2008 00:59). Since we're in British Summer Time at the moment, that time corresponds to 05-Sep-2008 23:59 in GMT, which makes sense, i.e. just before midnight. The warning says that I should check my PC clock, to make sure that it's correct; technically this is valid advice, but it's far more likely that the problem is on the server side, particularly if Firefox is installed on a corporate PC (where all the times are synched from central servers).
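The date arithmetic above, and the day/month confusion from the phone call, as an added example (not part of the original post). The expiry instant is constructed from the times quoted in the post; the "current" time and the 30-day warning threshold are assumptions.

```javascript
// Constructed from the dates quoted in the post: expiry at 05-Sep-2008 23:59 GMT.
const NOT_AFTER = new Date(Date.UTC(2008, 8, 5, 23, 59));

// Break an instant into zero-padded calendar fields for a given time zone.
function fieldsIn(date, timeZone) {
  const fmt = new Intl.DateTimeFormat('en-GB', {
    timeZone, year: 'numeric', month: '2-digit', day: '2-digit',
    hour: '2-digit', minute: '2-digit', hourCycle: 'h23',
  });
  const f = {};
  for (const { type, value } of fmt.formatToParts(date)) f[type] = value;
  return f;
}

// Day/month/year, the order the Firefox 2 warning used on a UK machine.
function ukStyle(date, timeZone) {
  const f = fieldsIn(date, timeZone);
  return `${f.day}/${f.month}/${f.year} ${f.hour}:${f.minute}`;
}

// Month/day/year: the same instant with US regional settings.
function usStyle(date, timeZone) {
  const f = fieldsIn(date, timeZone);
  return `${f.month}/${f.day}/${f.year} ${f.hour}:${f.minute}`;
}

// A numeric date is ambiguous when either leading field could be the month.
function isAmbiguous(numericDate) {
  const [a, b] = numericDate.split('/').map(Number);
  return a <= 12 && b <= 12 && a !== b;
}

// Classify a certificate against a clock; warnDays is an assumed threshold.
function expiryStatus(notAfter, now, warnDays = 30) {
  const msLeft = notAfter.getTime() - now.getTime();
  if (msLeft <= 0) return 'expired';
  return msLeft <= warnDays * 24 * 3600 * 1000 ? 'expiring-soon' : 'ok';
}

const now = new Date(Date.UTC(2008, 8, 6, 13, 6)); // constructed "current" time
console.log('UK, London time:', ukStyle(NOT_AFTER, 'Europe/London'));
console.log('UK, GMT        :', ukStyle(NOT_AFTER, 'UTC'));
console.log('US, London time:', usStyle(NOT_AFTER, 'Europe/London'));
console.log('For a report   :', NOT_AFTER.toISOString(), expiryStatus(NOT_AFTER, now));
```

The "valid from" date of 31-Aug-2006 cannot be misread because 31 is not a month, whereas the expiry date reads as either 6 September or 9 June; quoting the ISO 8601 UTC form when reporting an expiry avoids that.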

If I choose to continue, the address bar looks completely normal, i.e. it's treated the same as any other secure website, with nothing to indicate a problem:
Firefox 2 address bar

In fairness, Firefox 2 isn't the latest version, and I've been meaning to upgrade to v3 for a while, so this seemed like a good time. Trying the website again in Firefox 3.0.1, the initial warning looks like this:
Firefox 3 warning
This still shows the time when the certificate expired, and it no longer suggests a problem with the computer clock. However, there's no direct way to continue to the site.

If I click the link to add an exception, some buttons appear:
Firefox 3 warning 2
"Get me out of here!" takes me to Google, which is reasonable. However, "Add exception..." leads to a far more complicated screen:
Firefox 3 add security exception

There aren't any help buttons here, and you can't access the main Help menu because it's a modal dialog box. If you cancel this screen to access the Help menu, that takes you to the Firefox knowledge base, which you then have to search. The most relevant page I can find is Secure Connection Failed, which is remarkably uninformative: it just tells you to read the text on the screen and click the buttons.

Anyway, you have to click "Get Certificate" before you can do anything else:
Firefox 3 add security exception 2
(Really, they might as well automate that step, rather than forcing the user to click that button.) The certificate status isn't particularly helpful here, and I'm actually sceptical about their claims; even after a stolen certificate has expired, surely it will still show up in Certificate Revocation Lists? I've highlighted the particularly significant option (at the bottom of the page): "Permanently store this exception". It's on by default, which I think is an extremely bad idea. In a case like this, I'm willing to click through to the website for today, but that doesn't mean that I want to trust the expired certificate forever! If I untick that box, what happens? I.e. how long is "temporary"? The knowledge base doesn't mention this option at all, so there's no help there. I decided to try it and find out.

As with Firefox 2, once I continue to the site there are no warnings in the address bar:
Firefox 3 address bar
In fact, it looks as if Firefox 3 doesn't do much colour coding at all, which is a pity; the address bar is white for unsecured sites, dodgy SSL certificates, and valid SSL certificates. The only difference is that it turns green for EV (Extended Validation) certificates, e.g. Verisign. Not many sites use EV certificates; my bank (Lloyds TSB) still have a standard certificate, so the absence of green is pretty meaningless at the moment.

I then went to look at the list of security exceptions, which isn't easy to find. Go to the Tools menu, then Options, and the Advanced tab:
Firefox 3 options
Then click on "View Certificates", and go to the Servers tab:
Firefox 3 Certificate Manager
According to that, the temporary certificate expires today (6th September), although it doesn't give a time. When I closed Firefox and came back into it, the temporary exception had disappeared, so I'm guessing it means something like "This exception is valid until the end of the day or until you close Firefox, whichever happens first".

I can't see any situation where you'd want to permanently trust an expired certificate. There are cases where you might want to trust a self-signed certificate, but that's fairly unusual, and I think that type of functionality should be tucked away via an obscure interface. For the average user, keep it simple: "There's a problem with this site, do you want to carry on or not?" So, thumbs up for IE and thumbs down for Firefox. I haven't tried out Google Chrome, but I'd be interested to hear from anyone who has; ditto for Safari etc.

Meanwhile, there's another problem on the PruHealth site (after you log in): they have a link to "View Nectar Statement", but it doesn't work. They're aware that this doesn't work yet, so apparently they're working on it. They've used a relative link rather than an absolute link, so when I click on the button I get sent to:
https://www.pruhealth.co.uk/medical/www.nectar.com/Login.snectar
rather than:
http://www.nectar.com/Login.snectar
Missing off the "http://" at the start is an easy mistake to make, but if their web developers are even halfway competent then it should also be an easy thing to fix. Sadly, between this and the BMI glitch, I don't have much faith in their skills.
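A link audit for this mistake, as an added example (not part of the original post and not PruHealth's code). The page name in `BASE`, the list of hrefs and the short TLD list are constructed for illustration, and the host-name test is a heuristic.

```javascript
// Hypothetical page under /medical/ that carries the broken link.
const BASE = 'https://www.pruhealth.co.uk/medical/statement.html';
// Short constructed list; extend it for the sites you actually link to.
const COMMON_TLDS = new Set(['com', 'net', 'org', 'uk', 'io']);

// True when the href carries its own scheme (http:, https:, mailto:, ...).
const hasScheme = (href) => /^[a-z][a-z0-9+.-]*:/i.test(href);

// Heuristic: the first path segment looks like a host name, not a file.
function looksLikeHost(href) {
  if (hasScheme(href) || /^[/#?.]/.test(href)) return false;
  const first = href.split(/[/?#]/)[0].toLowerCase();
  const labels = first.split('.');
  return labels.length >= 2 &&
    labels.every((l) => /^[a-z0-9-]+$/.test(l)) &&
    (labels[0] === 'www' || COMMON_TLDS.has(labels[labels.length - 1]));
}

// Report scheme-less hrefs that the browser will resolve under the current site.
function auditLinks(baseUrl, hrefs) {
  const findings = [];
  for (const href of hrefs) {
    if (!looksLikeHost(href)) continue;
    findings.push({
      href,
      resolvesTo: new URL(href, baseUrl).href,       // what the browser requests
      probablyMeant: new URL('http://' + href).href, // scheme is an assumption
    });
  }
  return findings;
}

// Constructed hrefs: one broken link among ordinary relative and absolute ones.
const SAMPLE_HREFS = [
  'www.nectar.com/Login.snectar',
  'Login.snectar',
  '/medical/points',
  'images/logo.png',
  'https://www.nectar.com/',
];
console.log(auditLinks(BASE, SAMPLE_HREFS));
```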

By the way, I used the Snipping Tool in Vista to grab these screen shots; it's a very nice tool, which I only heard about recently via The Old New Thing.

Comments:

From: elvum
Date: September 6th, 2008 01:23 pm (UTC)
If a website you use regularly's certificate has expired and the admin can't be bothered (or afford, or whatever) to replace it, you might want to permanently trust it. Or you might want to stop using that website, but that's not always a convenient option.

From: johnckirk
Date: September 6th, 2008 01:54 pm (UTC)
Cost shouldn't be an issue for most people, when companies like GoDaddy are selling SSL certificates so cheaply. However, the web admin could always use a self-issued certificate instead; that's what I used to do on my server, when I was the only person accessing it remotely. It doesn't take long to renew a certificate (less than 15 minutes on a Windows box), and if the admin is so lazy that they're never going to do that then I don't have much sympathy. If your data is so sensitive that it needs to be encrypted, do you really trust the non-admin to do backups/patches/etc.? If they just say "Sorry, I'm a bit busy right now, but I'll do that next week", it would make sense to click through the warnings (or do a temporary exception) until that happens. Even if it's a long term issue, and you choose to keep using that website, I'd say that it's still better to keep the warnings so that you're aware of the problem.

From: elvum
Date: September 6th, 2008 01:58 pm (UTC)
I'm not defending lazy admins, I'm defending the Firefox authors for including a feature. :-) It would have been inappropriate, I contend, for them to have decided on behalf of their users that it would be better for those users never ever to accept expired certificates permanently. It's not like you're forced to accept them permanently; if you prefer to see the warnings every time (as you do), you can.

From: totherme
Date: September 6th, 2008 08:10 pm (UTC)
It's the same procedure to set up a permanent exception for a self-signed certificate. Like my university's pages, for example.

From: totherme
Date: September 6th, 2008 08:08 pm (UTC)
"Really, they might as well automate that step, rather than forcing the user to click that button."

I think this is one of those rare cases, where the author of the software is justifiably being deliberately user-unfriendly. It seems to me that the whole point of this series of scary dialog boxes is to discourage people who don't know what they're doing from clicking through and trusting the site. If you know what a security certificate is, and why you would want to look at it before adding an exception (temporary or otherwise) for it, then you're probably qualified to add that exception. If you don't know what a security certificate is, or what to look for in it, then you probably shouldn't be clicking through.

Forcing the user to actively "get" the certificate makes it more likely that the user will look at the certificate they just "got". Automatically displaying it would lead most users to consider it useless background, as they hurry on through to the "ok" button.