Wednesday, August 20, 2008

Problem accepting self-signed SSL certificates on FF3

Firefox 3 changes the default handling of invalid SSL certificates to make it harder for end users to do things they probably don't want to do. If you have used FF3 to access an HTTPS web site via an intercepting proxy such as Burp, you probably know about this behaviour.

As documented, FF3 refuses to load an HTTPS site whose certificate it cannot validate (a self-signed certificate, for example). To reach the site you need to explicitly add an exception, which is more cumbersome than simply clicking a "connect anyway" button. An intercepting proxy sits in the middle of the SSL connection and presents its own self-signed certificate to the browser in place of the site's real one, so the browser cannot validate it and you cannot connect without creating an exception.

The problem is that, for many users, the feature does not work as documented. When FF3 receives an invalid SSL certificate, these users see only the following error dialog, with no option to add an exception:

You can try to add an exception manually, by going into Options / Advanced / Encryption / View Certificates / Add Exception ...

However, when you click "Get Certificate", you receive the same error dialog as before, and the "Confirm Security Exception" button is never enabled.

At this point, there is no clue within the product or documentation about how to fix the problem, and I've spoken to several users who have given up and used another browser.

However, you can fix the problem by tweaking FF3's configuration. The most likely cause is a loopback mismatch: on systems where "localhost" resolves to the IPv6 loopback address ::1 before 127.0.0.1, FF3 tries ::1 first, while a proxy that listens only on 127.0.0.1 never sees the connection behind "Get Certificate", so no certificate is ever fetched. Somewhat bizarrely, then, the fix is to go to about:config and change the network.dns.disableIPv6 option to true:

Having done this, you will now see a completely different error message when FF3 receives a self-signed SSL certificate:

If you follow the "Or you can add an exception ..." link, then everything works as documented, and you can add an exception for the invalid certificate:

I assume that Firefox will fix this usability issue at some point, but in the meantime, if you have had problems accepting invalid certificates, try disabling IPv6 in the FF3 configuration and see if things start working. Bear in mind that this is a browser-wide setting, and that an exception can be stored permanently, so it is sensible to do all of this in a separate profile used only for testing rather than in your everyday browsing profile.
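The following script is an added example, not code from the original post or from Firefox or Burp. It checks the loopback mismatch directly: it asks the OS resolver what "localhost" maps to, in order, probes each address for a listener on the proxy port, and reports whether the first candidate is dead and which literal address to use instead. The proxy port (8080) and the hostname "localhost" are assumptions, as is the explanation that IPv6 resolution of localhost is the root cause.

```python
"""Diagnose the localhost / IPv6 loopback mismatch behind the FF3 exception failure.

Added example; not code from the original post or from Firefox/Burp. Assumes an
intercepting proxy listening on PROXY_PORT (8080 is an assumed default) and that
the browser's proxy host is configured as "localhost".
"""
import socket

PROXY_HOST = "localhost"
PROXY_PORT = 8080  # assumption: the proxy's listening port


def resolver_candidates(host, port):
    """Addresses the OS resolver returns for host, in the order a client would try them.

    A system that lists ::1 before 127.0.0.1 is the interesting case here.
    """
    ordered = []
    for family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
        host, port, type=socket.SOCK_STREAM
    ):
        pair = (family, sockaddr[0])
        if pair not in ordered:
            ordered.append(pair)
    return ordered


def has_listener(family, addr, port, timeout=1.0):
    """True if a TCP connect to (addr, port) succeeds, i.e. something is listening there."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect((addr, port))
        return True
    except OSError:
        return False


def diagnose(candidates, listening):
    """Pure decision logic, kept separate so it can be exercised on constructed input.

    candidates: ordered list of addresses the hostname resolves to.
    listening:  set of those addresses on which a listener actually answers.
    Returns the first address a client would try, whether that attempt is dead,
    and a literal address to put in the proxy settings instead of the hostname.
    """
    alive = [a for a in candidates if a in listening]
    first = candidates[0] if candidates else None
    return {
        "first_candidate": first,
        "first_is_dead": first is not None and first not in listening,
        "dead_candidates": [a for a in candidates if a not in listening],
        "use_instead": alive[0] if alive else None,
    }


def main():
    cands = resolver_candidates(PROXY_HOST, PROXY_PORT)
    listening = {addr for fam, addr in cands if has_listener(fam, addr, PROXY_PORT)}
    verdict = diagnose([addr for _fam, addr in cands], listening)
    print(f"{PROXY_HOST} resolves to: {[a for _f, a in cands]}")
    print(f"listeners on port {PROXY_PORT}: {sorted(listening)}")
    if verdict["first_is_dead"] and verdict["use_instead"]:
        print(f"first candidate {verdict['first_candidate']} is dead; "
              f"point the browser's proxy setting at {verdict['use_instead']} "
              f"or set network.dns.disableIPv6 to true in about:config")
    elif verdict["use_instead"] is None:
        print("no listener found on any candidate: is the proxy running?")
    else:
        print("first candidate answers; the loopback mismatch is not the problem here")


if __name__ == "__main__":
    main()
```

Run it on the machine where the browser and proxy live, with the proxy started. If it reports that ::1 is dead and 127.0.0.1 answers, either workaround applies: point the browser at 127.0.0.1 instead of localhost, or disable IPv6 in about:config as described above.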


Anonymous said...

Thanks, awesome ... I've been trying to fix this problem for the last few days but didn't know how to do it.

Matt Presson said...

A friend of mine has also been on the mailing list for this specific issue.

The recommended workaround for proxies from Mozilla is to set your proxy to instead of localhost.

ascetik said...

I posted this as a bug a while ago on the Firefox site, and the recommendation that Matt provided is the workaround that Mozilla suggests. It works perfectly in my browser. If you're like me and use several proxies, then you will have to do the same for each. It worked with WebScarab as well. It will still ask you to create an exception for each certificate.

Anonymous said...

Self-signed certs are NOT invalid certs, unless they have expired. They are just as valid as any others. They are simply certs that, unlike commercial certs, are not inherently trusted by client browsers. This does not automatically make them any less secure, and with the proliferation of cheap "trusted" commercial certs it may only be a matter of time before a master key escapes into the wild and fake but trusted certs start appearing.

What hope is there for the poor old users when so much of the industry appears not to understand the fundamental difference between security and trustworthiness?

Anonymous said...

Thanks!! I've been looking for a workaround for months! I've been using other browsers but missed firebug. Cheers!

chinmay said...

Thanks a lot. Awesome fix!!
