Mozilla has included an update in Firefox 66 aimed at improving the effectiveness of the security warnings that the browser displays for SSL/TLS machine identity issues.
Released on 19 March 2019, Firefox 66 ships with redesigned error pages that spell out more clearly the risk of connecting to a site whose SSL/TLS certificate is invalid (expired, for example).
Web browsers such as Firefox, Google Chrome and Safari display a warning whenever they detect an attempted connection to a server presenting an invalid or otherwise risky certificate. To protect users against man-in-the-middle (MitM) attacks, these alerts tell the user that the connection is not secure. If the site has HTTP Strict Transport Security (HSTS) enabled, for instance because it appears on the browser's HSTS preload list, the browser refuses the connection outright and offers no way around the error. For any other site, the warning lets the user click through and continue at their own risk.
Meridel Walkington, senior content strategist at Firefox UX, notes that Firefox's old warning messages “included some vague, technical jargon nestled within a dated design.” These alerts traditionally told users that the site they were attempting to visit was not configured properly because its owner had used an invalid security certificate, and then offered the option of reporting the error to Mozilla.
By contrast, the new warning messages don’t mention website configurations. They do refer to certificates, but they break from the past in that they provide some valuable context in the process. Specifically, they explain how websites use certificates to verify their identities and note how someone could be using an invalid certificate to impersonate the site.
This is a significant step forward, as many users continue to be under-informed about the role that machine identities play in securing their machine-to-machine connections and communications. Educating users about the importance of machine identities is the first step in increasing their awareness about how to avoid the risks of clicking through a site that may be using a fraudulent certificate.
The messages make two additional changes aimed at better informing users. First, they allow users to view the digital certificate in question. Second, they include a section discussing what users can do next. A sample alert shared by Mozilla told users that they could reach out to the website’s admins, for example.
Mozilla’s changes come at a time when other browsers are also changing how they signal connection security to users. For instance, in 2018 Google announced plans to make HTTPS the default, unmarked state for web pages in an upcoming version of Chrome; by October 2018, Chrome was labelling plain (unencrypted) HTTP sites “Not Secure”.
Not everyone is a fan of how browser alerts have been handled in the past. Among them is Scott Carter, Senior Manager – US for Venafi. He doesn’t feel that vaguely worded warning messages make much difference to the average web user:
Most users are just going to click to accept the risk and continue on to the site. Like in so many other situations, the convenience of connecting to their destination outweighs the attendant security risks of doing so in the presence of an invalid security certificate. So why bother? Web browsers would be better off not loading the site in the first place.
For the sake of protecting its users against digital threats, every organization that owns a domain has an incentive to keep its SSL/TLS certificates valid. The best way to do this is with a centralized platform that manages all keys and certificates. In particular, such a tool should raise an alert when there is a problem with one of the certificates (an expiry date approaching, for example) and should automate the renewal process so the certificate never lapses.
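The following Go program is an added example, not code from the original article or from Mozilla or Venafi. Using only the standard library, it builds a throwaway CA and four constructed leaf certificates, then runs the checks a browser performs before showing an error page (validity period, hostname, trust chain) and maps each failure to the reason a warning would cite. It also models the two behaviours discussed above: a hard block for a host in an HSTS set (an assumed stand-in for the preload list) versus a click-through for other hosts, and a monitor-side alert when a certificate is within an assumed 30-day renewal threshold. The hostnames, CA names and dates are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertCheck is what a browser (or a certificate monitor) concludes about a
// server certificate before deciding whether to warn the user.
type CertCheck struct {
	Valid        bool
	Reason       string // "ok", "expired", "hostname-mismatch", "untrusted-issuer", "other"
	DaysToExpiry int    // negative once the certificate has expired
}

// newCert builds a self-signed CA (parent == nil) or a leaf signed by parent.
// Every certificate produced here is constructed test data, not from a real site.
func newCert(cn string, dns []string, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns,
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	signer := parentKey
	if parent == nil { // self-signed CA: sign with our own key, mark as CA
		parent, signer = tmpl, key
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// checkServerCert performs the browser-side checks: validity window, hostname
// match and chain to a trusted root, and names the first failure it hits.
func checkServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) CertCheck {
	days := int(leaf.NotAfter.Sub(now).Hours() / 24)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now})
	var invalid x509.CertificateInvalidError
	var hostErr x509.HostnameError
	var unknownCA x509.UnknownAuthorityError
	switch {
	case err == nil:
		return CertCheck{Valid: true, Reason: "ok", DaysToExpiry: days}
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired: // also covers "not yet valid"
		return CertCheck{Reason: "expired", DaysToExpiry: days}
	case errors.As(err, &hostErr):
		return CertCheck{Reason: "hostname-mismatch", DaysToExpiry: days}
	case errors.As(err, &unknownCA):
		return CertCheck{Reason: "untrusted-issuer", DaysToExpiry: days}
	}
	return CertCheck{Reason: "other", DaysToExpiry: days}
}

// userMayOverride models the browser's behaviour after a failed check: an HSTS
// host gets a hard block, any other host gets an "accept the risk" button.
func userMayOverride(host string, check CertCheck, hstsHosts map[string]bool) bool {
	return check.Valid || !hstsHosts[host]
}

// renewalDue is the monitoring side: alert when a certificate is at or below
// the renewal threshold (already-expired certificates are always due).
func renewalDue(check CertCheck, thresholdDays int) bool {
	return check.DaysToExpiry <= thresholdDays
}

// scenarios builds a trusted CA, a rogue CA and four leaf certificates that
// each exercise one outcome, evaluated as of "now".
func scenarios(now time.Time) (map[string]CertCheck, error) {
	ca, caKey, err := newCert("Example Test CA", nil, now.AddDate(-2, 0, 0), now.AddDate(10, 0, 0), nil, nil)
	if err != nil {
		return nil, err
	}
	rogueCA, rogueKey, err := newCert("Rogue CA", nil, now.AddDate(-2, 0, 0), now.AddDate(10, 0, 0), nil, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool() // the browser's trust store: only the real CA
	roots.AddCert(ca)

	type leafSpec struct {
		label, dns           string
		notBefore, notAfter  time.Time
		issuer               *x509.Certificate
		issuerKey            *ecdsa.PrivateKey
	}
	host := "shop.example.test" // made-up hostname the user is visiting
	specs := []leafSpec{
		{"valid", host, now.AddDate(0, 0, -30), now.AddDate(0, 0, 287), ca, caKey},
		{"expired", host, now.AddDate(0, 0, -400), now.AddDate(0, 0, -18), ca, caKey},
		{"wrong-host", "other.example.test", now.AddDate(0, 0, -30), now.AddDate(0, 0, 287), ca, caKey},
		{"untrusted", host, now.AddDate(0, 0, -30), now.AddDate(0, 0, 287), rogueCA, rogueKey},
	}
	out := make(map[string]CertCheck, len(specs))
	for _, s := range specs {
		cert, _, err := newCert(s.dns, []string{s.dns}, s.notBefore, s.notAfter, s.issuer, s.issuerKey)
		if err != nil {
			return nil, err
		}
		out[s.label] = checkServerCert(cert, roots, host, now)
	}
	return out, nil
}

func main() {
	now := time.Date(2019, 3, 19, 0, 0, 0, 0, time.UTC) // Firefox 66 release day
	hsts := map[string]bool{"shop.example.test": true}   // assumed stand-in for the HSTS preload list
	results, err := scenarios(now)
	if err != nil {
		panic(err)
	}
	for _, label := range []string{"valid", "expired", "wrong-host", "untrusted"} {
		r := results[label]
		fmt.Printf("%-10s reason=%-17s daysToExpiry=%4d override=%-5v renewalDue=%v\n",
			label, r.Reason, r.DaysToExpiry, userMayOverride("shop.example.test", r, hsts), renewalDue(r, 30))
	}
}
```

Go checks the validity window and hostname before it attempts to build a chain, so a certificate with more than one defect is reported under the first failing check; a monitor that wants the complete list would run the three checks separately. The `untrusted` case is the one the new Firefox wording is aimed at: a chain that does not end in a trusted root is exactly what an impersonating site presents.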