Mozilla Firefox 66 Improves In-Browser Security Warnings for SSL/TLS Machine Identity Issues

April 2, 2019 | David Bisson

Mozilla has included an update in Firefox 66 aimed at improving the effectiveness of the security warnings that the browser displays for SSL/TLS machine identity issues.

Released on 19 March, Firefox 66 ships with a redesigned error page that explains more clearly the risk of connecting to a site that presents an invalid (for example, expired) SSL/TLS certificate.

Web browsers such as Firefox, Google Chrome and Safari display a warning whenever they detect an attempted connection to a server that presents an invalid or otherwise untrustworthy certificate. To protect users against man-in-the-middle (MitM) attacks, these alerts tell the user that the connection they are attempting is not secure. If the site is on the browser's HTTP Strict Transport Security (HSTS) preload list, or has previously set an HSTS policy for that host, the browser refuses the connection outright and offers no override. Otherwise, the warning lets the user continue with the connection at their own risk.
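Whether a site is on the preload list decides whether a certificate error is a click-through warning or a hard stop, so an operator wants to know whether the HSTS header they send actually qualifies. The following is an added example, not code from Mozilla or Venafi: a POSIX shell check of a Strict-Transport-Security header value against the published hstspreload.org submission rules (max-age of at least one year, includeSubDomains, and the preload token). The sample header values are constructed.

```shell
#!/bin/sh
# Added example (not Mozilla's or Venafi's code): parse a Strict-Transport-Security
# header value and decide whether it meets the preload list's submission rules.
# Rules assumed here are the published hstspreload.org requirements:
# max-age of at least one year (31536000 s), includeSubDomains, and preload.

# Normalise a header value into one lower-case directive per line, with
# whitespace and optional quotes removed, e.g. 'max-age="300"; Preload'
# becomes the two lines max-age=300 and preload.
hsts_directives() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' \t"' | tr ';' '\n'
}

# Print the max-age value in seconds, or nothing if the directive is
# missing or malformed (non-numeric values are rejected).
hsts_max_age() {
    hsts_directives "$1" | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Return 0 if the header qualifies for preload submission, 1 otherwise,
# printing the first unmet requirement so the operator knows what to fix.
hsts_preload_ready() {
    max_age=$(hsts_max_age "$1")
    if [ -z "$max_age" ]; then
        echo "missing or malformed max-age"; return 1
    fi
    if [ "$max_age" -lt 31536000 ]; then
        echo "max-age $max_age is below one year"; return 1
    fi
    hsts_directives "$1" | grep -qx 'includesubdomains' \
        || { echo "includeSubDomains missing"; return 1; }
    hsts_directives "$1" | grep -qx 'preload' \
        || { echo "preload token missing"; return 1; }
    echo "preload-ready"
    return 0
}

# Constructed sample header values, as a server might send them.
hsts_preload_ready 'max-age=300; includeSubDomains'                  # max-age 300 is below one year
hsts_preload_ready 'Max-Age="31536000"; Preload'                     # includeSubDomains missing
hsts_preload_ready 'max-age=63072000; includeSubDomains; preload'   # preload-ready
```

The check deliberately parses the header rather than pattern-matching the whole string, because directive order, case and quoting all vary between servers; a site that passes it but is not yet on the list still gets click-through warnings, and one that is on the list gets none.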


Meridel Walkington, senior content strategist at Firefox UX, notes that Firefox's old warning messages “included some vague, technical jargon nestled within a dated design.” Those alerts told users that the site they were trying to visit was not configured properly because its owner had used an invalid security certificate, and then offered the option of reporting the error to Mozilla.


By contrast, the new warning messages say nothing about site configuration. They still refer to certificates, but they break from the past by supplying context: they explain that websites use certificates to prove their identity, and that someone could be using an invalid certificate to impersonate the site.

This is a significant step forward, as many users remain under-informed about the role that machine identities play in securing machine-to-machine connections and communications. Educating users about the importance of machine identities is the first step toward making them aware of the risk of clicking through a warning for a site that may be using a fraudulent certificate.

The new messages make two further changes aimed at better informing users. First, they let users view the digital certificate in question. Second, they add a section on what users can do next; a sample alert shared by Mozilla suggested contacting the website's administrators, for example.



Mozilla’s changes come at a time when other browsers are also making changes designed to protect users against MitM attacks that rely on invalid SSL/TLS certificates. For instance, back in June 2018, Google announced its plans to make HTTPS the standard, unmarked state for web pages in an upcoming version of Chrome. Sure enough, Chrome began marking unencrypted HTTP sites as “Not Secure” in October 2018.

Not everyone is a fan of the way browser alerts have been handled in the past. Among them is Scott Carter, Senior Manager – US for Venafi. He doesn’t think vaguely worded warning messages make much difference to the average web user:

Most users are just going to click “accept the risk” and continue on to the site. Like in so many other situations, the convenience of connecting to their destination outweighs the attendant security risks of doing so in the presence of an invalid security certificate. So why bother? Web browsers would be better off not loading the site in the first place.

For the sake of protecting its users against digital threats, every organization that owns a domain has an incentive to keep its SSL/TLS certificates valid. For a site that sends HSTS or sits on the preload list the stakes are higher still: an expired certificate is not a click-through warning but a hard outage, since the browser offers no override. The best way to stay ahead of this is a centralized platform that inventories all keys and certificates, raises an alert when one of them has a problem (an approaching expiry above all), and automates the renewal process.
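The alert such a platform raises reduces, at its core, to one question per certificate: will it still be valid at the end of the renewal window? The following is an added example, not Venafi's product or Mozilla's code, that answers it with the openssl command line. It generates a throwaway self-signed certificate (constructed input, so the script runs offline; the hostname demo.example and the 10-day lifetime are assumptions) and then checks it against 30-day and 5-day windows.

```shell
#!/bin/sh
# Added example (not Venafi's product or Mozilla's code): a minimal expiry check
# with the openssl command line, the alert a certificate inventory should raise
# well before a browser ever shows the error page.

# Return 0 if the PEM certificate in $1 is still valid $2 days from now, 1 if it
# will have expired by then. openssl's -checkend takes seconds, hence the multiply.
cert_valid_in_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Print the certificate's notAfter date, for use in the alert text.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Emit one line per certificate: OK when it outlives the renewal window of $2
# days, ALERT (with exit status 1) when renewal is due.
alert_if_expiring() {
    if cert_valid_in_days "$1" "$2"; then
        echo "OK: $1 still valid $2 days from now (expires $(cert_not_after "$1"))"
        return 0
    fi
    echo "ALERT: $1 expires within $2 days (on $(cert_not_after "$1")); renew now"
    return 1
}

# Constructed input: a throwaway self-signed certificate valid for $2 days, so
# the example runs offline. A real inventory reads certificates from servers
# or a store instead; the hostname demo.example is an assumption.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=demo.example" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

demo="${TMPDIR:-/tmp}/demo-cert.pem"
make_demo_cert "$demo" 10
alert_if_expiring "$demo" 30 || :   # ALERT: a 10-day certificate is inside a 30-day window
alert_if_expiring "$demo" 5         # OK: it outlives a 5-day window
```

Run against a directory of PEM files from a cron job, the non-zero exit status of alert_if_expiring is what a monitoring system would page on; the renewal window should be longer than the time it takes to issue and deploy a replacement, not the few days that "still valid" suggests.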


About the author

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.
