Firefox and SSL pages with self-signed certificates

Submitted by Druss on Tue, 2009-04-07 10:16

If you're a Firefox user (and usually, also a programmer), you've very likely come across situations where you are confronted with an error page while accessing an https address, because the certificate is self-signed. Getting around it involves adding an exception, which requires a multitude of steps ...

While I can understand the reasoning behind this, it becomes a real pain in the rear-end when you're just visiting a test site or dev site or even a local intranet site which is self-signed. Furthermore, while Firefox is extensively customisable, there is no option to turn this off in about:config etc. There have also been, until now, no extensions to work around this ...

When I whinged - yet again - about this earlier today, a kind soul pointed me to a new extension named Perspectives, a CMU project, which provides the following functionality:

  • If you connect to a website with an untrusted (e.g., self-signed certificate), Firefox will give you a very nasty security error and force you to manually install an exception. Perspectives can detect whether a self-signed certificate is valid, and automatically overrides the annoying security error page if it is safe to do so.
  • It is possible that an attacker may trick one of the many Certificate Authorities trusted by Firefox into incorrectly issuing a certificate for a trusted website. Perspectives can also detect this attack and will warn you if things look suspicious.

I just had to install the add-on to make the warnings go away. I still continue to get warnings in the status bar when there are sites that are misrepresented or have expired certificates ... a win-win situation if you ask me.

:)