Yes it is, thanks to inane design.

You are not getting it, just as everybody here, because nobody cares to explain the real reason. This is a deep design problem in FF:

- FF is currently NOT ABLE to download a resource on a server with non-compliant cert (for whatever compliance criteria, by default the criteria is that the cert must be signed by a known CA)

- FF is currently NOT ABLE to NOT display the whole ‘secure’ interface (including the green bar idiocy (1)) for any PAGE whose every HTTP elements have been obtained over SSL links with compliant certs (except that the MAIN element (the element whose address is in the address bar) must be downloaded over a green SSL link for the green bar to appear, obviously)

The problem FF 3 advocates don’t want you to know is that you must lower the bar (even for green sites) to be able to download ANY piece of information from a self-signed page.

(1) it must be understood that the green thingy provides additional certified information NOT additional security; we may as well have a blue bar for sites allowed to collect VISA card numbers, a yellow bar for Mastercard, a blue-white-red bar for sites allowed to collect French social security numbers, etc.

No it ABSOLUTELY does not, OBVIOUSLY.

OBVIOUSLY, a PASSIVE listener (f.ex. on a wireless link) will not be able to decrypt an SSL session made with a server using a self-signed certificate.

OBVIOUSLY, going from PASSIVE to ACTIVE means taking the risk of being detected, especially when fake certificates are going to be inserted, and thus MUCH LESS LIKELY to be done all other things being equal.

That makes it a MUCH LOWER RISK to have an SSL session with a server using a self-signed cert than a clear-text session.

You understand NOTHING about security. You just repeat what you have heard.

Let the grown-ups talk and LISTEN.

The simplest solution is also the best: notify the user about the problem, and then allow the user to proceed anyways at their option. A visual warning indicator can remain on the page. As long as this happens, firefox has done it’s job. Anything more is getting in the way of the user’s intentions without providing any benefit to anyone. Make a recommendation, but let the user drive.

An invalid cert is no less secure than vanilla HTTP, why all the ruckus?

Frankly, your nuts if you think a few days of expiration makes the cert any less secure than a few days earlier. The bank will renew the cert, but in the mean time there is no reason to prevent users from accessing the site using the old cert (so long as a clear notification is in place).

I hope all of you guys defending the FF SSL roadblock always say “NO” when asked about new SSH keys, otherwise you are total hypocrites.

As a FF user I hate to say this, but developers made a very poor judgment call with this design. I’ve developed a new habit of using IE again to access my routers because FF is so annoying. Focus on usability.

In the above example of the US army website, it’s pathetic that being an official website they haven’t installed a proper certificate.

It is the responsibility of professionals to create security awareness among end users about this and not to criticize the bold step taken by firefox.

Instead of making negative comments about firefox in forums and blogs like this one should encourage people to follow this, so that webservers would be installed with necessary certificates by respective authorities, thus increasing security.

***********************************************

[quote]Unauthenticated Key Exchange
Exchanging a private key without properly authenticating the entity/machine/service that you’re exchanging the key with. To have a secure session, both parties need to agree on the identity of the opposing party. [/quote]

@Indrek, system, etc
Here is why self-signed certificates are bad for the general public (emphasis on “general public”): it gives them the impression of security even though they have done nothing to ensure security. If you have done any programming for end users, you know that 80% of the people out there do not read. At. All. So, when they get a notification of a problem with a certificate, they just click “continue” without further thought. This is why a MITM attack on a site with a self-signed cert is so easy. The majority of users will never, ever stop to check the fingerprint, or even give it a second thought. they’ll just keep clicking through. Even if the cert error comes up in the middle of a session. But they see the padlock icon and ASSUME that everything is secure. That’s why giving self-signed/expired certs the same easy acceptance as Authenticated certificates is more dangerous than standard http: because the user THINKS their connection is secure, when it very well might not be.

Now, for the other 20% of the population out there, SS certs aren’t an issue. They know to check the cert, get the fingerprint, and then compare it to what the fingerprint should be. They become highly suspicious if the site they are on suddenly presents them with an unknown certificate in the middle of a session.

But those users arent the ones Mozilla is trying to address here; it’s the 80% they are trying to protect. By making it more cumbersome, they are at least TRYING to drill it into the user’s head that there might be an issue.

SS certificates have a place: intranets and sites where only that 20% visit.

Well, if that brings a convenient and free way to have valid certificates (and several on the same machine), it’s indeed a positive direction.

But in the meantime, you’ll have a very small number of new valid certificates, along with a huge number of websites either less secure (because HTTP is less secure than self-signed HTTPs), or not accessible from FF3.