Mozilla’s Firefox 3 New SSL Policy - Is This The Right Way?
Many people have been praising Mozilla’s Firefox 3 ever since pre-beta. I myself can easily throw myself onto that band wagon. But there is one feature that has been causing a little commotion, and I again can easily agree with the commotion.
Firefox 3 (FF3) limits usable encrypted (SSL) web sites to those that have an approved digital certificate from an authorized vendor of Mozilla’s choosing. Making it so you have to pay to be recognized. What’s the big deal?
When you visit an encrypted site in FF3, and that site uses a self-signed, or simply unapproved certificate, FF3 doesn’t immediately show the page. Instead you are greeted with what, at first glance, would seem to be an error page.
In order to move beyond this page, and actually continue to the site as intended you need to process through 4 clicks to add that site as an “exception”.
The use of a certificate is for SSL – which has two main purposes – allow connections to be encrypted so they can’t be snooped, and it allows sites to be authenticated so they can’t be impersonated. Advocates to Mozilla’s policy seem to only focus on the later stating that a self-signed certificate has no value for authenticating a web site. The real concern is that snooping is much more of a easily attainable threat then impersonation. So it is much more valuable to have a self-signed certificate than nothing at all. But doing so put’s yourself at a inconvenience for FF3 users.
This to me sounds like it is blatantly going against the notions of Net Neutrality. Something that has been fought to keep open for ages. Something like this completely discriminates against those not willing to purchase a “approved” certificate.

