TFL and SSL ("invalid certificate" messages)

[tyme]

Recently we've gotten more than a few complaints about the SSL certificate in use at TFL.

As anyone can see, we created the current self-signed cert over two years ago, before the recent hysterical Firefox changes. The self-signed cert costs nothing and allows anyone to use SSL to access TFL, if they're worried about their boss/neighbor/whoever snooping. This use of SSL for non-sensitive purposes is not futile or stupid IMO. Furthermore, with proper diligence -- checking the certificate's hash, ideally from multiple locations and over time -- it is possible to achieve reasonable confidence in the legitimacy of a self-signed certificate.

I don't want to go into the details of Firefox's obnoxious behavior or the reasons for it here. (google "firefox self-signed certificates" for heated opinions on both sides of the argument). I will point out that MSIE 7, Google Chrome, and Opera all handle self-signed certificates in a much more reasonable way. There is a firefox extension that deals with self-signed SSL certificates in a more sane manner: Perspectives.

"So what?"

Google and perhaps some other search engines are indexing SSL versions of pages/urls at TFL. This causes some innocent visitors to get sucked into the https version of TFL, and if they're using Firefox, they get a scary warning and no easy way to get around it. That's very bad.

Disabling SSL might work in the long run, but short-term it will break every incoming https link, which I don't think is a good idea.

Free SSL certificates: Not viable as far as I can tell... Neither Firefox 3, nor Opera (10 beta), nor IE7 or IE8 come with startcom's class 1 cert signing key. I just got a cert for TFL and tested it, and since there's no significant difference in warning messages I'm leaving the current self-signed cert for the time being. At least this way people who have already accepted the cert don't have to accept a new one.

What might work: one of the email complaints recommended sending Googlebot a different robots.txt to deny access when it tries to use SSL. I've started doing that (for all bots, not just google). (after further review, some people seem to think that Google doesn't differentiate https://site/robots.txt from http://site/robots.txt, so denying all in https:// could remove all hits for the site from google.) TFL is also now redirecting every https googlebot request to the non-SSL version of whatever page it wanted. I don't know how this will affect search indexing, but since it only affects SSL pages, which aren't the majority of incoming links to TFL, I'm willing to experiment. Unfortunately, changes targeted at google's indexing take time to go into effect.

So... ideas? I'm not very familiar with search engines' behaviors, so I can only guess how googlebot et. al. will react.

[Mike Irwin]

This is the first I've heard about this.

I googled the "firefox self-signed certificates" and did some reading... VERY interesting stuff.

What kind of costs are involved with a third party certificate authenticator?

I'm using Firefox 3.0.7 and I have NOT encountered any of these certificate issues.

[ChuckC]

Check your PMs tyme

[tyme]

One of the cheaper ones is comodo instantssl I think... $99/yr for 1 year, down to $65/yr for a 5-year cert.

It's just asinine to pay for a cert for TFL when hardly anyone would use it. The whole SSL thing was supposed to be optional for people who know they want it, know what the security implications are, and know enough to check if TFL supports it... (as you point out, most people won't even know about it unless they try it or get hijacked into using it because of silly search indexes and/or silly people linking to tfl with https://).

Chuck, thanks for the input, but we don't want Googlebot to get confused. We just want it indexing http:// pages rather than https://

[Mike Irwin]

Is there any way to create an automatic redirect from https: to http: and just forego the certificate issue entirely?

Have we heard from any members who have been impacted by this?

[tyme]

No, we cannot automagically redirect https to http to get around the problem. The https:// page headers (at least) have to be sent in order to redirect to http://, and no browsers are stupid enough to load and act on any page headers/contents before the user decides what to do about the questionable certificate. It would be a major security problem.

If the certificate is accepted there's no longer any reason to redirect, and if it's rejected then the page never loads at all so there can be no redirect.

And yeah, there have been a handful who were confused/worried by the warning, and at least one who complained knowing what was going on.

I think I'm going to start redirecting all external links to the http:// site as well. It won't fix the warning (see first paragraph of this post), but maybe it will keep people from propagating https:// links, and thus reduce the number of them getting indexed.

[Mike Irwin]

Well that's a bummer.

I just forced this by typing in https and the TFL site name. Got the warning splash screen and worked my way through adding a permanent exception.

I think I understand Mozilla's reasons for doing this, as hinted at in the one splash screen... "Legitimate banks," and e-commerce sites. They're worried about someone getting into a malicious financial spoof site and having their account numbers and passwords harvested and or otherwise having their identity compromised.

We're not an e-commerce site so the risk of something like that happening is non-existent.

It would be nice if Firefox expanded their warnings for when something like this would and would not pose a serious risk.

[JohnKSa]

I'm going to sticky this for awhile.