Presenting Security Exceptions to the User
By Clayton on Aug 19, 2008
There is a post today on Pingdom talking about the new Firefox SSL error page that appears when you try to connect to a site with a self-signed or invalid certificate.
As you see in the image above, it actually doesn't show the page you're going to until you explicitly allow it as an exception.
Pingdom goes on to talk about how this can create a lot of issues (particularly for internal sites), and estimates that 18% of Fortune 1000 web sites would be affected by this.
Much of my commentary on the laws of identity yesterday was related to the user experience and to how we need to look at how users really use their computers and their identities in order to understand the best real solutions to identity problems.
The question here is whether Firefox is over-warning. I would argue that it isn't. SSL with valid server certificates is one of the most basic steps a site can take towards being secure. Just because the US Army site above isn't using a valid cert and many other large companies neglected to update their certs doesn't mean that Firefox shouldn't be aggressive in its warning.
This is similar to the experience many of us had with white-pages directories in the '90s. At first the data in them was highly inaccurate, but once people started using them to find you, or authentication systems were hooked into them, suddenly you couldn't work with inaccurate information and were motivated to fix the problem.
The same thing will happen here with these sites. Unless they want the millions of Firefox 3 users to be put off, they'll upgrade to this minimum level of security. Once they have, the remaining exceptions will stand out and be an instant red flag that a site might not be what it seems.