

FF3 user reported bug about SSL certificate warning - vladimir
http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg04900.html

======
nuclear_eclipse
Unfortunately, there is no solution for stubborn, ignorant users who refuse to
read or understand what the computer is trying to tell them...

The single biggest obstacle here is not that Firefox couldn't convey the
problem to the user, but that the user didn't pay any attention to what
Firefox was trying to tell them. When the user thinks they're always right,
the software can never tell them otherwise...

Granted, I hate FF3's cert complaining process and I'm sure it could be
improved, but no matter what you do, short of refusing to accept bad certs,
this problem will continue to occur.

Oh, and Mozilla, while you try to fix this, will you _please_ add the CACert
root certificate to your browser? For the love of God, why should I trust a
$5000 certificate from an automated purchase with Verisign any more than a
free certificate verified by community members?

Edit: the first reply seems to be a better / more thorough explanation of the
point I was trying to make:
<http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg04902.html>

~~~
timcederman
It's always easy to blame the user, but without a complete mental model, they
have no idea why they're getting these warnings, and they've gotten them
enough in the past (try going to <https://paypal.com/>) that they think they
aren't significant.

This is a usability failing, pure and simple.

------
tptacek
Long story short: user received the ominous FF3 self-signed cert warning for
every site she visited. The problem: the sites weren't using self-signed
certs; she was the victim of a MITM attack. Because that's what a MITM attack
looks like: indistinguishable from a self-signed cert.

The moral: FF3's self-signed cert warning isn't ominous _enough_.
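The situation tptacek describes, as an added example that is not part of the thread and not Firefox's or any poster's code: a small Go program that runs the same check a browser runs on the certificate it is handed. It builds a demo root CA, a certificate for www.paypal.com signed by that CA, an attacker's self-signed certificate for the same hostname, and an honest self-signed certificate for a hostname called intranet.example; the CA, the keys and the hostnames are all constructed for the demo. Verifying against a trust store that holds only the demo root shows that the forged certificate and the honest self-signed one fail with the identical "unknown authority" verdict, while asking for the bare hostname with a certificate issued only for www.paypal.com produces the separate hostname-mismatch verdict timcederman mentions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // demo-only counter; a real CA uses random serials

// newCert issues a server (or CA) certificate for name. With parent == nil the
// certificate signs itself, which is what both an honest home-grown server
// certificate and an interception proxy's forged certificate look like.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func must(c *x509.Certificate, k *ecdsa.PrivateKey, err error) (*x509.Certificate, *ecdsa.PrivateKey) {
	if err != nil {
		panic(err)
	}
	return c, k
}

// classify runs the check a browser runs on the leaf the server (or the man in
// the middle) handed it: chain to a trusted root, match the requested hostname.
func classify(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	var unknownCA x509.UnknownAuthorityError
	var badName x509.HostnameError
	switch {
	case err == nil:
		return "trusted"
	case errors.As(err, &unknownCA):
		return "unknown authority"
	case errors.As(err, &badName):
		return "hostname mismatch"
	default:
		return "other: " + err.Error()
	}
}

// Scenarios builds the four constructed situations and returns the verifier's
// verdict for each, keyed by a short label.
func Scenarios() map[string]string {
	root, rootKey := must(newCert("Demo Root CA", true, nil, nil))
	roots := x509.NewCertPool() // the browser's trust store: only the demo root
	roots.AddCert(root)
	site, _ := must(newCert("www.paypal.com", false, root, rootKey))  // genuine, CA-issued
	forged, _ := must(newCert("www.paypal.com", false, nil, nil))     // what a MITM presents
	homegrown, _ := must(newCert("intranet.example", false, nil, nil)) // honest self-signed
	return map[string]string{
		"genuine cert, www.paypal.com":  classify(site, roots, "www.paypal.com"),
		"genuine cert, bare paypal.com": classify(site, roots, "paypal.com"),
		"forged cert, www.paypal.com":   classify(forged, roots, "www.paypal.com"),
		"self-signed intranet.example":  classify(homegrown, roots, "intranet.example"),
	}
}

func main() {
	for label, verdict := range Scenarios() {
		fmt.Printf("%-30s -> %s\n", label, verdict)
	}
}
```

The verifier cannot tell the forged www.paypal.com certificate from the honest intranet.example one: both chain to nothing it trusts, so both get the same "unknown authority" verdict, which is exactly why a warning that reads as "probably just a self-signed cert" under-states what the browser is actually seeing.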

