
The new Firefox 3 browser introduces a new security model that is much more picky when it comes to SSL (encrypted) HTTP servers.
First, the SSL certificate included with Pion is "self-signed," meaning that it is not validated by any Certificate Authority (or "CA"). Most browsers will warn you of this and give you a button that lets you "proceed anyway." Unfortunately, the Mozilla developers must have decided that too many people were "clicking through" without thinking and decided that Firefox 3 should instead make it extremely difficult to use self-signed certificates.
I would feel compelled to applaud the Mozilla folks for this, provided that they also started including support for free CA root certificates. Unfortunately, despite free CAs being just as secure and reliable as any other CA, browser vendors continue to force people to use paid CA services. In light of their lack of support for free CAs, the security tightening in Firefox 3 just means that small websites will have a hard time using HTTPS without paying money to "the man." I'm sure Verisign just loves this decision...
Arguments aside, self-signed certificates are always going to be necessary, especially for servers that don't and shouldn't have public hostnames. To allow people to use SSL while trying out Pion, we've been including a self-signed "localhost" certificate in our distro. Most browsers just complain before letting you proceed; Firefox 3 just gives you a cryptic error message.
To get Pion's interface working in Firefox 3, you can either replace the included certificate with a valid and "Mozilla approved" CA certificate from Verisign (just replace the sslkey.pem file in your config directory), disable SSL support in Pion (remove or comment out the <SSLKey> elements in the services.xml config file), or jump through Firefox's hoops:
- Open up the "Firefox -> Preferences" menu
- Click the "Advanced" icon
- Click the "Encryption" tab
- Click the "View Certificates" button to open a new window
- Click the "Servers" tab in the new window
- Click the "Add Exception" button
- Set location to "https://localhost:8080"
- (Make sure Pion is running)
- Click the "Get Certificate" button
- Click the "Confirm Security Exception" button
And then it will let you open up the Pion web interface in Firefox 3. Thanks Mozilla, for making our lives more difficult... The good news I guess is that you should only have to do this once.
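Before confirming the exception, it is worth checking that the certificate the server hands out is the one shipped in your config directory. The Python script below is an added example, not part of Pion: it assumes sslkey.pem contains a PEM CERTIFICATE block and that Pion listens on localhost:8080 as in the steps above, and its function names are illustrative.

```python
import base64
import hashlib
import re
import ssl
import sys

_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def cert_fingerprint(pem_text, algo="sha1"):
    """Colon-separated fingerprint of the first certificate in pem_text.

    Other PEM blocks in the same text (for example a private key) are ignored.
    """
    match = _CERT_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    # The fingerprint is a hash over the DER bytes, i.e. the decoded base64 body.
    der = base64.b64decode("".join(match.group(1).split()))
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(file_pem, served_pem, algo="sha256"):
    """True when both PEM texts carry byte-identical certificates."""
    return cert_fingerprint(file_pem, algo) == cert_fingerprint(served_pem, algo)


if __name__ == "__main__":
    # Usage: python check_cert.py path/to/sslkey.pem [host] [port]
    if len(sys.argv) < 2:
        sys.exit("usage: check_cert.py path/to/sslkey.pem [host] [port]")
    host = sys.argv[2] if len(sys.argv) > 2 else "localhost"  # assumed default
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 8080    # assumed default
    with open(sys.argv[1]) as fh:
        file_pem = fh.read()
    # Fetched without validation on purpose: trust is decided by the
    # fingerprint comparison below, not by a CA chain.
    served_pem = ssl.get_server_certificate((host, port))
    print("file   SHA1:", cert_fingerprint(file_pem))
    print("server SHA1:", cert_fingerprint(served_pem))
    if not same_certificate(file_pem, served_pem):
        sys.exit("MISMATCH: do not confirm the exception")
    print("match: the server presents the certificate from", sys.argv[1])
```

Compare the printed SHA1 value with the fingerprint shown in Firefox's certificate viewer before confirming the exception.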
In light of this new development, we are probably going to just have to disable SSL in the next release (support will still be there; it will just be turned "off" by default). Seems like the direction a lot of vendors and websites are being forced to take. =(
