SSL certificate errors

I’ve just been along to the PruHealth website. Unfortunately, it turns out that their SSL certificate expired last night, so I get a big warning message when I try to access the site. I’ve reported the problem to them, and they should be able to fix it fairly easily, i.e. renew the certificate. However, I’ve now seen how different web browsers handle this problem, and I think Internet Explorer does a better job than Firefox overall.

In IE7, I get a warning when I try to access the site:
IE7 warning
There’s no way to view the certificate at this point, but I don’t think that’s a major problem; non-technical people won’t understand it anyway, and techies can look at it before they actually enter any information.

If I choose to continue, the address bar goes red to remind me that there’s a problem:
IE7 address bar
(The bigger the IE window, the darker the shade of red.)

I can now click on “Certificate Error” and view the certificate:
IE7 certificate
I’ve highlighted the expiry date; I was surprised that it said today, but I guessed that it meant midnight, i.e. last night rather than tonight.

When I phoned up, the lady I spoke to said that she didn’t have any trouble accessing the website. I think that she was using IE6; I don’t have access to a copy of that right now, and it’s been a while since I last used it, but I vaguely recall that it would give some warning. Anyway, when I got her to click on the padlock, she said that the certificate was valid from 31-Aug-2006 to 09-Jun-2008. I’m guessing that this means the regional settings on her PC are wrong, i.e. it’s displaying dates in the US format (month/day/year) rather than the UK format (day/month/year). Anyway, if the certificate did expire in June then there’s definitely a problem! She said that she’d pass the information on to the relevant people.

I then had a look at the website in Firefox 2, and the initial warning looks like this:
Firefox 2 warning
This is a bit more informative than IE, since it gives a date and time (06/09/2008 00:59). Since we’re in British Summer Time at the moment, that time corresponds to 05-Sep-2008 23:59 in GMT, which makes sense, i.e. just before midnight. The warning says that I should check my PC clock, to make sure that it’s correct; technically this is valid advice, but it’s far more likely that the problem is on the server side, particularly if Firefox is installed on a corporate PC (where all the times are synched from central servers).

If I choose to continue, the address bar looks completely normal, i.e. it’s treated the same as any other secure website, with nothing to indicate a problem:
Firefox 2 address bar

In fairness, Firefox 2 isn’t the latest version, and I’ve been meaning to upgrade to v3 for a while, so this seemed like a good time. Trying the website again in Firefox 3.0.1, the initial warning looks like this:
Firefox 3 warning
This still shows the time when the certificate expired, and it no longer suggests a problem with the computer clock. However, there’s no direct way to continue to the site.

If I click the link to add an exception, some buttons appear:
Firefox 3 warning 2
“Get me out of here!” takes me to Google, which is reasonable. However, “Add exception…” leads to a far more complicated screen:
Firefox 3 add security exception

There aren’t any help buttons here, and you can’t access the main Help menu because it’s a modal dialog box. If you cancel this screen to access the Help menu, that takes you to the Firefox knowledge base, which you then have to search. The most relevant page I can find is Secure Connection Failed, which is remarkably uninformative: it just tells you to read the text on the screen and click the buttons.

Anyway, you have to click “Get Certificate” before you can do anything else:
Firefox 3 add security exception 2
(Really, they might as well automate that step, rather than forcing the user to click that button.) The certificate status isn’t particularly helpful here, and I’m actually sceptical about their claims; even after a stolen certificate has expired, surely it will still show up in Certificate Revocation Lists? I’ve highlighted the particularly significant option (at the bottom of the page): “Permanently store this exception”. It’s on by default, which I think is an extremely bad idea. In a case like this, I’m willing to click through to the website for today, but that doesn’t mean that I want to trust the expired certificate forever! If I untick that box, what happens? I.e. how long is “temporary”? The knowledge base doesn’t mention this option at all, so there’s no help there. I decided to try it and find out.

As with Firefox 2, once I continue to the site there are no warnings in the address bar:
Firefox 3 address bar
In fact, it looks as if Firefox 3 doesn’t do much colour coding at all, which is a pity; the address bar is white for unsecured sites, dodgy SSL certificates, and valid SSL certificates. The only difference is that it turns green for EV (Extended Validation) certificates, e.g. Verisign. Not many sites use EV certificates; my bank (Lloyds TSB) still have a standard certificate, so the absence of green is pretty meaningless at the moment.

I then went to look at the list of security exceptions, which isn’t easy to find. Go to the Tools menu, then Options, and the Advanced tab:
Firefox 3 options
Then click on “View Certificates”, and go to the Servers tab:
Firefox 3 Certificate Manager
According to that, the temporary certificate expires today (6th September), although it doesn’t give a time. When I closed Firefox and came back into it, the temporary exception had disappeared, so I’m guessing it means something like “This exception is valid until the end of the day or until you close Firefox, whichever happens first”.

I can’t see any situation where you’d want to permanently trust an expired certificate. There are cases where you might want to trust a self-signed certificate, but that’s fairly unusual, and I think that type of functionality should be tucked away via an obscure interface. For the average user, keep it simple: “There’s a problem with this site, do you want to carry on or not?” So, thumbs up for IE and thumbs down for Firefox. I haven’t tried this out in any other browsers (e.g. Google Chrome).

By the way, I used the Snipping Tool in Vista to grab these screen shots; it’s a very nice tool, which I only heard about recently via The Old New Thing.

Leave a Reply

Your email address will not be published. Required fields are marked *