I don’t mind the warning. I do mind the half a dozen of clicks to dismiss what could be said and done in one or two.

However, for those of us who _are_ using self-signed certs it’s important to realize that Firefox 3′s system actually makes it easier to detect problems with those certs. If they change, you actually get a warning about it instead of just getting the same warning dialog with only slightly different text.

If you go read Johnathan’s post you will see that the tools to act as a man in the middle are getting easier and easier. We’re trying to get out ahead of those tools as best we can, attempting to make life better for users.

We won’t get everything right the first time but what we have is far better for less technical users and I would argue is better than Firefox 2 for technical users since it has a sense of certs changing and can give you a useful warning instead of just the same old dialog.

Also, in that report 58% of _what_ certs? Those that are most likely to be phished? Top 100 commerce sites? Or everything everywhere? For the commercial sites that I visit (a couple of banks, other secure commerce sites) I have never ever seen a bad cert. About the only time I see the cert warning dialog is when I am accessing one of these new-fangled free software site thingies.

We talked about CACert a little bit at the summit and there’s a bug on file. CACert needs to go through the same process as every other CA that we include in our root certs. I’ve seen one assertion in another blog that says “it’s because of Mozilla’s policy” and that’s true on fact, but not in spirit. CACert needs to meet a basic set of criteria to be included in our root set and it’s non-trivial for a reason.

Anyway, just a bunch of thoughts on the topic. Feel free to follow up on my blog if you want.

As Toady said, though, getting CAcert into Firefox should help.

Self-signed certs provide *encryption* but do not guarantee the identity of the server.

I really don’t mind the new dialog that much. If you do, I suggest using cacert.org. That will mean only having to add 1 exception globally instead of 1 per site.

The old dialog may have been faster to get through, but wow it was ugly.

Self-signed certificates do not indicate that the DNS hasn’t been attached and you haven’t entered a phishing site. However noone can decrypt the communication. So it only guarantee that nobody read the username/password except the server I connected to.

> If you’re running a volunteer site, and want a self-signed cert just to encrypt usernames & passwords, your visitors represent less than 1% of the internet population, sucks to be you!

Why do you provide a version for Linux? We are also <1% of Internet population as well.

As my dad used to say: “a slip of the tongue is no slip of the mind, but if it slips too often, it gets caught behind”. Never really understood what that meant, but it sounded good