I find it odd that firefox now trains people to ignore certificate warnings.

image: firefox screenshot

A certificate is a mechanism to assure you that the website you're visiting is genuine: that any cons and rip-offs on the site are genuine cons and rip-offs, that it is the site it claims to be. Certificates are issued by trusted third parties, in a chain of identity verification that's fairly solid. Ultimately, they're more reliable than nothing, although that isn't saying as much as many people seem to think.

Firefox has a problem at the moment which means it gets aspects of certification wrong. For example, it objects to self-signed certificates (it has other errors too). Now, that's fair enough: such certificates are dubious. However, it doesn't allow me to tell it that, actually, that site is genuine, so it always objects to a site that I, the user, know to be genuine—because I set the sodding thing up.

The screenshot shows a site I've put up myself, on my internal subnet, to allow me to check out Nextcloud. I can't use one of those nice free Let's Encrypt certificates on the site because it is not visible to the internet, as Let's Encrypt requires. So I have to use a self-signed certificate.
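As an added example (not from the post), here is the usual way to set up such a self-signed certificate for an internal host, together with the check worth doing before telling any browser to trust it: compare the SHA-256 fingerprint shown in the warning with the fingerprint of the certificate you actually generated. The host name nextcloud.internal.example and the output directory ./selfsigned are assumptions.

```shell
#!/bin/sh
# Added example, not from the post. Assumed values: host name
# "nextcloud.internal.example", output directory "./selfsigned".
set -eu

HOST="nextcloud.internal.example"   # assumed internal host name
OUT="${OUT:-./selfsigned}"

# Generate a 2048-bit RSA key and a self-signed certificate valid for 365 days.
# The subjectAltName matters: browsers match the host name against the SAN,
# not the CN, so a certificate without it still fails the host-name check.
make_selfsigned_cert() {
    mkdir -p "$OUT"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$OUT/key.pem" -out "$OUT/cert.pem" \
        -subj "/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST" 2>/dev/null
}

# Print the colon-separated SHA-256 fingerprint, the value a browser shows
# in its certificate details when it raises the warning.
cert_fingerprint() {
    openssl x509 -in "$OUT/cert.pem" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# "Self-signed" means issuer and subject are the same entity; report that
# explicitly rather than inferring it from the browser's error text.
is_self_signed() {
    issuer=$(openssl x509 -in "$OUT/cert.pem" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$OUT/cert.pem" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ]
}

# Compare a fingerprint copied from the browser dialog (any case, with or
# without spaces) against the certificate on disk. A mismatch means the
# warning is about some other certificate, not the one you set up.
fingerprint_matches() {
    shown=$(printf '%s' "$1" | tr 'a-f' 'A-F' | tr -d ' ')
    [ "$shown" = "$(cert_fingerprint)" ]
}
```

Only add a browser exception when fingerprint_matches succeeds for the value the warning displays; the warning is doing its job whenever it does not.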

Now, I accept it is valid for firefox to warn people when they first come to a site that it has a self-signed certificate. However, it is wrong, indeed clueless, for firefox to imply, by disabling the option to mark the site as valid, that such sites can never be valid.

By preventing me from telling firefox to stop being quite so stupid, firefox's warnings are becoming spurious. They encourage me to ignore its warnings, because most of the time those warnings are annoying falsehoods; they're worse than noise. By getting this wrong, firefox weakens the power of its warnings, and so weakens the security it's apparently trying to strengthen. This is the mistake.

Firefox should give the warning, but allow the user to tell it, yes, this site is valid.