Firefox 3 makes great hay over how much happier they are for their security bits. Especially their seemingly deeply thought-out position on not allowing self-signed certificates to be used easily on the web. Kudos to them for their stance.
One … well … not so small … problem.
It breaks things. No, I am not arguing whether or not self-signed is good or bad.
It breaks things you can’t possibly fix. Like embedded web servers in remote systems. You know, like the systems that we support.
Suddenly “upgrading” to FF3 breaks these non-upgradable web servers. Because the logic in FF3 doesn’t seem to accept allowing all exceptions, only ones where the button to allow the exception actually works.
Yeah, that’s right. I am sitting staring at a screen with FF3 happily and cheerfully telling me what an idiot I am for even considering using a self-signed certificate site, and not allowing me to get past its obviously morally and self-righteously superior modal dialog box … whilst a customer with a problem is begging us to fix it.
Hmmm…. what to do … what to do…
I feel an “upgrade” is in order. To FF2. Yeah, Mozilla Corp won’t like it. They will stop supporting it real soon.
By then, we will be on a new, non-Mozilla browser.
Good job Mozilla, you are obviously more superior in your security than I. You are obviously protecting us from the millions of web servers embedded within devices that use expired or self-signed certificates, which CANNOT BE CHANGED OR UPGRADED.
The last boneheaded thing like this I saw was our friends at Reuters. Seems like they don’t like PDAs browsing their sites. They insist you update to a more modern browser.
Which isn’t generally possible on a PDA.
Nor is it generally possible to flash a new certificate into an embedded HTTP server.
So this forces our hand. FF3 has been, outside of this issue, IMO, a horrible step backwards. Lots of functionality, useful stuff, was lost in the transition. Little was gained.
I am now giving Opera a serious re-looking at. It runs everywhere, it deals with Java semi-intelligently, and it doesn’t balk at the security bits which we can’t change. It does the right thing.
[Update] The embedded web servers are in IPMI cards BTW, and an HP inkjet printer we have. Switching to Opera and a quick googling got me the right Java-goodness (never thought I would apply that word to Java), and whammo. It worked. System restored. Customer happy. Had I stuck with another broken technology, it would not have been fixed. I wonder if I am going to get flamage back, or intelligent, well-reasoned, self-righteous replies. Or even wake someone up in the Mozilla organization by filing a bug against the browser. Since they don’t understand why what they did is broken, they most likely will mark it WONTFIX. Which means my effort would be not all that different from tilting at windmills. Which I won’t do.