Security, Crypto, and Random Topics
17th-Aug-2008 06:49 pm - Thawte S/MIME cert enrollment broken?
A friend tried to get a Thawte S/MIME cert tonight, and was having trouble.  I decided to get a new cert to walk him through the process.  It turned out to be a change in the Thawte enrollment process that I hope is a web site bug.

After the Thawte CA issues the cert, it takes you to a page with the "Fetch" button at the bottom.  When you click on that button, Firefox is supposed to import the certificate so you can use it.  Instead, tonight my friend and I got this confusing Save File dialog.

Eh?  SPC files are code signing certs, right?

I tried to alert Thawte, but that also proved to be a challenge.  Their vintage email submission code does not allow exotic symbols like equals, quotes, and parentheses.  Sadly, that means I cannot include actual URLs to their site since many of the good ones include an equals sign.

I really like the Thawte free S/MIME cert program and I hope they get this fixed before you read this entry. ;-)
12th-Aug-2008 07:37 pm - Finding text using Firefox 3
There is a lot to love in Firefox 3. But one of the things I still struggle with is the Find Text feature. It just doesn't work the way I do and I don't think it's gotten much attention in years.

First, the Next and Previous buttons are backwards. See this page for a visual. But let's ignore that for a bit.

Second, Firefox always scrolls long pages such that the search string, if it appears on the page, is positioned at the very bottom of the page. Aren't there some better algorithms than that? It's often the case that the first occurrence of a word is the first of many occurrences, but all the subsequent hits are hidden below the visible window region. At a minimum, FF should scroll so the string is in the middle of the page.

Third, I'd like Firefox to highlight all occurrences of the word. Maybe my usage pattern is very different from most people, but I'd like to see all occurrences highlighted, and the "Highlight all" button removed. Why would you not want to see all the results? Search engines don't return one result and wait for you to say "Next". Further, sometimes the string is hard to see on web sites with strange color choices. I'd like to see someone come up with a way to make them more visible (without blinking, of course).

Fourth, I'd like for the text I'm searching for to remain highlighted across page transitions. If I'm looking for a term on a page, and then click on a link to another page on that site, I'm frequently looking for the same term on that page also. So I hit "Highlight all" again, click to another page, click "Highlight all", and so on.

The Google toolbar does some of what I want, but it seems to only do it when I've sent the query string to Google. What about pages on my home or work networks?

I spend time each day trying to find the right stuff on a page. I'd like to see some real innovation for Firefox 4!

Is there a plug-in that I should be using?
12th-Oct-2007 10:37 am - SSL errors ain't what they used to be
Background
We've been making some changes to improve the security of SSL sessions. You'll start to see these changes starting in upcoming builds of Firefox 3. These changes will fall into two categories:
  1. UI improvements that include support for Extended Validation (EV) certificates
  2. UI to handle SSL errors
The first change is outside the scope of this blog entry (though those changes are important). If you want to get more information on those topics, you might start by reading Johnathan Nightingale's blog entries here.

This post describes the changes we're making to the error messages Firefox displays when you encounter an SSL problem. The most common problems we see are:
  1. Expired certificate: The certificate that the SSL server sent to Firefox was expired. Certificates that have expired are not valid in much the same way that credit cards are not valid once they have expired.
  2. Self-signed certificate: The certificate's issuer is itself. This type of certificate is most common in test servers, and on intranets. Banks, online stores, and other reputable businesses would never use a self-signed certificate.
  3. Incomplete certificate chain: The SSL certificate chains to a CA (intermediate or root) that Firefox either does not have, or does not trust. In either case, Firefox cannot connect the dots to be sure that the site is who it claims to be.
  4. Domain mismatch: The web address you are visiting says one thing, but the certificate was issued to a different address. A common scenario exhibiting this problem occurs when you visit http://example.com but the certificate was issued to www.example.com.
In previous versions of Firefox, we presented a dialog box that described the error and allowed users to continue anyway. The problem with this approach is that in general users don't know what the implications of such a decision are. We've seen many instances where people breeze by those warnings without a second thought. Software shouldn't ask users questions they cannot answer.

You can read more about the change to SSL errors on Johnathan's blog entry here.

Overriding errors: Exceptions
While in most cases the error page warns of a misconfigured server (or possibly an attack), there are some special circumstances when knowledgeable users will need to override these errors. For example, web site administrators might have an internal test or staging server. That server might use SSL, but with a self-signed certificate that Firefox would not be able to validate. In such cases, there is a way for knowledgeable users to override the error.

To override the error, you need to create an exception. The SSL exception dialog is located in the Preferences window, under Advanced/Encryption/View Certificates. Once there, click on the Servers tab, and then on "Add Exception...". The UI should be straightforward from there. You can add as many exceptions as you need for your testing purposes.

Sharing exceptions
There are also cases where administrators might wish to share their overrides between themselves. One admin might go through each of the internal sites that uses self-signed certificates. He can then share his override settings with other administrators. If you fall into one of these special cases, here is some information on how you can share override information.

The override definitions are stored in your Firefox 3 profile directory in a file called cert_override.txt. You can share the lines in that file that pertain to the web site in question.

For those of you who want to know more about the format of that file, here is the breakdown:
  1. hostname:portnumber (primary key). The override is bound to this combination of hostname and port number.
  2. OID of the hash algorithm used to generate the certificate fingerprint. This is currently set to OID.2.16.840.1.101.3.4.2.1, which means SHA-256, and may change in the future.
  3. Certificate Fingerprint using the algorithm from the previous field
  4. One or more characters that define the type of override: M, U, and/or T:
    1. M : allow mismatches in the hostname
    2. U : allow untrusted certs (whether it's self signed cert or a missing or invalid issuer cert)
    3. T : allow errors in the validity time, like expired or not yet valid certs
  5. A special encoding of the allowed cert's serial number and the issuer name as a base64 encoded string (the database key obtained from NSS)
Note: shut Firefox down before you edit your cert_override.txt file. Otherwise the file will be overwritten and your changes lost.
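As an added illustration of the field breakdown above (this is example code written for this post, not Firefox or NSS code), here is a small Python parser for cert_override.txt that checks each line against the rules given: the hostname:port key, the SHA-256 OID, the fingerprint, and the M/U/T flags. It also shows what an override actually decides: an entry only applies when the host and port match, the SHA-256 fingerprint of the presented certificate matches, and every error the connection exhibits is covered by the stored flags. The tab separator between fields, the colon-separated uppercase hex spelling of the fingerprint, the leading comment lines and the sample certificates and database key are all constructed assumptions for the example; the post does not state them.

```python
import base64
import hashlib
import re
from dataclasses import dataclass

# OID given in the post for the fingerprint hash algorithm (SHA-256).
SHA256_OID = "OID.2.16.840.1.101.3.4.2.1"
# The three override flags described in the post.
VALID_FLAGS = frozenset("MUT")
# Assumed spelling: 32 uppercase hex bytes separated by colons.
_FINGERPRINT_RE = re.compile(r"^([0-9A-F]{2}:){31}[0-9A-F]{2}$")


@dataclass(frozen=True)
class Override:
    host: str
    port: int
    fingerprint: str    # SHA-256 of the DER certificate, colon-separated hex
    flags: frozenset    # subset of {"M", "U", "T"}
    db_key: str         # NSS database key (serial + issuer); treated as opaque here


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate in the assumed colon-hex spelling."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_cert_override(text: str) -> list:
    """Parse the five tab-separated fields per line, rejecting anything malformed."""
    overrides = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # assumed: comment/header lines start with '#'
        fields = line.split("\t")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        hostport, oid, fp, flags, db_key = fields
        host, _, port = hostport.rpartition(":")
        if not host or not port.isdigit():
            raise ValueError(f"line {lineno}: bad hostname:port {hostport!r}")
        if oid != SHA256_OID:
            raise ValueError(f"line {lineno}: unsupported fingerprint OID {oid}")
        if not _FINGERPRINT_RE.match(fp):
            raise ValueError(f"line {lineno}: malformed SHA-256 fingerprint")
        if not flags or not set(flags) <= VALID_FLAGS:
            raise ValueError(f"line {lineno}: flags must be a non-empty subset of M, U, T")
        overrides.append(Override(host, int(port), fp, frozenset(flags), db_key))
    return overrides


def override_applies(overrides, host: str, port: int, der_cert: bytes, errors) -> bool:
    """True only if an entry for host:port pins exactly this certificate and its
    flags cover every error class observed on the connection (subset of M, U, T)."""
    fp = fingerprint(der_cert)
    for o in overrides:
        if o.host == host and o.port == port:
            return o.fingerprint == fp and set(errors) <= o.flags
    return False


# Constructed stand-ins for two DER-encoded certificates (not real certificates).
STAGING_CERT = b"constructed DER bytes for staging.internal.example"
INTRANET_CERT = b"constructed DER bytes for intranet.example"
# Constructed placeholder for the NSS database key field.
PLACEHOLDER_KEY = base64.b64encode(b"placeholder serial+issuer key").decode()

# Constructed sample file in the assumed layout: one override that only tolerates
# an untrusted (self-signed) issuer, and one that tolerates all three error classes.
SAMPLE_FILE = "\n".join([
    "# PSM Certificate Override Settings file",
    "# constructed sample, not a real profile file",
    "\t".join(["staging.internal.example:443", SHA256_OID,
               fingerprint(STAGING_CERT), "U", PLACEHOLDER_KEY]),
    "\t".join(["intranet.example:8443", SHA256_OID,
               fingerprint(INTRANET_CERT), "MUT", PLACEHOLDER_KEY]),
])

if __name__ == "__main__":
    for entry in parse_cert_override(SAMPLE_FILE):
        print(f"{entry.host}:{entry.port} flags={''.join(sorted(entry.flags))} "
              f"fingerprint={entry.fingerprint[:23]}...")
```

The fingerprint check is what makes sharing these lines safe to reason about: an override copied from another administrator's file only helps if the server really presents the certificate that was pinned, and a line whose flags are wider than the errors the site actually produces (MUT for a server that is merely self-signed) is worth trimming before it is shared.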