SSL is a Pain in the Ass
While logging into my TypePad account tonight, I was greeted in Safari 5 with one thing that I, as a web site administrator, hate to see:
Yep. TypePad's SSL certificate must have been up for renewal, they renewed it with a cert from GoDaddy, and Safari is freaking out about it. When these kinds of things happen, it reminds me how sucky SSL can be and how we web site administrators end up looking silly to our bosses and customers for things that are often out of our control. If you are a customer of TypePad and seeing this message like I am, don't go giving them a hard time about it. It happens. It sucks when it does but it happens and sometimes we can't do anything about it.
If any of TypePad's site administrators are reading this, let me just take this time to say that I get it. I really, really do. I've been there. Forces are against us. SSL is a pain in the ass. Certificates expire in the middle of the week. CAs advertise $29 certificates that we dare not use, otherwise the security folks will be in our cubes slamming us for buying domain-validated certs. Certificate vendors change their root or intermediate certificates all the time. Browser vendors implement their own certificate stores populated with whatever root and intermediate certs the CAs paid them to include. OpenSSL and JSSE have their own keystores. Keys go away and new ones get added in when updates are applied. Application servers often have their own keystores as well. Some browsers display problems while other browsers do not. I've been a long-time customer of one particular CA for over a decade and one time I remember seeing emails from them stating that sometime in the first or second quarter of next year, they will be signing newly ordered certificates with a new intermediate cert. Sometime over the course of a future six-month period? Really?? Will I find out which one I should be chaining when I implement it and get all those Unknown CA warnings?
In today's case with TypePad, Chrome and Safari 5 burp up a warning that the certificate is not trusted. Firefox and Opera, however, let it go. As a technical user, I wonder if I'm seeing a TypePad configuration problem or is it simply that Chrome and Safari's (or my operating system's) keystores lack the proper CA certificate? How should a user react? It's not something that one can simply say "ah ha!" to and thereby know whether or not you should trust the connection. Should my trust in Apple or Google be shaken now? Is my trust in Opera strengthened because of this incident? Should I be trusting TypePad? Why isn't Firefox warning me? Is it broken or is it working? Why is IE6 letting everything through? SSL is supposed to be about trust but when you actually think about all the problems that can and do arise, how can we trust it? A green bar?
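An administrator can separate those two explanations (server chain misconfigured versus root missing from the client's store) with `openssl verify`. The script below is an added example, not part of the original post: it builds a constructed three-tier PKI and classifies what a client would conclude. All names (Example Root, www.example.test, the `diagnose` helper) are made up, and it assumes OpenSSL 1.1.0 or later, where `verify` exits non-zero on failure.

```shell
#!/bin/sh
# Constructed PKI for illustration: Example Root -> Example Intermediate -> leaf.
set -e

mkca() {   # mkca NAME CN: self-signed root written to NAME.pem / NAME.key
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue() {  # issue NAME CN ISSUER CA_FLAG: NAME.pem signed by ISSUER.pem
  printf 'basicConstraints=critical,CA:%s\n' "$4" > "$1.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 2 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# diagnose STORE LEAF SENT PUBLISHED
#   STORE: roots this client trusts; SENT: chain the server presented (leaf first);
#   PUBLISHED: the intermediate(s) the CA publishes for this certificate.
diagnose() {
  if openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1; then
    echo "ok"
  elif openssl verify -CAfile "$1" -untrusted "$4" "$2" >/dev/null 2>&1; then
    echo "server-chain-incomplete"   # fix on the server: install the intermediate
  else
    echo "anchor-not-in-store"       # this client's store does not lead to a trusted root
  fi
}

D=$(mktemp -d)
mkca  "$D/root"  "Example Root"
mkca  "$D/other" "Unrelated Root"
issue "$D/int"   "Example Intermediate" "$D/root" TRUE
issue "$D/leaf"  "www.example.test"     "$D/int"  FALSE
cat "$D/leaf.pem" "$D/int.pem" > "$D/sent-full.pem"   # correctly configured server
cp  "$D/leaf.pem" "$D/sent-leaf-only.pem"             # server forgot the intermediate

echo "full chain, root trusted:  $(diagnose "$D/root.pem"  "$D/leaf.pem" "$D/sent-full.pem"      "$D/int.pem")"
echo "leaf only,  root trusted:  $(diagnose "$D/root.pem"  "$D/leaf.pem" "$D/sent-leaf-only.pem" "$D/int.pem")"
echo "full chain, root unknown:  $(diagnose "$D/other.pem" "$D/leaf.pem" "$D/sent-full.pem"      "$D/int.pem")"
```

Against a live site, the SENT file would be the certificates printed by `openssl s_client -showcerts`. The last branch also catches other verification failures, so it narrows the question without fully settling it.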
Browser writers and SSL library developers should not be placing this much technical responsibility in the hands of the average end-user. They should not be putting up some vague message that says "This certificate was signed by an unknown authority." There aren't too many people who know what that means. The message should be something like, "The certificate in use on this web site is not recognized by this browser. This could actually be this browser's fault for not having the latest certs. Or the operating system's fault. This could also be a self-signed cert. Or the site's configured incorrectly. Or the site's been hacked. Or school is out and some junior in high school is intercepting your connection. Do you still trust SSL?" Chrome does a somewhat better job informing the user about what happened but then ruins it by painting everything red and placing that "Back to Safety" button on the page, which is ironic because the page you're fleeing back to safety to is likely not an SSL encrypted page.
A side note to GoDaddy: What the heck is up with that expiration timestamp? 6:32:47 PM Eastern time? Seriously? Couldn't you have at least cut them a break and rounded it up to 7 PM? I can see the discussion clearly in my mind with the finance people. "We need this PO cut because at 32 minutes, 48 seconds after the 18th hour of the day, we'll be down!"