Since the site went live and our first ssl_error_bad_cert_domain error (note: I will be using the Firefox error message to identify most of these errors) was posted, we’ve been receiving emails, comments and IMs regarding this SSL error and why it isn’t a security issue, and how we shouldn’t be posting them. There may be some truth in that; so many sites throw this error that it’s not even funny. I was sent lists yesterday that contained financial institutions, vendors and others who all had this error.
Now, as a commenter mentioned, this is just a matter of two domains pointing to the same A record. For the record though, it doesn’t necessarily have to be the same A record, but more on that later. This issue was something I had in the back of my mind when I mentioned this concept to Marcin, and I’m really glad that people have picked up on it and mentioned it because I get to write this post already.
You see, I couldn’t care less if there are “no security implications” to the error message. Although I disagree with that, I believe it’s more accurate to say there are “no technical security implications”. My concern with this error message is user perception. The point that I wanted to make was just how plentiful these messages are in the latest round of browsers. However, it should be noted that Firefox is more lenient than IE7 and Chrome in some cases.
You can’t tell a user to “be wary” of SSL errors and know where they are going; there’s more to it than that. There are sites that may throw ssl_error_bad_cert_domain due to the cert containing or not containing ‘www’. There are, however, bigger errors that I’ve seen.
One of these errors may deserve its own discussion page, but instead we’ll discuss it here. The error can be seen on: reddit.com, westjet.com and others. The error message contains: The certificate is only valid for a248.e.akamai.net. Now anyone who’s reading this blog probably knows what Akamai is, but does your family know? Do your non-IT coworkers know? Does that person sitting across from you on transit know? Asking people to accept these is like opening the door to MitM. What happens when I MitM their connection and it asks them to accept a certificate that’s valid for loadbalance.mymaliciouswebsite.com? How does your average user know the difference?
So yes, to the technical this is a non-issue, but to the people using the computer every day who know nothing about how it operates, or why it works… this is an issue. We’re training users to click through. People argued this point on Vista (it also happens on Ubuntu and OS X), that people would just always click. If this is a valid argument for operating systems, then we should be worried about what this means for web browsing. I encounter more SSL error pages daily than I do UAC pop-ups from Vista.
For those of you saying that doesn’t affect the encrypted status of the traffic, I ask that you remember that that is only one side of SSL. The other is as a form of verification, to authenticate that the site you’re visiting is the site that it says it is. This is where my concern comes from; this is the issue that I have. I should not visit my online banking website and see The certificate is only valid for a248.e.akamai.net, but I know of at least one bank whose main website brings up that message.
So how do we fix this? I’ve also been asked this question already. I guess the answer for that depends on where you think the problem lies. The simplest answer is most likely user education, but we all know educating a user is easier to say than it is to do. So whose fault is it? Is it the fault of the browser for introducing all these “in your face” error messages? Is it the responsibility of the websites to purchase additional SSL certs to deal with these one-off cases? Should certificate vendors be more open with pricing and bundling? I don’t really know the answer but I think it’s something we need to start thinking about.
Possible Fixes:
- Browsers remove ssl_error_bad_cert_domain error for sites where stripping www. (or appending www.) leads to the domain identified in the certificate.
- Website Owners purchase appropriate certificates, purchasing wild card SSL certificates to accommodate sites with multiple associated domain names or buying multiple certificates when their websites span multiple TLDs/ccTLDs
- SSL Vendors provide greatly reduced rates to purchase certificates for multiple TLDs or decreased costs on wild card SSL certs (which interestingly enough don’t have a price on the Verisign Wildcard SSL page)
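
To make the distinction in the list above concrete, here is an added example (not part of the original post) that a site owner could use to sort name mismatches into the harmless “www” kind and the unrelated-name kind such as a248.e.akamai.net. The function names are hypothetical and every hostname other than reddit.com and a248.e.akamai.net is constructed sample data.

```python
# Added example: classify a hostname/certificate name mismatch.
# All function names here are hypothetical, not from any browser or library.

def _labels(name):
    # Normalise case and a trailing dot, then split into DNS labels.
    return name.strip().rstrip(".").lower().split(".")

def name_matches(pattern, host):
    """Match one certificate DNS name against a hostname.
    A wildcard is honoured only as the entire leftmost label and stands
    for exactly one label, so *.example.org does not cover example.org."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad wildcards such as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def www_variant(host):
    # The same site name with "www." stripped or prepended.
    host = ".".join(_labels(host))
    return host[4:] if host.startswith("www.") else "www." + host

def classify(host, cert_names):
    """Return 'match', 'www-variant' (the certificate only fits the
    www/non-www sibling) or 'unrelated' (it names something else)."""
    if any(name_matches(n, host) for n in cert_names):
        return "match"
    if any(name_matches(n, www_variant(host)) for n in cert_names):
        return "www-variant"
    return "unrelated"

# Constructed inventory: (hostname users type, DNS names in the served cert).
SAMPLE = [
    ("example.com", ["www.example.com"]),
    ("reddit.com", ["a248.e.akamai.net"]),   # pairing taken from the post
    ("shop.example.org", ["*.example.org"]),
    ("example.org", ["*.example.org"]),      # wildcard misses the bare domain
]

def audit(inventory):
    return {host: classify(host, names) for host, names in inventory}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{host:20} {verdict}")
```

The last sample row shows why a wildcard certificate alone does not fix the bare-domain case: the certificate also has to list the bare name.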
I can think of a few other fixes, and a couple of theories that I’m in the process of testing. I will incorporate updates to the list as I confirm my theories, but I also want people to suggest fixes in the comments.
So in the end, will you continue to see ssl_error_bad_cert_domain error images posted? Most likely; however, we will most likely stick to larger, popular sites, and please know that we’re only doing it in hopes that the website owner will resolve the problem. Not to fix any technical errors (although we’ll always post people with technical issues) but to prevent users from learning to quickly click through browser error messages.