GNOME Bugzilla – Bug 368155
Certificate selection dialog needs efficiency improvements
Last modified: 2009-01-22 00:06:00 UTC
Epiphany's defaults for SSL certificate authentication differ from Firefox 1.5's "security.default_personal_cert" setting (Epiphany defaults to "Ask Every Time" while Firefox defaults to "Select Automatically"). This has the effect of making Epiphany prompt the user with a "Select a certificate to identify yourself" dialog every time a cert-auth demanding request is made. Using a service which demands such authentication (typically company intranet applications) becomes a chore of re-choosing the cert many, many times over a typical session, thus violating the second attribute of usability (efficiency: http://www.useit.com/alertbox/20030825.html). This happens even if the user's certificate store only has one personal certificate to select from: in this case the dialog still focuses on the popup menu (with one choice available), and keyboard navigation to the "OK" button requires multiple keypresses, further worsening the problem.
A couple of alternative suggestions:
1. Switch back to the old (and Firefox) default of "Select Automatically". I'm not familiar with the justifications for changing this default originally, but it probably has to do with some kind of privacy issue of automatically sending strong user id to a web site, so the choice should be balanced according to those justifications.
2. Make Epiphany remember the first selection made by the user, either automatically or via a "remember this choice" checkbox in the dialog. In either case, Epiphany should remember the choice over a single session unless the web site rejects the certificate authentication.
3. Introduce an auto-assist that permits the user to change the default setting for all sites.
The first would probably be the least amount of work, while the second might be the strongest balance between usability and security.
The problem was that without this pref, there is not any place in Epiphany to select which cert to automatically select when you have more than one. The frequent reselection is probably due to the server having a short SSL timeout; see Mozilla bug https://bugzilla.mozilla.org/show_bug.cgi?id=149673 . Also, it is impossible to remember the selection for a website, because the interface this prompt comes from doesn't deliver that information :( We should implement your suggestion 2) for 2.18, at least. 3) probably needs an improvement to the prompt interface, so is probably 2.20 at the earliest.
From a light reading of the Mozilla bug you referred to, it seems the "Select Automatically" picks a certificate issued by the same authority as used by the web site. This works wonderfully when the authority is a private one, and no further preferences would be required. Not so obviously correct if for instance you have a Thawte personal cert and a public site requiring authentication would have a Thawte issued web cert, though... But that's going to the justifications of the original change, and thus a different issue, I think. Thanks for your input. I'll look into whether our server is indeed configured for too short ssl sessions...
I am getting this message once or twice most times I load a page on the gridsite site I am using. Seems like the timeout is about 30 seconds (if I reload quicker than that I don't get the dialog). Setting security.default_personal_cert to Select Automatically stops it asking. It would be nice to have an option somewhere for this.
OBSOLETE now that we don't have a mozilla backend anymore.