I’m trying to be hyperbolic today.

So I’ve been spinning my wheels trying to get Firefox 3 to work with Selenium.  But why not use Selenium with IE or a custom browser or Firefox with a custom profile?

Well, because Selenium doesn’t work with IE8.  Although IE8 does allow you permanently add self-signed certs.  It appears to have a javascript error based on the popup blocker:

http://clearspace.openqa.org/message/68291

http://clearspace.openqa.org/message/69194

And Selenium doesn’t work with *custom.  Not Selenium 1.0.1, not on Vista.  Sadly, there’s nothing in the trace about what’s going on.

Granted, it’s an open source project, and jhuggins is sick of working on it, and nobody has stepped up.  But things like popup blockers and ssl-cert blockers are a real issue.  Where there’s a will, there’s a way.  But the way might have to be to use COM.  Which means WATI*.

It looks like the IE8 issue is because Vista needs you to run as adminstrator.

http://clearspace.openqa.org/thread/19335

There must be a million posts on the internet (and no doubt some scrawled in frustration on bathroom walls) about Firefox 3 and it’s broken handling of SSL certificates.

https://support.mozilla.com/tiki-view_forum_thread.php?comments_parentId=158991&forumId=1

Commentary  is as numerous as complaints.  Though there’s little in the way of action.

http://www.freesoftwaremagazine.com/columns/self_signed_certificates_and_firefox_3_possible_solution

http://www.cs.uml.edu/~ntuck/mozilla/

http://www.gerv.net/security/self-signed-certs/

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1326622,00.html

http://www.0xdeadbeef.com/weblog/?p=521

http://www.pcworld.com/businesscenter/article/150215/debating_the_firefox_ssl_certificate.html

In particular, self-signed certificates have 2 issues.

One is just a really bad UI design based on a misunderstanding by the folks at Firefox (RIP Mozilla) of what:

1. SSL is used for and
2. a certificate authority does.

That issue is that Firefox actually blocks people from visiting sites they want to visit in a misguided attempt at protecting them from themselves.  Their theory is that if it is theoretically possible for someone to intercept internet communication (it hasn’t been done in real life yet), adding several buttons saying “beware”, “warning”, and “go away” will stop people from wanting to visit sites on the internet that haven’t paid a company $20 to join the “safe companies on the internet” club.

Note to Firefox: Anyone who goes to the effort to intercept internet communications is willing to spend $20 to join that club.  They’re shooting for a minimum gross income of at least $21 anyway to make it worth their while.

Firefox doesn’t realize that the real reason people want to use SSL is to protect their communication on the internet.  They trust the source, they want to give them money (or information) and don’t want anybody snooping inbetween.  They want encryption, and they want host verification.  They don’t really care about the Verisign logo (which is actually extra now) in the corner of the browser.

But since back in 1995 (before the IPO), the only income Netscape could get was from a little startup (with government backing) who thought they could create a brand of the “safe internet club” and sell it to businesses wanting to “get online” and their plan was to put their logo in the browser.   So because pre-IPO Netscape got government money channeled through a would-be entrepreneur bereaucrat (who was beat by a solo programmer from South Africa who used their monopoly buy-out money to go to Space) we have Firefox 3’s horrible UI for “beware of the non internet safe club website”

PS.  self-signed certs are most definitely proof that the host is who they say they are.  You can’t go phishing by showing your ID.  The real issue is with DNS.

But enough about their deliberately bad UI.  Microsoft’s is little better.  That’s just to show a potential motive for why they’ve ignored the real problem for years.

“Permanently store this exception” seems to be temporary

Firefox 2 just had a popup warning. There was a byzantine and obscure way to actually bypass their silly marketing scheme disguised as warnings, but Firefox 3 has been broken since day 1, as far as I can tell.  Firefox 3 actually avoids the popup (for some strange reason — not enough XUL, I guess) and it’s easier to find a way to turn of their Verisign spam (which is kind of pointless for the internal networks it troubles most), but the problem is that when you check “Permanently store this exception” — it doesn’t.

It’s a lie and they know it.  They pretend it isn’t an issue, they try to scare ignorant people that the world will end if they use a self-signed cert, or they try to change the subject.

http://blog.johnath.com/2008/08/05/ssl-question-corner/

I believe many of them just don’t understand the issue, don’t understand what SSL is for and how it works, and are just too lazy to try to reproduce it.  But you can’t really deny it when there is a third party extension published on your own website that actually tries to fix the bug:

Remember Certificate Exception

Of course, my additional problem (and the cause for this rant) is that the Remember Certificate Extension doesn’t work with Selenium.  You can’t automate around the problem.  Firefox 3 is dead in the water for SSL in testing environments (where you almost always have to self-sign — or use an “untrusted” verifier for your certs.)

And what’s more, Firefox won’t let you download Firefox 2.