HTTPS and SSL in practice
To the administrators of the Oxford Student Self Registration website,
When accessing https://www.studentsystem.ox.ac.uk/ for the first time, I was surprised to see Firefox claim that it uses an invalid security certificate. As somebody who does understand the risks involved, I was unwilling to simply blindly accept the certificate, and had a closer look.
It turns out that the signing authority of your certificate, known as "Cybertrust Educational CA", is not in Firefox's built-in list of trusted root certificates, and thus Firefox rightly rejects your certificate. I was able to locate this CA certificate; it is, in turn, signed by a CA known as "GTE Global Root", which is included in Firefox.
Please configure your server to supply the intermediate certificate, "Cybertrust Educational CA", to browsers. This is the correct procedure and the only way in which the site will be accepted by Mozilla browsers, and any other browsers with security policies that are, as they should be, similarly strict.
This newsgroup thread may be of interest: http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/dcad2183363667f1?pli=1
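The failure described above can be reproduced offline with a throwaway three-level chain, which makes clear that the fix belongs on the server, not in the browser. The script below is an added example and not part of the original letter; the CA names it uses are constructed stand-ins, and it assumes the `openssl` command-line tool is installed. A browser that ships only the root will reject the leaf on its own, and will accept it as soon as the intermediate travels alongside it.

```shell
#!/bin/sh
# Added example (not from the original letter): reproduce the "missing intermediate"
# problem with a locally generated root -> intermediate -> leaf chain.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build the chain. The root stands in for a root the browser already trusts (such as
# "GTE Global Root" in the letter); the intermediate stands in for the missing
# "Cybertrust Educational CA"; the leaf stands in for the web server's own certificate.
make_chain() {
    # Self-signed root CA; 'req -x509' marks it as a CA by default.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
        -out "$WORK/root.pem" -subj "/CN=Example Root CA" -days 365 2>/dev/null

    # Intermediate CA, signed by the root, with explicit CA extensions.
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" \
        -out "$WORK/inter.csr" -subj "/CN=Example Educational CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/inter.ext"
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -out "$WORK/inter.pem" -days 365 -extfile "$WORK/inter.ext" 2>/dev/null

    # Leaf (server) certificate, signed by the intermediate only.
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
        -out "$WORK/leaf.csr" -subj "/CN=www.example.test" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -out "$WORK/leaf.pem" -days 365 -extfile "$WORK/leaf.ext" 2>/dev/null
}

# What a browser does when the server sends only its own certificate: it holds the
# root, has never seen the intermediate, and cannot close the chain. Returns non-zero.
verify_without_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# What happens when the server also supplies the intermediate: the browser treats it
# as untrusted input, checks its signature against the root, and the chain closes.
verify_with_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

make_chain
if verify_without_intermediate; then
    echo "unexpected: leaf verified without the intermediate"
else
    echo "leaf alone is rejected (this is the warning Firefox shows)"
fi
if verify_with_intermediate; then
    echo "leaf plus intermediate verifies against the root"
fi
```

To check what a live server actually sends, `openssl s_client -connect host:443 -servername host -showcerts` prints every certificate in the handshake; a chain that lists only the leaf has the same problem as the letter describes, and the remedy is to append the intermediate to the certificate file the web server serves.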
Allow me to explain why I feel this is important: by using an apparently invalid security certificate, especially on a website students must use, you are requiring students to simply trust an unknown certificate in good faith, in effect training them not to take these security warnings seriously. While it is true that in this case, it was possible to verify the certificate manually, most students will probably never possess the necessary expertise - why should they? - and instead "learn" to treat computer security with an attitude that leaves the door wide open for fraudulent sites and man-in-the-middle attacks.
Coming from an educational institution, this is particularly worrying.
Yours faithfully,
Thomas Jollans
PS: The contact form I'm using submits the email over an unencrypted connection, even when this website is being accessed over a secure connection. This might also be worth changing.
Addendum: I just sent this letter to Oxford University Computing Services (OUCS) using their so-called suggestions form. Perhaps not the best place, but of those potential addressees I could find this was the one where I felt most confident that my message would end up in the right place. This whole episode reminded me of, and indeed my writing this letter was perhaps inspired by, a blog post by my cousin Leon about a month ago, concerning a similarly problematic attitude at the University of Greenwich.
