Imagine your bank's certificate says that they run their web site. If one day the certificate changes to a self-signed one, you have clear evidence of a man in the middle attack.
What should the browser do in this situation? Someone pointed out that an HTTPS connection with an unknown self-signed certificate identifies the site just as well as a plain HTTP connection, suggesting that we should treat both connections as equally insecure: so simply hide the yellow bar.
please, don't try to tell me that users look at the yellow bar
Lets imagine a user who never expects the yellow bar. In the example above, when there is strong evidence of a man in the middle attack, the only warning the user gets is that a UI element which they don't notice is unexpectedly hidden.
You really want to warn the user in this situation, so Firefox gives them a big error message and makes them take positive action (adding the unverified, possibly malicious, certificate to their list of fully trusted root certificates) before they can get past it. That is fair enough.
But then there is the kicker. The browser can only tell that a certificate has changed if it has already recorded the old one. It can't distinguish between a site which has always had a self-signed certificate and one which just happens to have one today, unless it recorded the certificate yesterday. So it treats both as man in the middle attacks, which explains why Firefox will always give you a warning about unverified certificates until you verify them yourself.
Sure, but couldn't the man in the middle just as easily provide a non-SSL server? Or are you assuming that the user is accessing a bookmarked https:// url (in which case the browser should already know the correct certificate)?
What should the browser do in this situation? Someone pointed out that an HTTPS connection with an unknown self-signed certificate identifies the site just as well as a plain HTTP connection, suggesting that we should treat both connections as equally insecure: so simply hide the yellow bar.
Lets imagine a user who never expects the yellow bar. In the example above, when there is strong evidence of a man in the middle attack, the only warning the user gets is that a UI element which they don't notice is unexpectedly hidden.You really want to warn the user in this situation, so Firefox gives them a big error message and makes them take positive action (adding the unverified, possibly malicious, certificate to their list of fully trusted root certificates) before they can get past it. That is fair enough.
But then there is the kicker. The browser can only tell that a certificate has changed if it has already recorded the old one. It can't distinguish between a site which has always had a self-signed certificate and one which just happens to have one today, unless it recorded the certificate yesterday. So it treats both as man in the middle attacks, which explains why Firefox will always give you a warning about unverified certificates until you verify them yourself.