1092243 - adding a certificate exception via the certificate manager makes it look like it's possible to do so for HSTS sites

Status: NEW

(Core :: Security: PSM, defect, P3)

Description

[Dana Keeler (she/her) (use needinfo) [:keeler]]

If a site is HSTS, we don't allow an override if a user encounters a certificate verification error when visiting it. However, it's still possible to make it look like an override has been added by using the certificate manager (about:preferences -> advanced -> view certificates -> servers -> add exception). This is probably a bit confusing to users since adding an exception that way won't do anything (i.e. if they then try to visit that site, they'll still see the certificate error page that lacks the option to add an override).

Comment 1

[Ralf Hauser]

Attachment: exceptionAdded.png show that the work around doesn't help :(

Comment 2

[Ralf Hauser]

Attachment: hstsError.png still appears

Comment 3

[Ralf Hauser]

so, what can I do?

And what's the reasoning for not allowing an exception for power users to begin with???

Comment 4

[Ralf Hauser]

see also Bug 1119778 and Bug 902884

Comment 6

[Paul Rubin]

Adding exceptions should be allowed, at least through a manual dialog.  This is becoming a considerable pain for those of us who have removed startssl/wosign from the trusted root store.  For example, https://wiki.python.org uses a startcom certificate and HSTS.  So it's now impossible to view that site AFAICT without re-trusting startssl, even to look at public wiki pages.  The user should be allowed to decide whether to override HSTS using their knowledge of the content semantics of the page they want to visit.  If it's a page they'd be willing to visit with regular HTTP then they should be able to accept the untrusted certificate.

Comment 7

[Ralf Hauser]

see also Bug 1381462

Comment 8

[passwd]

This is really annoying bug, I want to control my browser and I can't add exception with HSTS.
So sad.