Bug 1263997 (Closed) - Opened 9 years ago, closed 9 years ago

HSTS errors must be overridable

Product/Component: Core :: Security: PSM
Type: defect
Version: 45 Branch
Severity: normal
Status: RESOLVED INVALID
Reporter: BenWiederhake.GitHub
Assignee: Unassigned

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160318172635

Steps to reproduce:

Visit a site with an overly aggressive HTTP Strict Transport Security policy, that does not actually apply to all content for the domain. (Text taken from https://bugzilla.mozilla.org/show_bug.cgi?id=1089473#c0 , but the intended aspect of this ticket will be different.)

In my case, I stumbled upon https://www.xfce.org and https://git.xfce.org, which "only" has a certificate for xfce.org and wiki.xfce.org. After the initial "Yeah, add an exception for this site" dialog, I got locked out a bit later, with the HSTS error popping up. (In this case, it probably should have been clever enough to notice that HSTS is not going to work, but that's a different ticket.)

Also, the bugs #1216735, #1123971, #1171203, #648186 can be seen as further motivation. All these are cases where HSTS is "in the way". The "obvious" way to reset this bit currently doesn't work: #1119778 and #1123971

Thus, please re-add the "add exception" dialog for HSTS errors.

Actual results:

Firefox displays an error message about HTTPS, HSTS, and the implications of the current situation. However, there is absolutely no way to resolve this issue. Even though I know the current issue and understand the implications of wanting to ignore HSTS, there's no easy way to get through. Instead, the error message spends four lines [killing the dancing pig](https://en.wikipedia.org/wiki/Dancing_pigs).

Manual workaround: After every single page load:
- close the tab
- close Firefox
- edit SiteSecurityServiceState.txt to remove lines about xfce.org
- open the destination tab

This is obviously bad.

Expected results:

Firefox displays an error message about HTTPS, HSTS, and the implications of the current situation. There should be a button/dialog/interaction so that I can tell Firefox that "yeah, I know that all security is lost after this point, but I really want to see that website". Maybe add the concept of "HSTS exceptions" just like there already are HTTPS exceptions?
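The root cause described in the report is a policy/certificate mismatch: an HSTS header with includeSubDomains sent by a domain whose certificate covers only some of its hosts, so browsers refuse (by design) to let users through to the others. A site operator can catch that before deploying the header. The following Python is an added example, not code from this bug or from Mozilla; the header value, host list and certificate SAN list are constructed to mirror the xfce.org situation the reporter describes.

```python
# Added example: check whether an HSTS policy would lock users out of
# hosts that the deployed certificate does not actually cover.

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives

def san_matches(san, host):
    """Match a certificate SAN (optionally a single-label wildcard) against a host."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        # A wildcard covers exactly one label: *.xfce.org matches www.xfce.org,
        # but not xfce.org itself and not a.b.xfce.org.
        return host.endswith(san[1:]) and host.count(".") == san.count(".")
    return san == host

def hsts_coverage_gaps(domain, hsts_header, hostnames, cert_sans):
    """Return which hosts the policy binds and which of those the cert misses."""
    d = parse_hsts(hsts_header)
    if "max-age" not in d:          # max-age is mandatory; without it the header is ignored
        return {"valid": False, "affected": [], "uncovered": []}
    include_sub = "includesubdomains" in d
    affected = [h for h in hostnames
                if h == domain or (include_sub and h.endswith("." + domain))]
    uncovered = [h for h in affected
                 if not any(san_matches(s, h) for s in cert_sans)]
    return {"valid": True, "affected": affected, "uncovered": uncovered}

# Constructed sample data (not captured from xfce.org): the certificate covers
# only the apex and wiki host, while the policy claims every subdomain.
DOMAIN = "xfce.org"
HSTS_HEADER = "max-age=31536000; includeSubDomains"
HOSTS = ["xfce.org", "wiki.xfce.org", "www.xfce.org", "git.xfce.org"]
CERT_SANS = ["xfce.org", "wiki.xfce.org"]

if __name__ == "__main__":
    result = hsts_coverage_gaps(DOMAIN, HSTS_HEADER, HOSTS, CERT_SANS)
    for host in result["uncovered"]:
        print(f"{host}: bound by HSTS but not covered by the certificate")
```

Hosts listed as uncovered are exactly those where users will hit the non-overridable HSTS error page; dropping includeSubDomains, or extending the certificate (a wildcard SAN or per-host SANs) before the policy is sent, removes the gap.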
Component: Untriaged → Networking: HTTP
Product: Firefox → Core
Pretty sure this is by design, but if webcompat is different we should take that into consideration.
Component: Networking: HTTP → Security: PSM
In a non-normative section, the specification recommends that HSTS not be overridable: https://tools.ietf.org/html/rfc6797#section-12.1 As far as I know, all implementations follow this recommendation (I just double-checked Chrome). It is unlikely that this behavior will change in Firefox.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
For me, Chrome (as of 54.0.2840.71) allows proceeding to the insecure site via "Proceed to the domain.name (unsafe)" link in the advanced section of the error page (I couldn't find the ticket where they changed that, though). Our IT has just recommended the whole company to switch to Chrome while they are trying to get the certificate renewed...
I may have spoken too soon about Chrome, since it does _not_ allow the override on some of my colleagues machines (perhaps it depends on how recent the last visit to the site with HSTS was?). Looks like the situation is symmetric: Firefox users can switch to Chrome to access the problematic site, while Chrome users can switch to Firefox.