Closed Bug 1334048 Opened 7 years ago Closed 7 years ago

provide a HSTS override for developers

Categories

(Core :: Security: PSM, defect)

38 Branch
defect
Not set
normal

Tracking

()

RESOLVED INCOMPLETE

People

(Reporter: hauser, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.6.0
Build ID: 20160127010451

Steps to reproduce:

I got
<<lab.mydom.tld:8443 uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The certificate is only valid for the following names: www-dev.mydom.tld, ocsp-dev.mydom.tld, crl-dev.mydom.tld, ldap-dev.mydom.tld, smtp-dev.mydom.tld, pop-dev.mydom.tld, ... (Error code: sec_error_unknown_issuer) >>


bug 800882#c27 ff. explains why there should not be "user recourse"


Actual results:

I could not access the site with "Strict-Transport-Security" response header.


Expected results:

There should be a developer override! 

bug 800882#c29 explains why: "dictating ... and denying even advanced users the volition and self-determination that they should have"

Adding an exception would be viable and approx. be in line with the "certificate pinning" principles.

The alternatives this forces advanced users into might well be worse: 
1) you force them to mark their hodge-podge issuing ca for tests (whose private key they don't protect in any reasonable way) as universally trusted in FireFox. So if anybody gets hold of that private key, not only the test site, but any site visited by the UA is potentially compromised
2) Firefox is not implementing it properly anyway: If I access the site via numeric IP addresses, all the fuzz about hostname mismatch and unknown issuer all of a sudden no longer matters and I can get there ?!?

So, I am fine if there are some extra steps like: in "about:config" add a property that I want to override HSTS (possibly with an IP-Range or mnemonic domain name of my development system in order not to open the door to widely)... until the "Add Exception" button appears again
Component: Untriaged → Security: PSM
Product: Firefox → Core
If you open up the full history window (History -> Show All History), find an entry for lab.mydom.tld, right-click on it, and then click "Forget About This Site", does it work as expected?
Flags: needinfo?(hauser)
no, there is one less line in "History" - "Today" after clicking "Forget..." but when trying to access lab.mydom.tld , immediately, the same error appears again.
Assuming the domain you're visiting isn't literally "lab.mydom.tld", is the domain on the HSTS preload list? ( https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/nsSTSPreloadList.inc <- warning, takes a while to load)
No, it is not on the list, it isn't in public DNS either.
It is a local lab machine and I just put the "lab.mydom.tld" for it's 192.168... IP into the debian stable "/etc/hosts"
If you create a completely new profile and visit the site, do you see the HSTS error the first time you connect?
from a different workstation, it works
What version of Firefox are you using? (Looks like 38 from comment 0?) If you try with a more recent version, does the method in comment 1 work?
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
Also with 55.0.2 (64-Bit) windows, "Forget..." doesn't work
Flags: needinfo?(hauser)
You need to log in before you can comment on or make changes to this bug.