Closed
Bug 1334048
Opened 8 years ago
Closed 8 years ago
provide a HSTS override for developers
Categories
(Core :: Security: PSM, defect)
Tracking
()
RESOLVED
INCOMPLETE
People
(Reporter: hauser, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.6.0 Build ID: 20160127010451 Steps to reproduce: I got <<lab.mydom.tld:8443 uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The certificate is only valid for the following names: www-dev.mydom.tld, ocsp-dev.mydom.tld, crl-dev.mydom.tld, ldap-dev.mydom.tld, smtp-dev.mydom.tld, pop-dev.mydom.tld, ... (Error code: sec_error_unknown_issuer) >> bug 800882#c27 ff. explains why there should not be "user recourse" Actual results: I could not access the site with "Strict-Transport-Security" response header. Expected results: There should be a developer override! bug 800882#c29 explains why: "dictating ... and denying even advanced users the volition and self-determination that they should have" Adding an exception would be viable and approx. be in line with the "certificate pinning" principles. The alternatives this forces advanced users into might well be worse: 1) you force them to mark their hodge-podge issuing ca for tests (whose private key they don't protect in any reasonable way) as universally trusted in FireFox. So if anybody gets hold of that private key, not only the test site, but any site visited by the UA is potentially compromised 2) Firefox is not implementing it properly anyway: If I access the site via numeric IP addresses, all the fuzz about hostname mismatch and unknown issuer all of a sudden no longer matters and I can get there ?!? So, I am fine if there are some extra steps like: in "about:config" add a property that I want to override HSTS (possibly with an IP-Range or mnemonic domain name of my development system in order not to open the door to widely)... until the "Add Exception" button appears again
|
||
Updated•8 years ago
|
Component: Untriaged → Security: PSM
Product: Firefox → Core
|
||
Comment 1•8 years ago
|
||
If you open up the full history window (History -> Show All History), find an entry for lab.mydom.tld, right-click on it, and then click "Forget About This Site", does it work as expected?
Flags: needinfo?(hauser)
|
Reporter | |
Comment 2•8 years ago
|
||
no, there is one less line in "History" - "Today" after clicking "Forget..." but when trying to access lab.mydom.tld , immediately, the same error appears again.
|
|
||
Comment 3•8 years ago
|
||
Assuming the domain you're visiting isn't literally "lab.mydom.tld", is the domain on the HSTS preload list? ( https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/nsSTSPreloadList.inc <- warning, takes a while to load)
|
|
Reporter | |
Comment 4•8 years ago
|
||
No, it is not on the list, it isn't in public DNS either. It is a local lab machine and I just put the "lab.mydom.tld" for it's 192.168... IP into the debian stable "/etc/hosts"
|
|
||
Comment 5•8 years ago
|
||
If you create a completely new profile and visit the site, do you see the HSTS error the first time you connect?
|
|
||
Comment 7•8 years ago
|
||
What version of Firefox are you using? (Looks like 38 from comment 0?) If you try with a more recent version, does the method in comment 1 work?
|
|
||
Updated•8 years ago
|
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
|
|
Reporter | |
Comment 8•7 years ago
|
||
Also with 55.0.2 (64-Bit) windows, "Forget..." doesn't work
Flags: needinfo?(hauser)
You need to log in
before you can comment on or make changes to this bug.
Description
•