1436292 - Access to local development sistes has stopped

Status: RESOLVED INVALID

(Core :: Security, enhancement)

Description

[mark.richards]

What feature should be changed? Please provide the URL of the feature if possible.
==================================================================================
Since allowing Firefox Developer to update itself this morning, I cannot access any of my development sites on my local test server. Of course none of the sites have security certificates etc. Every time I try to access a Dev site, such as clq.dev or cliqon.dev, Firefox insists on turning the URL into secure, eg https://clq.dev. 

Playing around with "insecure" settings in about:config achieves nothing. 

As Chrome Canary and Vivaldi are working perfectly, I shall use them until you fix this problem.

So please, no suggestions about Hosts and DNS or Google. This working well yesterday and is broken this morning.

What problems would this solve?
===============================
I would be able to use Firefox

Who would use this?
===================
Everyone in the same position as me

What would users see?
=====================
Their web sites!

What would users do? What would happen as a result?
===================================================
Clap

Is there anything else we should know?
======================================

Comment 1

[John Whitlock [:jwhitlock]]

What version of Firefox are you using?

It may also be useful to see the headers returned by your server. This may work in Powershell:

curl -I http://clq.dev

Comment 2

[mark.richards]

Attachment: Showing Firefox Developer options

You will see that start or home page(s) includes http://clq.dev, not https://clq.dev.

Comment 3

[mark.richards]

Attachment: How Firefox Developer converts url whilst others do not

As you can see from attached Snip, Firefox Dev. since this morning has started converting the URL from http:// to https://. Alternatives such as Vivaldi and Chrome Canary do not so website displays!

Comment 4

[mark.richards]

I hope that these two attachments will demonstrate the problem. The local development webserver is Apache2.4.7, running on Centos 6 with PHP 5.6.

As I said previously, I googled problem and your Forum from some months ago recommended looking at security.insecure_field_warning.contextual.enabled;false

I have fiddled with Booleans, so they may be currently wrong but I had made no changes overnight.

Comment 5

[[:philipp]]

https://ma.ttias.be/chrome-force-dev-domains-https-via-preloaded-hsts/
https://medium.engineering/use-a-dev-domain-not-anymore-95219778e6fd

Comment 6

[Dana Keeler (she/her) [:keeler]]

I'm surprised Chrome Canary works. What version are you using?

Comment 7

[mark.richards]

Having worked in almost every aspect of IT during my working life, most latterly as a web programmer, there are activities in IT and language that goes with it. As the days have progressed since the end of last week, the full ramifications of the situation that I found myself reporting to you, have become more clear. 

This definitely counts as an RTFM error, or to be more precise, as a Read The F*** News. As web programmers, we have been told for years to prepare for the days when the issue of Secure Web Sites would come and bite us in the derriere and that it has now happened, I suppose we cannot complain about. 

If I develop web sites that must be used with HTTPS:// then I must expect that my DEV sites must be secure as well. Whether I like it or not, if I do choose to use the .DEV extension owned by Google, I can hardly complain at you (Mozilla) if you add their requirement that all DEV sites must be secure, to the list of sites and extensions requiring that sort of treatment. 

This closes one bug and opens up a feature request.

One of the prime reasons that impecunious programmers (some of us do it for love not money, eg opensource as in my case) do not get too involved in Certificates, is that proper Certificates cost a lot of money. Many years ago, I had discovered CaCert at cacert.org. They can provide the solution to the problem at zero cost. Unfortunately their Root Certificate or CaCert as an organisation are not "trusted" by Mozilla. Yes I can do that locally in my web browser(s) but that is not the real solution.

So my request is: What are the steps and issues involved in getting CaCert included in the list of approved and pre-installed certificates?

Clearly I also need to contact the Committee of CaCert and discuss this rapid change of events with them.

p.s.Chrome Canary had not updated itself as at Friday morning, it has now!!

Comment 8

[Dana Keeler (she/her) [:keeler]]

CaCert hasn't completed the process to be included in Mozilla's Root CA program, and at this point I think it's unlikely it will (inclusion involves a number of processes that I don't think they're interested in investing in). Here's some more information about Mozilla's Root CA program: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
You can import the CaCert root yourself for your own profile: about:preferences -> search for "certificates" -> "view certificates" -> "authorities" -> "import".

Here are some other options you have:

* Use .test instead of .dev (might involve lots of search/replace, but probably best in the long run)
* Some CAs offer free certificates nowadays:
  * Let's Encrypt: https://letsencrypt.org/
  * Comodo: https://ssl.comodo.com/free-ssl-certificate.php
  (some others offer free 30-day trials, which might work for your needs, depending)
* You can create your own CA certificate, import it in Firefox/Chrome, and use that to create web site certificates (this is a lot more involved - let me know if you want more details on this)