Closed
Bug 1477068
Opened 6 years ago
Closed 6 years ago
Firefox prioritises wishes of websites over wishes of users (no certificate exceptions with HSTS)
Categories
(Core :: Security: PSM, defect)
RESOLVED
WONTFIX
People
(Reporter: nljlistbox, Unassigned)
Attachments
(1 file)
7.80 KB,
text/plain
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180710113653

Steps to reproduce:

1. Connected to a public WiFi network (with Network Manager)
2. Tried to open (or refresh) a webpage.

Actual results:

1. The public WiFi tries to redirect to their login page.
2. The public WiFi has HSTS enabled but there is an SSL_ERROR_BAD_CERT_DOMAIN due to a mismatch between the public WiFi login page domain (starbucks.ca) and the certificate domain (datavalet.io, the service provider).
3. Firefox displays the following information:
"www.starbucks.ca uses an invalid security certificate. The certificate is only valid for the following names: secure.datavalet.io, www.secure.datavalet.io Error code: SSL_ERROR_BAD_CERT_DOMAIN"
Also displayed is this information, which is the crux of the matter:
"This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate."
4. There is no button displayed for the user to add an exception for the certificate. (In other words, Firefox thwarts the user's desire to add an exception for the certificate just because the page has requested HSTS.)

Expected results:

1. to 3. as above (except for the improbable assertion that it is "not possible" to add an exception for the certificate). Then:
- Firefox presents me with a button to accept the certificate.
- I press the button to accept the certificate.
- The redirection to the public WiFi login page succeeds so that I can log in to it.
There are any number of ways to misconfigure a server. This happens to be one of them. The problem with allowing exceptions in cases like this is that an attack is indistinguishable from a misconfiguration and allowing an exception would defeat the purpose of HSTS.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
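The behaviour described in the reply above, sketched as an added example (not Firefox's code and not part of the original bug thread): a known-HSTS-host lookup following RFC 6797 plus a certificate name check, which together decide whether the error page may offer an exception. The stored max-age, the timestamps, the `example.test` host and the assumption that www.starbucks.ca set HSTS on an earlier error-free visit are constructed for illustration.

```javascript
// Added illustration of RFC 6797 behaviour; not Firefox/PSM source code.
class HstsStore {
  constructor() { this.entries = new Map(); } // host -> { expires, includeSubDomains }
  // Record a Strict-Transport-Security header from an error-free HTTPS response.
  note(host, headerValue, nowMs) {
    let maxAge = null, includeSubDomains = false;
    for (const part of headerValue.split(';')) {
      const [name, value = ''] = part.trim().split('=');
      if (name.toLowerCase() === 'max-age') maxAge = parseInt(value.replace(/"/g, ''), 10);
      if (name.toLowerCase() === 'includesubdomains') includeSubDomains = true;
    }
    if (maxAge === null || Number.isNaN(maxAge)) return; // max-age is mandatory
    if (maxAge === 0) this.entries.delete(host.toLowerCase()); // max-age=0 drops the policy
    else this.entries.set(host.toLowerCase(), { expires: nowMs + maxAge * 1000, includeSubDomains });
  }
  // Known HSTS host: exact match, or a parent domain that set includeSubDomains.
  isHstsHost(host, nowMs) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const e = this.entries.get(labels.slice(i).join('.'));
      if (e && e.expires > nowMs && (i === 0 || e.includeSubDomains)) return true;
    }
    return false;
  }
}

// Certificate name check; a wildcard covers exactly one leftmost label.
function nameMatches(pattern, host) {
  const p = pattern.toLowerCase().split('.'), h = host.toLowerCase().split('.');
  return p.length === h.length && p.every((l, i) => l === h[i] || (i === 0 && l === '*'));
}

// What the error page may offer for a connection to `host`.
function evaluate(host, certNames, store, nowMs) {
  if (certNames.some((n) => nameMatches(n, host))) return { error: null, canOverride: false };
  return { error: 'SSL_ERROR_BAD_CERT_DOMAIN', canOverride: !store.isHstsHost(host, nowMs) };
}

// Constructed scenario mirroring the report; max-age, dates and example.test are made up.
function demo() {
  const store = new HstsStore();
  const t0 = Date.UTC(2018, 6, 1);
  store.note('www.starbucks.ca', 'max-age=31536000; includeSubDomains', t0); // earlier clean visit
  const portalCert = ['secure.datavalet.io', 'www.secure.datavalet.io'];
  const later = t0 + 20 * 86400 * 1000;
  return { hsts: evaluate('www.starbucks.ca', portalCert, store, later),
           noHsts: evaluate('example.test', portalCert, store, later) };
}
```

The same name mismatch yields an overridable error for a host with no stored policy and a hard failure for a known HSTS host, which is why an intercepting captive portal and an attacker look identical at this point.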
Comment 2 (Reporter) • 6 years ago
Only the user can decide how much security they need (if any) for a particular transaction on the Internet. STS is supposed to benefit Web users, not control them. While more and tighter security checks are very welcome in a browser, a paternalistic attitude that would deny the user the ability to bypass those checks (should they choose to do so) is not. Restricting the user's freedom in the name of their security is a very slippery slope. Better to grant them responsibility and let them take the consequences should they choose to exercise it.