No longer possible to distinguish trusting certificate always or just once
Categories: Firefox :: Security, defect
People: Reporter: mozilla, Unassigned
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Steps to reproduce:
- Visited an internal site with a self-signed certificate
Actual results:
There was no choice offered whether to trust the certificate just for this one session or for always
Expected results:
This choice should be offered.
Indeed, in some circumstances I might want to trust the certificate just once. Such as while just visiting the publicly visible parts of the site, and entering no confidential information anyways. However, the site might have forms accepting confidential information, and I might visit it at a later time and miss a warning, because the certificate is now trusted permanently.
In other circumstances, I might want to trust the certificate always from now on. Such as when due to various reasons a public certificate cannot be issued to the site (local network), but I have ways to verify the certificate offline (comparing fingerprints manually). In that case, I might not want to verify that fingerprint every time but only on first visit (or when certificate changes).
So this choice should definitively be offered.
Comment 1 • 4 years ago
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
Comment 2 • 4 years ago
This is an intentional simplification of the UI -- see bug 1492498. If you want a temporary exception, visit the site in Private Browsing mode (see bug 1540637). You can also access the old UI through the cumbersome process of finding the "Add Exception..." button in the Certificate Manager accessible through about:preferences#privacy.
Comment hidden (abuse-reviewed)
Comment 4 (Reporter) • 4 years ago
Indeed, deep down in the certificate manager, the old dialog can still be found... and as you say, the navigation to there is cumbersome. Care to explain again how making access to this checkbox intentionally cumbersome is a "simplification" of the UI?
Comment 5 (Reporter) • 4 years ago
Ok, so bug 1492498 names a setting, security.certerrors.permanentOverride, which allows making certificate exceptions always temporary, rather than always permanent. This is an improvement, but I'd rather prefer to have the option of "Ask every time", i.e. getting the checkbox back. Really, what was the harm in that checkbox? Are there really users who are overwhelmed by this simple yes/no choice?
Comment 6 (Reporter) • 4 years ago
Just noticed: some certificate exceptions are not stored in the certificate manager (accessible from Preferences->Privacy) but rather in a TRRBlacklist.txt test file. Even "temporary" ones! (This is the case when a site presents a certificate which has been issued for a different domain)