Open Bug 1678286 Opened 2 months ago Updated 3 days ago

Bypassing HTTPS-only mode is not available in certain situations

Categories

(Core :: DOM: Security, defect)

Firefox 83
defect

Tracking

()

UNCONFIRMED

People

(Reporter: saul.kredi, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0

Steps to reproduce:

  • Enable HTTPS-only mode.
  • Go to website using service as Cloudflare but not supporting HTTPS in the end host.
  • Try to bypass HTTPS-only mode.

Actual results:

Getting Cloudflare 521 error ("Web server is down"), without any option to bypass the HTTPS-only mode for this website, because FF think HTTPS is working.

Expected results:

Should be able to bypass HTTPS-only mode in any situation.

Hey Saul,
I tried reproducing this issue on the latest versions of Firefox Nightly 85.0a1 (2020-11-24), beta 84.0b4 and release 83.0 on seo.com and storify.com though I am not sure these sites fit the criteria (they do use cloudflare). Can you give us an example of site where this issue is encountered?

Can you test the issue while in Safe Mode? You can find helpful info here : https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode .
Also a fresh new profile could help. You can find more about creating a new profile here : https://support.mozilla.org/en-US/kb/troubleshoot-and-diagnose-firefox-problems#w_6-create-a-new-firefox-profile .
If possible, you can test this issue on the nightly build as well. Download the build from : https://www.mozilla.org/en-US/firefox/nightly/all/ .

Flags: needinfo?(saul.kredi)

(In reply to Andrei Purice from comment #1)

Hey Saul,
I tried reproducing this issue on the latest versions of Firefox Nightly 85.0a1 (2020-11-24), beta 84.0b4 and release 83.0 on seo.com and storify.com though I am not sure these sites fit the criteria (they do use cloudflare). Can you give us an example of site where this issue is encountered?

Can you test the issue while in Safe Mode? You can find helpful info here : https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode .
Also a fresh new profile could help. You can find more about creating a new profile here : https://support.mozilla.org/en-US/kb/troubleshoot-and-diagnose-firefox-problems#w_6-create-a-new-firefox-profile .
If possible, you can test this issue on the nightly build as well. Download the build from : https://www.mozilla.org/en-US/firefox/nightly/all/ .

Hi Andrei,

I can't share this specific website, but I'm trying to find others that have this issue.

Anyway I figured out that I can see the HTTPS-only mode select box (see new attached image) only when trying to go to HTTP page that have been upgraded to HTTPS, and I think this is a problem and this select box should be appear always.

But now there is a new problem, as you can see even when HTTPS-only mode turned off for this website, it's still being upgrade to HTTPS. Only when I'm turning of the HTTPS-only mode from preferences, this page stop being upgraded to HTTPS. Why?

These problems exits also in safe mode, fresh profile and nightly build.

Thanks.

Flags: needinfo?(saul.kredi)

Setting a component for this issue in order to get the dev team involved.
If you feel it's an incorrect one please feel free to change it to a more appropriate one.

Component: Untriaged → Networking: HTTP
Product: Firefox → Core
Component: Networking: HTTP → DOM: Security

I think http://www.yopmail.com/ is a good candidate.
It doesn't use cloudfare and has an HTTPS responding server that does nothing…

So when HTTPS-Only is enabled, even when explicitly set to Off for this site, FF checks (I guess) that an HTTPS version is available and automatically switches to it. And then you're stuck on the empty, but secured, page!

I know this site is quite special and I think this is an error to have the HTTPS also responding (maybe an ongoing attempt to move to something more secure…), but this in an example of where the current FF behaviour isn't helpful.

HTH
M.

OK… :-/
Just tried with a fresh new profile and FF behaviour is “correct”, thanks to the fact that the TLS Certificate is expired. But once you created an exception for this site (something unrelated to this bug, I'd say), you have the described behaviour.
Best example I can provide so far ;-)

Julian, can you take a look please?

Flags: needinfo?(julianwels)

Hi Saul!

What's especially weird that you are saying that you still get upgraded after HTTPS-Only Mode has been disabled.

Here is my longshot idea/question: If you go to the HTTPS-Version of your secret site, does Cloudflare respond with a strict-transport-security header? This would explain why upgrades still happen after you disabled HTTPS-Only Mode, and why the UI doesn't show up (because strict-transport-security happen before HTTPS-Only upgrades).

Can you check that for me?


You can check it like this:

  1. Open a new tab
  2. Open the network monitor
  3. Go to your site
  4. Click on the first request in the list
  5. Check under "Headers" > "Response Headers" if you see strict-transport-security

If the header is there, then Cloudflare has probably been misconfigured by the maintainer (maybe you can reach out to them).

Flags: needinfo?(julianwels) → needinfo?(saul.kredi)

Hi Julian,

I did the test and I can't see any strict-transport-security security header in the response headers.

All the response headers:

HTTP/2 521 No Reason Phrase
date: Thu, 14 Jan 2021 12:54:16 GMT
content-type: text/html; charset=UTF-8
set-cookie: cf_use_ob=0; path=/; expires=Thu, 14-Jan-21 12:54:46 GMT
x-frame-options: SAMEORIGIN
cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
expires: Thu, 01 Jan 1970 00:00:01 GMT
server: cloudflare
X-Firefox-Spdy: h2
Flags: needinfo?(saul.kredi)
You need to log in before you can comment on or make changes to this bug.