Closed Bug 1678286 Opened 4 years ago Closed 3 years ago

Bypassing HTTPS-only mode is not available in certain situations

Categories

(Core :: DOM: Security, defect)

Firefox 83
defect


RESOLVED INCOMPLETE

People

(Reporter: u562210, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0

Steps to reproduce:

  • Enable HTTPS-only mode.
  • Go to a website that uses a service such as Cloudflare but does not support HTTPS on the end host.
  • Try to bypass HTTPS-only mode.

Actual results:

Getting Cloudflare 521 error ("Web server is down"), without any option to bypass the HTTPS-only mode for this website, because FF thinks HTTPS is working.

Expected results:

Should be able to bypass HTTPS-only mode in any situation.

Hey Saul,
I tried reproducing this issue on the latest versions of Firefox Nightly 85.0a1 (2020-11-24), beta 84.0b4 and release 83.0 on seo.com and storify.com though I am not sure these sites fit the criteria (they do use Cloudflare). Can you give us an example of a site where this issue is encountered?

Can you test the issue while in Safe Mode? You can find helpful info here : https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode .
Also a fresh new profile could help. You can find more about creating a new profile here : https://support.mozilla.org/en-US/kb/troubleshoot-and-diagnose-firefox-problems#w_6-create-a-new-firefox-profile .
If possible, you can test this issue on the nightly build as well. Download the build from : https://www.mozilla.org/en-US/firefox/nightly/all/ .

Flags: needinfo?(saul.kredi)

(In reply to Andrei Purice from comment #1)

Hey Saul,
I tried reproducing this issue on the latest versions of Firefox Nightly 85.0a1 (2020-11-24), beta 84.0b4 and release 83.0 on seo.com and storify.com though I am not sure these sites fit the criteria (they do use Cloudflare). Can you give us an example of a site where this issue is encountered?

Can you test the issue while in Safe Mode? You can find helpful info here : https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode .
Also a fresh new profile could help. You can find more about creating a new profile here : https://support.mozilla.org/en-US/kb/troubleshoot-and-diagnose-firefox-problems#w_6-create-a-new-firefox-profile .
If possible, you can test this issue on the nightly build as well. Download the build from : https://www.mozilla.org/en-US/firefox/nightly/all/ .

Hi Andrei,

I can't share this specific website, but I'm trying to find others that have this issue.

Anyway I figured out that I can see the HTTPS-only mode select box (see new attached image) only when trying to go to an HTTP page that has been upgraded to HTTPS, and I think this is a problem and this select box should always appear.

But now there is a new problem, as you can see even when HTTPS-only mode is turned off for this website, it's still being upgraded to HTTPS. Only when I'm turning off the HTTPS-only mode from preferences does this page stop being upgraded to HTTPS. Why?

These problems exist also in safe mode, fresh profile and nightly build.

Thanks.

Flags: needinfo?(saul.kredi)

Setting a component for this issue in order to get the dev team involved.
If you feel it's an incorrect one please feel free to change it to a more appropriate one.

Component: Untriaged → Networking: HTTP
Product: Firefox → Core
Component: Networking: HTTP → DOM: Security

I think http://www.yopmail.com/ is a good candidate.
It doesn't use Cloudflare and has an HTTPS responding server that does nothing…

So when HTTPS-Only is enabled, even when explicitly set to Off for this site, FF checks (I guess) that an HTTPS version is available and automatically switches to it. And then you're stuck on the empty, but secured, page!

I know this site is quite special and I think this is an error to have the HTTPS also responding (maybe an ongoing attempt to move to something more secure…), but this is an example of where the current FF behaviour isn't helpful.

HTH
M.

OK… :-/
Just tried with a fresh new profile and FF behaviour is “correct”, thanks to the fact that the TLS Certificate is expired. But once you created an exception for this site (something unrelated to this bug, I'd say), you have the described behaviour.
Best example I can provide so far ;-)

Julian, can you take a look please?

Flags: needinfo?(julianwels)

Hi Saul!

What's especially weird is that you are saying that you still get upgraded after HTTPS-Only Mode has been disabled.

Here is my longshot idea/question: If you go to the HTTPS version of your secret site, does Cloudflare respond with a strict-transport-security header? This would explain why upgrades still happen after you disabled HTTPS-Only Mode, and why the UI doesn't show up (because strict-transport-security happens before HTTPS-Only upgrades).

Can you check that for me?


You can check it like this:

  1. Open a new tab
  2. Open the network monitor
  3. Go to your site
  4. Click on the first request in the list
  5. Check under "Headers" > "Response Headers" if you see strict-transport-security

If the header is there, then Cloudflare has probably been misconfigured by the maintainer (maybe you can reach out to them).

Flags: needinfo?(julianwels) → needinfo?(saul.kredi)

Hi Julian,

I did the test and I can't see any strict-transport-security header in the response headers.

All the response headers:

HTTP/2 521 No Reason Phrase
date: Thu, 14 Jan 2021 12:54:16 GMT
content-type: text/html; charset=UTF-8
set-cookie: cf_use_ob=0; path=/; expires=Thu, 14-Jan-21 12:54:46 GMT
x-frame-options: SAMEORIGIN
cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
expires: Thu, 01 Jan 1970 00:00:01 GMT
server: cloudflare
X-Firefox-Spdy: h2

Flags: needinfo?(saul.kredi)
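As an added example that is not part of this bug thread or of Firefox's own code, the following Python script performs the header check Julian described above on a pasted response-header block like the one in this comment. It reports whether a strict-transport-security header is present (the HSTS case, in which upgrades continue even with HTTPS-Only Mode off) and whether the response is a Cloudflare edge error such as 521 (the case in which the TLS connection to the edge succeeds, so the browser treats the upgrade as successful and offers no exception UI). The two sample header blocks are constructed inputs, the first copied from this comment, and the Cloudflare status codes other than 521 are my assumption from Cloudflare's 52x range, not something the bug states.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a copy of the raw response headers pasted in the
# comment above, as the Firefox Network Monitor shows them.
SAMPLE_521 = """\
HTTP/2 521 No Reason Phrase
date: Thu, 14 Jan 2021 12:54:16 GMT
content-type: text/html; charset=UTF-8
set-cookie: cf_use_ob=0; path=/; expires=Thu, 14-Jan-21 12:54:46 GMT
x-frame-options: SAMEORIGIN
cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
expires: Thu, 01 Jan 1970 00:00:01 GMT
server: cloudflare
X-Firefox-Spdy: h2
"""

# Constructed sample input: a healthy HTTPS response that does carry HSTS.
SAMPLE_HSTS = """\
HTTP/2 200 OK
date: Thu, 14 Jan 2021 12:55:00 GMT
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000; includeSubDomains
server: cloudflare
"""

# Cloudflare edge status codes meaning the edge got no usable answer from the
# origin. 521 is the one on this bug; the others are assumed from the 52x range.
CLOUDFLARE_ORIGIN_ERRORS = {520, 521, 522, 523, 524, 525, 526}


@dataclass
class Diagnosis:
    status: int
    hsts: Optional[str]
    hsts_max_age: Optional[int]
    cloudflare_origin_error: bool
    notes: List[str] = field(default_factory=list)


def parse_headers(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a pasted header block into (status code, {lowercased name: value})."""
    lines = [line for line in raw.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty header block")
    match = re.match(r"HTTP/\S+\s+(\d{3})", lines[0])
    if match is None:
        raise ValueError("first line is not an HTTP status line: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # first colon only; values may contain colons
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        # Header names are case-insensitive; the monitor shows most in lowercase
        # but X-Firefox-Spdy in mixed case, so normalise before lookup.
        headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers


def diagnose(raw: str) -> Diagnosis:
    """Explain why the browser may or may not offer the HTTPS-Only exception UI."""
    status, headers = parse_headers(raw)
    hsts = headers.get("strict-transport-security")
    max_age = None
    if hsts is not None:
        age = re.search(r"max-age=(\d+)", hsts)
        max_age = int(age.group(1)) if age else None
    origin_error = (headers.get("server", "").lower() == "cloudflare"
                    and status in CLOUDFLARE_ORIGIN_ERRORS)
    diag = Diagnosis(status, hsts, max_age, origin_error)
    if hsts is not None:
        diag.notes.append(
            "HSTS is set: the browser keeps upgrading this host even with "
            "HTTPS-Only Mode off, until max-age expires.")
    if origin_error:
        diag.notes.append(
            "TLS to the Cloudflare edge succeeded and a real status came back, so "
            "the browser counts the upgrade as successful and shows no exception "
            "UI; the origin itself is not serving HTTPS.")
    if hsts is None and not origin_error and status < 400:
        diag.notes.append("HTTPS response looks healthy; no HSTS pin in play.")
    return diag


if __name__ == "__main__":
    for sample in (SAMPLE_521, SAMPLE_HSTS):
        result = diagnose(sample)
        print(result.status, result.hsts, *result.notes, sep="\n  ")
```

Paste the "Response Headers" block from the Network Monitor into a string and pass it to `diagnose()`; the notes distinguish the HSTS explanation from the 521 explanation, which need different fixes on the site owner's side.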

Here's some information about the Cloudflare-specific 521 status code (including how to fix it on the webserver itself):
https://kinsta.com/knowledgebase/error-521/

For me there are two different problems here: One for the mysterious website and one regarding HTTPS-Only

So there is a known issue that HTTPS-Only Mode doesn't show the "unbreak site"-UI after a seemingly successful upgrade. From the perspective of the Browser that makes sense, because the request got upgraded and the server responded with a valid certificate. We know about that, but there is not really a solution for that.

Then there is the issue that the mysterious website is responding with a 521 status code when accessed via HTTPS. That is an issue the website maintainers have to solve. Either by turning on HTTPS for their site (obviously the preferred option ^^), refusing the connection, or redirecting to the HTTP page (but please don't). If you are in contact with the maintainers, maybe you can reach out to them about this.

The final issue, and the one I'm most interested in, is your statement that the page is still being upgraded to HTTPS, because that shouldn't be possible. If that's the case then it's hard to tell why, without having the actual website to test. If you can still reproduce this particular issue, maybe you could provide an alternative website that has the same behavior, or if that works for you, you could send me an Email with the address, so I can check it out.

Flags: needinfo?(saul.kredi)
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
Flags: needinfo?(saul.kredi)
