https-only mode ignores exception to default gateway
Categories: Core :: DOM: Security, defect
Reporter: fabio.gartenmann (Unassigned, NeedInfo)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
Steps to reproduce:
I wanted to configure my default gateway (router) via http://192.168.1.1
IMO the ISP should provide a certificate, as every customer will run into a safety false positive trying to log in, which is kinda shocking for muggles I guess.
I've added an exception for https-only mode, assuming I could just land on the http landing page when navigating to 192.168.1.1.
Actual results:
Firefox & Firefox Developer both still replace 'http' with 'https', ignoring the exception made in https-only mode (maybe there is another setting I'm missing here?)
Expected results:
I'm assuming the ISP login page should have appeared; I don't understand why the exception I made in https-only mode was ignored.
Isn't it so that 192.168/16 is private and therefore ALWAYS secure because it is not publicly accessible? I think you also should differentiate the warning messages; it's a different story when I try to use http to a public IP vs. http inside my private network (anyway, you also should warn in a private network, but it's really a different story than adding login credentials to a public :80 connection).
bonus question 1:
- Firefox (and the developer version) show me a self-signed https certificate while ignoring my exception... is this generated by Firefox on-the-fly? Just a guess, that's why I won't trust that cert. And why wouldn't the ISP provide a cert? Every customer has to run into this, and most of them aren't developers like I am (well, a bit noobish in networking still).
bonus question 2 (non-Firefox-related):
- Why would the 'Brave' browser, which I've also tried, want to engage with 'detectportal.brave-http-only.com'? I mean, I want to access a private network device that stands directly in front of me and Brave starts travelling around the world...
thanks.
Comment 1 • 2 years ago
The Bugbug bot thinks this bug should belong to the 'Core::Networking' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2 • 2 years ago
> isn't it so that 192.168/16 is private and therefore ALWAYS secure because not publicly accessible?
It's "private" in a computer jargon sense ("not a public address") but not in the sense of "personal privacy" or "privacy and safety". The browser doesn't know if the address is private to the house you live in or if it's "private" to a library, school, business, or other semi-public space. But that only explains why Firefox doesn't exempt local addresses from https-only mode, not why your exception failed to work.
How did you create the exception for that site? Did the error page come up and then you clicked the button to proceed to the insecure site (Firefox created the exception)? Or did you go into preferences and add the exception manually? Can you check what's actually saved in preferences for me?
- Open the Preferences or Settings page (it's named differently on different operating systems) either through the menu or by entering about:preferences#privacy in the address bar
- Scroll down the Privacy & Security tab to find the HTTPS-only options (or enter "https-only" in the search box on that page)
- Click the "Manage Exceptions" button in the HTTPS-only section
What is the entry in that dialog? It should be "http://192.168.1.1", but I've seen some people mistakenly put "https:" instead.
If the Manage Exceptions button is disabled then HTTPS-only mode is not turned on! That would raise a mystery about why you're getting the automatic update. We do have a similar behavior in private browsing mode called "https-first", and some people don't realize that if they set Firefox to "Never remember history" we treat that as private browsing. But https-first is a "best effort" approach and should have carried on to use http: when it found the security error. I don't think this is the state you're in.
Bonus answer 1:
You are not logging in to your ISP (the company that charges you money for internet service). The ISP website will definitely have a legitimate certificate. The 192.168.1.1 address goes to your router, the physical hardware in your home. You may have gotten this hardware from your ISP, but when you talk to that local address you are talking to a simple web site built into that local hardware and not anything on "the internet". It has to use a self-signed certificate because Certificate Authorities will not issue legit certificates for private addresses: they are not unique and no one can prove ownership in the way Certificate Authorities (and browsers) accept. In addition, router makers wouldn't know what address to put in the certificate because, although 192.168.1.1 is an extremely common default address, routers can be configured to use hundreds of other private addresses. A larger private space (like an office) might need multiple routers, and the router for each "subnet" has to have a unique address within that larger private network.
Firefox did not generate this cert either. It's burned into the device at manufacturing time. For other technical security reasons it's usually unique per physical device.
Bonus answer 2:
Many places that offer wifi want you to engage with a page on their own site before they'll let you talk to the real internet, either to require a sign-in, possibly pay for access, or even just to get you to click "agree" to their rules. Hotels are notorious for this. Networks set up this way will block all connections until you go through their page. The networks will hijack the first http: request they see from you and redirect you to their page so you can do this, but if you only make https connections (as with an "https-only" mode) they can't do that so it looks like "nothing works" to the user. So browsers send out an http:// "detectportal" request to test the network when you first connect. If it gets hijacked then the user can log in to the network, and if it succeeds then the network is ready to use.
All browsers these days are doing something similar. You should see similar http://detectportal.firefox.com requests from Firefox, too. Brave and Firefox may have made different choices about when we need to test the network, but it's all for a similar purpose.
Anyways, please do let me know what is in your exception list.
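The "detectportal" probe that bonus answer 2 describes, as an added example that is not Firefox's or Brave's code: a plain-http probe is sent to a fixed URL with a known expected body, and a network that answers with anything else (typically a redirect to a login page) is treated as a captive portal. The probe path, the expected body, the portal URL and the two local stand-in servers below are all assumptions constructed for this example.

```python
"""Captive-portal probe in the style of a browser's 'detectportal' request.

Added example, not Firefox or Brave code. The probe path, the expected body,
the portal URL and the two local stand-in servers are constructed here.
"""
import http.server
import threading
import urllib.error
import urllib.request

PROBE_PATH = "/success.txt"   # hypothetical probe path
EXPECTED_BODY = b"success\n"  # hypothetical body an unfiltered network returns


def classify(status, body, location=None, expected_body=EXPECTED_BODY):
    """Decide what a probe response says about the network.

    'open'              - the probe came back untouched: no portal in the way
    'captive:redirect'  - a 3xx sent us to a login page (classic hotel portal)
    'captive:tampered'  - anything else (e.g. a 200 whose body is a login form)
    """
    if status == 200 and body == expected_body:
        return "open"
    if 300 <= status < 400 and location:
        return "captive:redirect"
    return "captive:tampered"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects: the redirect itself is the evidence."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, timeout=3.0):
    """Send the plain-http probe and classify; 'unreachable' if nothing answers."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read(), resp.headers.get("Location"))
    except urllib.error.HTTPError as err:      # 3xx/4xx/5xx land here
        return classify(err.code, err.read(), err.headers.get("Location"))
    except (urllib.error.URLError, OSError):   # refused, timed out, no route
        return "unreachable"


class _OpenNetwork(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a network that lets the probe through."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(EXPECTED_BODY)))
        self.end_headers()
        self.wfile.write(EXPECTED_BODY)

    def log_message(self, *args):  # keep the demo quiet
        pass


class _CaptivePortal(_OpenNetwork):
    """Constructed stand-in for a network that hijacks plain http."""

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", "http://portal.example/login")  # placeholder
        self.send_header("Content-Length", "0")
        self.end_headers()


def _serve(handler):
    """Run a handler on a free loopback port; return (base_url, server)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1], srv


def demo():
    """Probe the two constructed networks plus a dead port; return the verdicts."""
    verdicts = {}
    for name, handler in (("open", _OpenNetwork), ("portal", _CaptivePortal)):
        base, srv = _serve(handler)
        try:
            verdicts[name] = probe(base + PROBE_PATH)
        finally:
            srv.shutdown()
            srv.server_close()
    # Nothing listens on the discard port; this stands in for "no network".
    verdicts["dead"] = probe("http://127.0.0.1:9" + PROBE_PATH, timeout=1.0)
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-7s %s" % (name, verdict))
```

The probe is deliberately plain http and deliberately does not follow redirects: a portal can only intercept a cleartext request, and the interception is exactly what the browser wants to observe, which is why an https-only mode still has to let this one request go out unencrypted.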