Open Bug 1913690 Opened 6 months ago Updated 5 months ago

Override missing for self-signed certificates

Categories: Core :: Security: PSM, defect

Version: Firefox 129

Status: UNCONFIRMED

People

(Reporter: gerwin_klaus, Unassigned, NeedInfo)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0

Steps to reproduce:

Actual results:

Warning message MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

WITHOUT option to accept and continue

Please see attached screenshot (Strict Transport Security / Public Key Pinning: false)

Expected results:

Warning message WITH option to accept and continue

Trying to move to Core::Security for triage; please move if there's a better component.

Component: Untriaged → Security
Product: Firefox → Core

The severity field is not set for this bug.
:dveditz, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(dveditz)

Where does that grey box come from? That's not normal Firefox UI. I assume that information ("HTTP Strict Transport Security: false") comes from the same machine with the questionable certificate. It's completely irrelevant whether THAT computer has set HSTS because that's the computer that is a potential MITM attack from Firefox's point of view.

There is, indeed, a real https://salt.box site on the public internet that is NOT your local router (see https://dnschecker.org/#A/salt.box), and that site does serve the header Strict-Transport-Security: max-age=31536000; includeSubDomains. I assume you must have visited it at least once, after which the whole purpose of the strict-transport-security feature is to protect you from fraudulent sites trying to MITM your connection to that domain. Since the site is related to NFTs and crypto that protection seems warranted because there are a lot of hackers out there trying to steal cryptocurrency and NFTs from anyone they can. Probably you should pick a different name for your local machine, or if that's what the salt.box people told you to do they need to come up with instructions that don't conflict with the security settings they have enabled on their site.

Component: Security → Security: PSM
Flags: needinfo?(dveditz) → needinfo?(gerwin_klaus)

The override is intentionally missing for HSTS sites because that's what the HSTS spec says should happen, so I think this is invalid. Lots of people disagree with that part of the spec, but we already have feature requests for an "override anyway" option and don't need another one.
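To make concrete why the override is withheld here, an added example (not Firefox's code) that models the RFC 6797 behaviour the comment refers to: it parses a Strict-Transport-Security header value, keeps a minimal HSTS cache (an assumed stand-in for Firefox's site security store), and decides whether a certificate error on a host may be overridden. The scenario is constructed from this bug: the public salt.box sends the quoted header once, and a local device later reuses the same hostname.

```python
# Added example, not Firefox's code: models the RFC 6797 rule behind this bug.
# Once a host has sent Strict-Transport-Security, a user agent must treat
# certificate errors for it as fatal, so no "accept the risk" override is offered.

def parse_hsts(header):
    """Return (max_age, include_subdomains) from an STS header value, or None if invalid."""
    max_age, include_subdomains = None, False
    for part in header.split(";"):
        name, _, value = part.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdecimal():
                return None  # max-age must be a non-negative integer (RFC 6797 s6.1.1)
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)

class HstsStore:
    """Minimal in-memory HSTS cache; assumed stand-in for Firefox's site security store."""
    def __init__(self):
        self.entries = {}  # host -> (expiry_time, include_subdomains)

    def observe(self, host, header, now):
        """Record an STS header received over a trusted TLS connection to host."""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        if max_age == 0:
            self.entries.pop(host.lower(), None)  # max-age=0 removes the policy
        else:
            self.entries[host.lower()] = (now + max_age, include_subdomains)

    def is_hsts_host(self, host, now):
        """True if host, or a parent domain with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

def cert_error_overridable(store, host, now):
    """True if the browser may offer 'accept and continue' for a certificate error on host."""
    return not store.is_hsts_host(host, now)
```

With the header from the bug cached for salt.box, `cert_error_overridable` returns False for both salt.box and any subdomain until max-age expires, which is the missing-override behaviour the reporter saw.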
