Override missing for self-signed certificates
Component: Core :: Security: PSM (defect)
Reporter: gerwin_klaus (Unassigned, NeedInfo)
Attachments: 1 file (image/png, 120.29 KB)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0
Steps to reproduce:
- Updated to 129.0.1
- Accessed admin interface of local router (https://salt.box/ or http://salt.box/)
Actual results:
Warning message MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT WITHOUT option to accept and continue.
Please see attached screenshot (Strict Transport Security / Public Key Pinning: false).
Expected results:
Warning message WITH option to accept and continue
Comment 1 • 6 months ago
Trying to move to Core::Security for triage, please move if there's a better component.
Comment 2 • 5 months ago
The severity field is not set for this bug.
:dveditz, could you have a look please?
For more information, please visit BugBot documentation.
Comment 3 • 5 months ago
Where does that grey box come from? That's not normal Firefox UI. I assume that information ("HTTP Strict Transport Security: false") comes from the same machine with the questionable certificate. It's completely irrelevant whether THAT computer has set HSTS because that's the computer that is a potential MITM attack from Firefox's point of view.
There is, indeed, a real https://salt.box site on the public internet that is NOT your local router (see https://dnschecker.org/#A/salt.box), and that site does serve the header Strict-Transport-Security: max-age=31536000; includeSubDomains. I assume you must have visited it at least once, after which the whole purpose of the strict-transport-security feature is to protect you from fraudulent sites trying to MITM your connection to that domain. Since the site is related to NFTs and crypto that protection seems warranted because there are a lot of hackers out there trying to steal cryptocurrency and NFTs from anyone they can. Probably you should pick a different name for your local machine, or if that's what the salt.box people told you to do they need to come up with instructions that don't conflict with the security settings they have enabled on their site.
Comment 4 • 5 months ago
The override is intentionally missing for HSTS sites because that's what the HSTS spec says should happen, so I think this is invalid. Lots of people disagree with that part of the spec, but we already have feature requests for an "override anyway" option and don't need another one.
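The mechanism comments 3 and 4 describe (one visit to the public salt.box records an HSTS entry with includeSubDomains, after which a TLS error on any host matching salt.box gets no click-through) can be modelled with a small known-HSTS-host store written to RFC 6797. The following is an added example, not Firefox or PSM code: the header value is the one quoted in comment 3, while the hostnames, timestamps and the `override_allowed` policy function are constructed here for illustration and simplify the RFC text rather than mirror Firefox's implementation.

```python
"""
Added example (not Firefox/PSM code): a minimal HSTS host store modelled on
RFC 6797, showing why the error page for the reporter's local https://salt.box
offers no "accept the risk" button once the public salt.box site was visited.

Assumptions (not from the bug report): the header value is the one quoted in
comment 3; hostnames, timestamps and the override_allowed() policy are
constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Directive grammar from RFC 6797 section 6.1: ';'-separated directives,
# case-insensitive names, optional (possibly quoted) value.
_DIRECTIVE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*"?([^";]*)"?)?\s*$')


@dataclass
class HstsEntry:
    expires_at: float          # absolute time (seconds) after which the entry is stale
    include_subdomains: bool


def parse_sts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Return (max_age, include_subdomains), or None if the header is invalid.

    Section 6.1: exactly one max-age directive is required, a directive name
    must not appear twice, and unknown directives are ignored.
    """
    seen = set()
    max_age = None
    include_subdomains = False
    for raw in value.split(";"):
        if not raw.strip():
            continue
        m = _DIRECTIVE.match(raw)
        if not m:
            return None
        name = m.group(1).lower()
        val = m.group(2).strip() if m.group(2) is not None else None
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if val is None or not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        # any other directive: ignored per the RFC
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Known-HSTS-host cache keyed by exact hostname (RFC 6797 section 5.1)."""

    def __init__(self) -> None:
        self._hosts: Dict[str, HstsEntry] = {}

    def note_response(self, host: str, sts_header: str, now: float) -> bool:
        """Record a header seen on a secure, error-free response (section 8.1).
        Returns True if the store changed."""
        parsed = parse_sts_header(sts_header)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower().rstrip(".")
        if max_age == 0:
            # max-age=0 tells the UA to forget the host (section 6.1.1)
            return self._hosts.pop(host, None) is not None
        self._hosts[host] = HstsEntry(now + max_age, include_subdomains)
        return True

    def is_hsts_host(self, host: str, now: float) -> bool:
        """Sections 8.2/8.3: exact match, or a superdomain match whose entry
        carries includeSubDomains. Expired entries do not count."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None or entry.expires_at <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def override_allowed(store: HstsStore, host: str, now: float) -> bool:
    """Section 12.1: for a known HSTS host a TLS error (self-signed cert, name
    mismatch, expired cert, ...) must terminate the connection with no user
    recourse. Only non-HSTS hosts get an override button (comment 4's policy)."""
    return not store.is_hsts_host(host, now)


if __name__ == "__main__":
    store = HstsStore()
    t0 = 1_700_000_000.0                      # constructed timestamp
    # 1. the user visits the public site, which serves the header from comment 3
    store.note_response("salt.box", "max-age=31536000; includeSubDomains", t0)
    # 2. later the same name resolves to the router with a self-signed cert
    print("override on salt.box:", override_allowed(store, "salt.box", t0 + 60))
    print("override on admin.salt.box:", override_allowed(store, "admin.salt.box", t0 + 60))
    print("override on fritz.box:", override_allowed(store, "fritz.box", t0 + 60))
```

The `override_allowed` result is the policy comment 4 refers to, not a knob: the only ways out of it are the entry expiring (a year here), the public site sending `max-age=0`, or the user choosing a hostname that no HSTS entry matches. To confirm what a public site actually sends before naming a LAN device after it, `curl -sI https://salt.box | grep -i strict-transport-security` shows the header the store above would record.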