Closed
Bug 412652
Opened 17 years ago
Closed 5 years ago
Option to disable "Add an exception..." on certificate error pages (e.g. if Firefox is in "kiosk mode")
Categories
(Firefox :: Security, enhancement, P5)
RESOLVED
WORKSFORME
People
(Reporter: carsten, Unassigned)
User-Agent: Opera/9.25 (Windows NT 5.1; U; en)
Build Identifier:
I'd like to have an option to disable the "OK" button at certificate warnings.
For example, if I try to reach https://www.gmx.de, Firefox gives me
"Security Error: Domain Name Mismatch" (that's correct)
and 3 buttons:
1. View Certificate
2. OK
3. Cancel
I want to be able to disable the OK button for every type of security warning separately, configurable via about:config.
Reason for this request:
99% of the users didn't understand the warning and click OK; if there is a real MITM attack, it succeeds.
Reproducible: Always
Steps to Reproduce:
1. open the website https://www.gmx.de
Actual Results:
3 buttons
View Certificate, OK, Cancel
Expected Results:
2 buttons
View Certificate, Cancel
Comment 1•17 years ago
Firefox 3 uses an error page rather than a dialog for certificate errors (including hostname mismatches), and there isn't a huge "OK" button on the error page.
Having an option to disable OK buttons would be... strange. Why show a modal dialog at all if your only choice is going to be "Cancel"? There are some cases where a pref letting you choose between "Automatically deny" or "Ask me" makes sense, but choosing between "Ask me" and "Ask me but don't let me answer 'yes'" doesn't make a whole lot of sense.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID
Reporter
Comment 2•17 years ago
Sorry, I didn't look at Firefox 3, my fault.
In Firefox 3 this line shouldn't appear on the error page:
"Or you can add an exception…"
The user should not have the choice to ignore the error.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Updated•17 years ago
Summary: Option to disable OK-button at certificate warnings → Option to disable "Add an exception..." on certificate error pages
Comment 3•17 years ago
This would be nice to have in a few minor situations. "Kiosk mode" comes to mind: as a cafe owner you don't want users setting up permanent exceptions that will affect subsequent users. Corporate installations might also want the ability to lock users out of this functionality, especially for something like a sales force that travels and doesn't understand the risks of MITM.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:want p4]
Comment 4•17 years ago
Of course, in those situations companies can just use a userChrome hack to hide the line; I guess we're talking about something a little more "normal" than that.
Still, we're accumulating a lot of prefs here... too bad we can't overload the expert pref into a 3-state without breaking anyone already using it...
tbh, the kiosk scenarios described feel like extension fodder to me, not part of the core product.
Updated•5 years ago
Component: Security → Security: PSM
Comment 5•5 years ago
Seems like this would be implemented on the front-end.
Component: Security: PSM → Security
Product: Core → Firefox
Summary: Option to disable "Add an exception..." on certificate error pages → Option to disable "Add an exception..." on certificate error pages (e.g. if Firefox is in "kiosk mode")
Comment 6•5 years ago
Dan, I suppose you're no longer working on this? I'll set this to P5 unless there's some concrete demand for it...
Flags: needinfo?(dveditz)
Priority: -- → P5
Comment 7•5 years ago
I definitely am not. We do have slightly more kiosk support built-in than in comment 12 days so it might be more wanted. Also might be, e.g. a gov't/enterprise requirement that users not be allowed to connect beyond the set of approved roots.
Assignee: dveditz → nobody
Flags: needinfo?(dveditz) → needinfo?(mozilla)
Keywords: sec-want
Whiteboard: [sg:want p4]
Comment 8•5 years ago
We actually implemented this in policy:
https://github.com/mozilla/policy-templates/blob/master/README.md#disablesecuritybypass
Does this cover this bug?
Flags: needinfo?(mozilla)
Comment 9•5 years ago
Oh, yup, we have that and I should know it :facepalm:
Status: NEW → RESOLVED
Closed: 17 years ago → 5 years ago
Resolution: --- → WORKSFORME
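An added example, not part of the original bug thread and not Mozilla's code: a check a kiosk or enterprise deployment could run over its `policies.json` to confirm that the `DisableSecurityBypass` policy linked in comment 8 really removes the certificate exception option. The key names `InvalidCertificate` and `SafeBrowsing` are the ones documented in the policy-templates README; the sample policy texts and the function name are constructed for illustration.

```python
import json

# Constructed sample policies.json contents (not taken from the bug thread).
# WEAK locks only the Safe Browsing bypass; certificate exceptions stay available.
WEAK_POLICY = '{"policies": {"DisableSecurityBypass": {"SafeBrowsing": true}}}'
HARDENED_POLICY = """
{
  "policies": {
    "DisableSecurityBypass": {
      "InvalidCertificate": true,
      "SafeBrowsing": true
    }
  }
}
"""

def audit_security_bypass(policy_text):
    """Return a list of findings; an empty list means both bypasses are locked."""
    try:
        doc = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"policies.json is not valid JSON: {exc.msg}"]
    policies = doc.get("policies") if isinstance(doc, dict) else None
    if not isinstance(policies, dict):
        return ["no top-level 'policies' object"]
    bypass = policies.get("DisableSecurityBypass")
    if not isinstance(bypass, dict):
        return ["DisableSecurityBypass is not set"]
    findings = []
    for key, what in (("InvalidCertificate", "certificate error exception"),
                      ("SafeBrowsing", "Safe Browsing warning bypass")):
        # This audit accepts only the JSON boolean true; "true" or 1 is flagged.
        if bypass.get(key) is not True:
            findings.append(f"{key} is not true: {what} still offered to users")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_security_bypass(text) or "OK")
```
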