Closed Bug 762985 Opened 12 years ago Closed 8 years ago

add a pref to control whether or not "Permanently store this exception" is checked by default

Categories

(Core Graveyard :: Security: UI, defect)

13 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: jwilk, Unassigned)

References

Details

(Keywords: polish, Whiteboard: [good first bug])

I never want to add permanent security exceptions. Unfortunately, in the "Add Security Exception" dialog, the "Permanently store this exception" checkbox is selected by default. Could you make this default configurable? I'm currently using an addon[0] to achieve the same thing, but I feel it's overkill and it should be implemented in Firefox proper. Thanks for considering.

[0] https://addons.mozilla.org/en-US/firefox/addon/y-u-no-validate/
I always manually disable the "permanent" checkbox but I understand the usability behind the decision to enable it by default. Adding yet another peference option for this would be also overkill IMO
I agree that a configurable default would be useful.

Though I think the real solution is to change the default to disable the "permanent" checkbox. Usability should not be regarded as more important than security in this case.
Note: a work-round is to use Private browsing mode.
This disables the setting and clears the checkbox.
Why is this enabled by default anyway? That seems rather unsafe.
Anne, dveditz can explain the rationale (as I have seen him do before), but I think that the main point is to remove the potential for training users to click through this sequence.  The exception process demands actual thought.  The addon is a fine solution for folks who know enough to care about this.

Permanent by default is actually OK for corporate services or your home router.

BTW, I think that I might have opened a duplicate of this bug a long time ago, I'll see if I can find it.
But if you click through you actually *do* permanently install an exception without it being clear how to undo it. At least if the checkbox was not checked by default it would be gone at the end of a session (presumably).
Agree with Anne, and I cannot understand Martin's thought process. If one is worrying about inexperienced users, as Martin seems to be, and along similar lines as other decisions in the Mozilla world, it would be logical to NOT permanently store the exception. Further, as I (at least) store exceptions for internet sites more frequently than intranet sites, the safe decision is to NOT permanently store the exceptions.

While an addon fixed this "for people who care", I am sure it is 100x more lines of code to achieve than a simple boolean check before that dialog is being displayed, if native. Given this, I am not sure in what sense "overkill" is being thought of, but it certainly isn't in the sense of code efficiency.
Severity: enhancement → normal
Component: Preferences → Security: UI
Keywords: polish
Product: Firefox → Core
Summary: Please make "Permanently store this exception" default configurable → "Permanently store this exception" should be unchecked by default and have a pref
Whiteboard: [good first bug]
Status: UNCONFIRMED → NEW
Ever confirmed: true
The reason to permanently store the exception is that when this happens, the certificate is essentially pinned for that site. If the user re-visits a site with an exception, they have reasonable confidence that the certificate hasn't changed (i.e. if they trusted it once, they can continue to trust it).
Summary: "Permanently store this exception" should be unchecked by default and have a pref → add a pref to control whether or not "Permanently store this exception" is checked by default
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Product: Core → Core Graveyard
Is there a chance that the resolution will be revised? Since Firefox 57 will drop XUL, the mentioned add-on that implements this will just stop working. A hidden preference in about:config would be enough, this setting is intended only for advanced users anyway.
Flags: needinfo?(dkeeler)
It's unlikely. We feel the current behavior best protects users (note that when you permanently store an exception, that site is essentially pinned to that certificate, so if it changes, you'll (hopefully - see bug 399910) notice). Putting engineering effort into supporting this rare configuration is not the best use of our time.
Flags: needinfo?(dkeeler)
I would like to request an advanced (about:config) option to change the default behavior for this.  We do network device configuration by the hundreds and would like to have the option to not save.

thank you~
With Firefox 57 (Quantum) the Add on https://addons.mozilla.org/en-US/firefox/addon/y-u-no-validate/versions/ no longer works. Either a replacement or a config: entry or a bug fix is needed.
See Also: → 1414753

"Status: RESOLVED WONTFIX" - "won't fix" is maybe "resolved", but not "solved". Wilfully ignoring a problem does not solve it. (This holds also for the other bugs with "Status: RESOLVED WONTFIX".)

You need to log in before you can comment on or make changes to this bug.