Closed Bug 1049187 Opened 10 years ago Closed 10 years ago

Self-signed certificate exception fails on some sites (while working on others)

Categories

(Core :: Security: PSM, defect)

31 Branch
x86_64
Windows 8
defect
Not set
normal


RESOLVED DUPLICATE of bug 800882

People

(Reporter: abcdzywx, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 (Beta/Release)
Build ID: 20140716183446

Steps to reproduce:

(1) Install and use the "Fiddler" web debugging proxy program: http://www.telerik.com/fiddler
Configure it to intercept HTTPS traffic from Firefox.  This makes Firefox use a self-signed certificate under the "DO NOT TRUST" authority.

(2) In Firefox, go to about:config and set "browser.xul.error_pages.expert_bad_cert" to true.

(3) With a Fiddler2 session open, attempt to visit the following two sites in separate tabs in Firefox:
[1] google.com
[2] support.mozilla.org

(4) For each of the above two sites, when prompted for the invalid certificate, attempt to add a certificate exception and visit the site.  It does not matter if you add a temporary exception or a permanent exception.


Actual results:

When visiting the first site, google.com, the certificate exception will work and you will be able to proceed to the site (Google search engine).

But for the second site, support.mozilla.org, adding the certificate exception does NOT work for some reason.  No matter how many times you attempt to accept the certificate and add an exception, Firefox continually gives the certificate error.

A check of the certificates in Firefox options shows that an exception is indeed added for the self-signed "DO NOT TRUST" certificate in the case of both sites.  However, for some strange reason, the exception for "support.mozilla.org:443" is ignored, while the exception for "www.google.com:443" is in fact honored by Firefox.

This means that certificate exceptions in Firefox only work in some circumstances and not others.  No idea what modulates the working vs. non-working cases.


Expected results:

Adding a certificate exception should always work, including for self-signed certificates.  Firefox should not go into an infinite loop without ever allowing you to override the certificate error.
Component: Untriaged → Security: PSM
Product: Firefox → Core
support.mozilla.org uses strict-transport-security, which (among other things) basically tells the user-agent to not allow certificate exceptions. Unfortunately, the error page neglects to tell the user why the exception won't work.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
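As an added illustration of the comment above (example code, not Firefox's PSM or site security service): a minimal model of how a user agent records a Strict-Transport-Security policy and why a certificate exception cannot be honored for a known HSTS host. The header value, host names and the dict used as a cache are constructed for the example.

```python
import time

def parse_sts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None if malformed (no or non-numeric max-age); a UA then ignores it."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def record_sts(cache, host, header, now=None):
    """Update the known-HSTS-host cache after a response from `host`.
    Only call this for responses received over a connection with no TLS errors;
    a header seen through a certificate warning must not be recorded (RFC 6797 8.1)."""
    now = time.time() if now is None else now
    parsed = parse_sts(header)
    if parsed is None:
        return
    max_age, include_sub = parsed
    if max_age == 0:
        cache.pop(host.lower(), None)      # max-age=0 tells the UA to forget the host
    else:
        cache[host.lower()] = (now + max_age, include_sub)

def override_allowed(cache, host, now=None):
    """True if the UA may offer a certificate-error exception for `host`.
    For a known HSTS host, RFC 6797 12.1 requires the UA to terminate the
    connection and not let the user proceed, so no stored exception can apply."""
    now = time.time() if now is None else now
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = cache.get(".".join(labels[i:]))
        if entry is None or entry[0] <= now:
            continue                       # unknown host, or policy expired
        if i == 0 or entry[1]:             # exact host, or superdomain with includeSubDomains
            return False
    return True
```

This is why the exception for "support.mozilla.org:443" is present in the certificate manager yet never consulted, while the one for "www.google.com:443" (not a known HSTS host in this model) is.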