Closed Bug 813219 Opened 12 years ago Closed 12 years ago

Untrusted connection page is missing "I understand the risks" section

Categories

(Core :: Security: PSM, defect)

16 Branch
x86
macOS
defect
Not set
normal

RESOLVED DUPLICATE of bug 800882

People

(Reporter: kats, Unassigned)

Details

Load https://webmail.staktrace.com
Observe that this gives an "Untrusted connection" warning page with the following details:

webmail.staktrace.com uses an invalid security certificate.

The certificate is only valid for the following names:
  *.dreamhost.com , dreamhost.com  

(Error code: ssl_error_bad_cert_domain)

However, the warning page doesn't have a way to add the page as an exception and load the content anyway. i.e. the "I understand the risks" section is missing. This is NOT the case on some other "Untrusted connection" sites, such as https://people.mozilla.org/ for example - on that one there is an "I understand the risks" section that lets me get past it.

I can repro this on both release (16.0.2) and Aurora (18.0a2) which are what I have installed at the moment.

Note that this is different from bug 756841 because this is not being loaded into a frame, at least as far as I can tell. wget'ing the page with --no-check-certificate gets the page just fine as I would expect.

I can set an exception with Firefox 16.0.2 and SeaMonkey trunk.

What you are seeing could be a result of an HSTS header that the site sent in the past. I checked with websniffer and https://webmail.staktrace.com/src/login.php doesn't send an HSTS header.

You can't override a security error if an HSTS header got set. The HSTS info is stored in your profile and you could try if a new profile makes a difference.
We already have a bug about showing a better error message in case of a security error and an active HSTS policy (bug 800882).

- http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Component: Security → Security: PSM
Product: Firefox → Core

Ah, that makes sense. I do send an HSTS header from https://staktrace.com that applies to subdomains as well.
I guess this is really just a dupe of 800882 then.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
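
The behaviour described in the comments above, as an added example that is not part of the bug thread and is not Firefox code: a simplified model of an HSTS store, showing why a policy set on staktrace.com with includeSubDomains removes the exception option for webmail.staktrace.com. The header value, the timestamps and all function and class names are assumptions made for the example.

```javascript
// Simplified HSTS store; header parsing follows RFC 6797 section 6.1 (added example).
function parseSts(value) {
  const seen = new Map();
  for (const part of value.split(";")) {
    const text = part.trim();
    if (text === "") continue;                 // empty directives are allowed
    const eq = text.indexOf("=");
    const name = (eq === -1 ? text : text.slice(0, eq)).trim().toLowerCase();
    const arg = eq === -1 ? "" : text.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
    if (seen.has(name)) return null;           // a repeated directive voids the header
    seen.set(name, arg);
  }
  if (!/^\d+$/.test(seen.get("max-age") ?? "")) return null;  // max-age is required
  return { maxAge: Number(seen.get("max-age")), includeSubDomains: seen.has("includesubdomains") };
}

class HstsStore {
  constructor() { this.entries = new Map(); }  // host -> { expires, includeSubDomains }

  // Record a header received on an error-free HTTPS response from `host`.
  note(host, headerValue, nowSec) {
    const policy = parseSts(headerValue);
    if (policy === null) return false;
    if (policy.maxAge === 0) { this.entries.delete(host.toLowerCase()); return true; }
    this.entries.set(host.toLowerCase(),
      { expires: nowSec + policy.maxAge, includeSubDomains: policy.includeSubDomains });
    return true;
  }

  // True if `host`, or a parent domain that set includeSubDomains, has a live policy.
  isKnownHstsHost(host, nowSec) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const entry = this.entries.get(labels.slice(i).join("."));
      if (entry && entry.expires > nowSec && (i === 0 || entry.includeSubDomains)) return true;
    }
    return false;
  }

  // With a live policy the certificate error is fatal: no exception is offered.
  canOfferCertException(host, nowSec) { return !this.isKnownHstsHost(host, nowSec); }
}

// Constructed sample: the header value and timestamps are assumptions.
function demo() {
  const store = new HstsStore();       // an empty store behaves like a new profile
  const before = store.canOfferCertException("webmail.staktrace.com", 0);
  store.note("staktrace.com", "max-age=31536000; includeSubDomains", 0);
  return [before, store.canOfferCertException("webmail.staktrace.com", 60)];
}
```

The lookup never consults the response from webmail.staktrace.com itself, which is why checking that host for an HSTS header does not explain the missing exception section.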