Closed
Bug 813219
Opened 12 years ago
Closed 12 years ago
Untrusted connection page is missing "I understand the risks" section
Categories
(Core :: Security: PSM, defect)
RESOLVED
DUPLICATE
of bug 800882
People
(Reporter: kats, Unassigned)
Details
Load https://webmail.staktrace.com

Observe that this gives an "Untrusted connection" warning page with the following details:

webmail.staktrace.com uses an invalid security certificate.
The certificate is only valid for the following names: *.dreamhost.com, dreamhost.com
(Error code: ssl_error_bad_cert_domain)

However, the warning page doesn't have a way to add the page as an exception and load the content anyway; i.e. the "I understand the risks" section is missing. This is NOT the case on some other "Untrusted connection" sites, such as https://people.mozilla.org/ for example - on that one there is an "I understand the risks" section that lets me get past it.

I can repro this on both release (16.0.2) and Aurora (18.0a2) which are what I have installed at the moment.

Note that this is different from bug 756841 because this is not being loaded into a frame, at least as far as I can tell. wget'ing the page with --no-check-certificate gets the page just fine as I would expect.
Comment 1•12 years ago
I can set an exception with Firefox 16.0.2 and SeaMonkey trunk.

What you are seeing could be a result of an HSTS header that the site sent in the past. I checked with websniffer and https://webmail.staktrace.com/src/login.php doesn't send an HSTS header. You can't override a security error if an HSTS header got set. The HSTS info is stored in your profile and you could try whether a new profile makes a difference.

We already have a bug about showing a better error message in case of a security error and an active HSTS policy (bug 800882) - http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
Component: Security → Security: PSM
Product: Firefox → Core
Comment 2•12 years ago (Reporter)
Ah, that makes sense. I do send an HSTS header from https://staktrace.com that applies to subdomains as well.
Comment 3•12 years ago (Reporter)
I guess this is really just a dupe of 800882 then.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
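
The behaviour worked out in comments 1 and 2, as an added example that is not part of the bug thread and is not Firefox code: a small model of RFC 6797 policy storage and host matching, showing why a policy noted on the parent domain removes the exception option on a subdomain. The header value and all function names are assumptions made for illustration; the host names are the ones in the report.

```javascript
// Added illustration, not Firefox (PSM) code: RFC 6797 HSTS policy matching.
// Parse a Strict-Transport-Security value; returns null when it is invalid.
function parseHsts(value) {
  let maxAge = null, includeSubDomains = false;
  const seen = new Set();
  for (const raw of value.split(";")) {
    const part = raw.trim();
    if (part === "") continue; // empty directives are permitted
    const eq = part.indexOf("=");
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (seen.has(name)) return null; // each directive may appear only once
    seen.add(name);
    if (name === "max-age") {
      const arg = eq === -1 ? "" : part.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
      if (!/^\d+$/.test(arg)) return null;
      maxAge = Number(arg);
    } else if (name === "includesubdomains") {
      if (eq !== -1) return null; // this directive takes no value
      includeSubDomains = true;
    } // unknown directives are ignored
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

// Record the policy a client would keep after an error-free HTTPS response.
function noteHeader(store, host, headerValue, nowSec) {
  const p = parseHsts(headerValue);
  if (!p) return;
  if (p.maxAge === 0) { store.delete(host.toLowerCase()); return; } // max-age=0 clears it
  store.set(host.toLowerCase(),
    { expires: nowSec + p.maxAge, includeSubDomains: p.includeSubDomains });
}

// Return the stored HSTS host whose unexpired policy covers `host`, else null.
function hstsHostFor(store, host, nowSec) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    const e = store.get(candidate);
    // An exact match always applies; a parent applies only with includeSubDomains.
    if (e && e.expires > nowSec && (i === 0 || e.includeSubDomains)) return candidate;
  }
  return null;
}

// Under a covering policy a certificate error is fatal, so no exception is offered.
const canAddException = (store, host, nowSec) => hstsHostFor(store, host, nowSec) === null;

// Constructed sample: the header value is assumed; the host names are from the report.
const sampleStore = new Map();
noteHeader(sampleStore, "staktrace.com", "max-age=31536000; includeSubDomains", 0);
```

The store stands in for the per-profile HSTS data mentioned in comment 1, which is why a fresh profile (an empty store) brings the exception option back.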