Closed Bug 973222 Opened 11 years ago Closed 8 years ago

Make certificate validation warning dismissible

Categories

(Core Graveyard :: Security: UI, defect)

29 Branch
x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 800882

People

(Reporter: andershol, Unassigned)

Details

Attachments

(1 file)

Attached image untrusted-connection-warning.png (deleted)
If I visit e.g. https://isc.sans.edu/ , I get an "Untrusted Connection" warning (see screen shot). Previously (in version 28?) this dialog had an "Add security exception"-button, which allowed you to enter the site anyway.

Either restore the button or just have the button say "Continue anyway" and let it add the security exception and continue loading the site (and save the user some clicks and waiting time). Best would probably just be to not give any warnings, but just let the connection appear as a non-ssl connection in the UI (perhaps with a stroked out "https" in the address bar).
Summary: Make certificate validation warning disable → Make certificate validation warning dismissible
With which version are you seeing this? 29/Aurora? And does it still happen if you connect in safe mode? I can't reproduce the "I understand the risks" section not appearing (that is, it appears fine here).
Flags: needinfo?(andershol)
Yes, Aurora version 29 (2014-02-15).

I tried using the "Restart with Add-ons Disabled..."-link in the help menu (which leads to a "Start in Safe Mode"-button), but I still did not see a button.

The "Technical Details"-foldout just has "isc.sans.edu uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)", not a button to see the certificate.
Flags: needinfo?(andershol)
Right-clicking the warning page and choosing "Inspect Element (Q)" reveals that the "I Understand the Risks" (id="expertContent") element has a hidden="true" attribute (causing the CSS on the page to hide it). But if I remove the attribute to display the item, expand the item, click the "Add Exception..."-button and click "Confirm Security Exception", the warning page just reloads.
Status: UNCONFIRMED → NEW
Component: General → Security: UI
Ever confirmed: true
Product: Firefox → Core
It seems the button is hidden here (the "getCSSClass"-function does return "badStsCert" on the test page):
http://dxr.mozilla.org/mozilla-central/source/browser/components/certerror/content/aboutCertError.xhtml#88
The code, with the reference to "STS Spec section 7.3", was added in this changeset:
http://hg.mozilla.org/mozilla-central/rev/5dc3c2d2dd4f#l1.12 referencing bug 495115.

In bug 495115 comment 3 the draft spec is linked:
http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html
Which states in section 7.3 "When connecting to a Known STS Server, the UA must terminate the connection with no user recourse if there are any errors (e.g. certificate errors) with the underlying secure transport (regardless of what header fields are in any response)."

I guess the "with no user recourse" part is what is the issue here.

The current version of the spec seems to be RFC 6797, which has no section 7.3, but talks about this in section "12.1. No User Recourse":
http://tools.ietf.org/html/rfc6797#section-12.1

I think my user agent should obey me, not the IETF.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Product: Core → Core Graveyard
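
The "no user recourse" behaviour discussed in this bug, as an added sketch that is not Firefox's code and not part of the original thread: a user agent parses the Strict-Transport-Security header, remembers the host, and from then on treats certificate errors for that host as non-overridable. The names `parseSts`, `HstsStore` and `certErrorOverridable` are hypothetical, and rejecting a value on `includeSubDomains` is this sketch's own choice.

```javascript
// Added illustration, not Firefox code; all names are hypothetical.
// Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
// Returns { maxAge, includeSubDomains }, or null if the header must be ignored.
function parseSts(value) {
  const seen = new Set();
  let maxAge = null, includeSubDomains = false;
  for (const raw of value.split(";")) {
    const part = raw.trim();
    if (part === "") continue;                     // empty directives are allowed
    const eq = part.indexOf("=");
    const name = (eq < 0 ? part : part.slice(0, eq)).trim().toLowerCase();
    let val = eq < 0 ? null : part.slice(eq + 1).trim();
    if (seen.has(name)) return null;               // each directive at most once
    seen.add(name);
    if (name === "max-age") {
      if (val === null) return null;
      val = val.replace(/^"(.*)"$/, "$1");         // quoted-string form is permitted
      if (!/^\d+$/.test(val)) return null;
      maxAge = Number(val);
    } else if (name === "includesubdomains") {
      if (val !== null) return null;               // valueless; this sketch rejects a value
      includeSubDomains = true;
    }                                              // unknown directives are ignored
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor() { this.hosts = new Map(); }
  // Record a policy seen on an error-free TLS connection; `now` is in seconds.
  note(host, headerValue, now) {
    const p = parseSts(headerValue);
    if (!p) return;
    host = host.toLowerCase();
    if (p.maxAge === 0) this.hosts.delete(host);   // max-age=0 forgets the host
    else this.hosts.set(host, { expires: now + p.maxAge, sub: p.includeSubDomains });
  }
  // Known HSTS Host: exact match, or a superdomain that set includeSubDomains.
  isKnown(host, now) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const e = this.hosts.get(labels.slice(i).join("."));
      if (e && e.expires > now && (i === 0 || e.sub)) return true;
    }
    return false;
  }
  // RFC 6797 section 12.1: no override option on a Known HSTS Host.
  certErrorOverridable(host, now) { return !this.isKnown(host, now); }
}
```

A certificate error page would consult `certErrorOverridable` before showing an exception button, which matches the hidden `expertContent` element described above for the `badStsCert` case.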