Closed
Bug 973222
Opened 11 years ago
Closed 8 years ago
Make certificate validation warning dismissible
Categories
(Core Graveyard :: Security: UI, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 800882
People
(Reporter: andershol, Unassigned)
Details
Attachments
(1 file)
(deleted),
image/png
If I visit e.g. https://isc.sans.edu/, I get an "Untrusted Connection" warning (see screenshot). Previously (in version 28?) this dialog had an "Add security exception" button, which allowed you to enter the site anyway. Either restore the button or just have the button say "Continue anyway" and let it add the security exception and continue loading the site (and save the user some clicks and waiting time). Best would probably just be to not give any warnings, but just let the connection appear as a non-SSL connection in the UI (perhaps with a struck-out "https" in the address bar).
Summary: Make certificate validation warning disable → Make certificate validation warning dismissible
Comment 1•11 years ago
With which version are you seeing this? 29/Aurora? And does it still happen if you connect in safe mode? I can't reproduce the "I understand the risks" section not appearing (that is, it appears fine here).
Flags: needinfo?(andershol)
Yes, Aurora version 29 (2014-02-15). I tried using the "Restart with Add-ons Disabled..." link in the Help menu (which leads to a "Start in Safe Mode" button), but I still did not see a button. The "Technical Details" foldout just has "isc.sans.edu uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)", not a button to see the certificate.
Flags: needinfo?(andershol)
Right-clicking the warning page and choosing "Inspect Element (Q)" reveals that the "I Understand the Risks" (id="expertContent") element has a hidden="true" attribute (causing the CSS on the page to hide it). But if I remove the attribute to display the item, expand the item, click the "Add Exception..." button and click "Confirm Security Exception", the warning page just reloads.
Updated•11 years ago
Status: UNCONFIRMED → NEW
Component: General → Security: UI
Ever confirmed: true
Product: Firefox → Core
It seems the button is hidden here (the "getCSSClass" function does return "badStsCert" on the test page): http://dxr.mozilla.org/mozilla-central/source/browser/components/certerror/content/aboutCertError.xhtml#88 The code, with the reference to "STS Spec section 7.3", was added in this changeset: http://hg.mozilla.org/mozilla-central/rev/5dc3c2d2dd4f#l1.12 referencing bug 495115. In bug 495115 comment 3 the draft spec is linked: http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html which states in section 7.3: "When connecting to a Known STS Server, the UA must terminate the connection with no user recourse if there are any errors (e.g. certificate errors) with the underlying secure transport (regardless of what header fields are in any response)." I guess the "with no user recourse" part is what is the issue here. The current version of the spec seems to be RFC 6797, which has no section 7.3, but talks about this in section "12.1. No User Recourse": http://tools.ietf.org/html/rfc6797#section-12.1 I think my user agent should obey me, not the IETF.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Updated•8 years ago
Product: Core → Core Graveyard
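The behaviour traced in the last comment, as an added example that is not part of the bug report and is not Firefox's code: a small model of how a user agent records a Strict-Transport-Security policy and then withholds the exception button on a certificate error for a known HSTS host (RFC 6797 sections 6.1, 8.2 and 12.1). The names `parseSts`, `StsStore` and `certErrorUi` and the host `example.test` are hypothetical; only the `badStsCert` class name comes from the page.

```javascript
// Added illustration, not Firefox source. All function and class names are hypothetical.

// Parse a Strict-Transport-Security header value; returns null if max-age is missing.
function parseSts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const part of headerValue.split(";")) {
    const [name, raw = ""] = part.trim().split("=");
    const key = name.trim().toLowerCase(); // directive names are case-insensitive
    const value = raw.trim().replace(/^"(.*)"$/, "$1"); // max-age may be a quoted string
    if (key === "max-age" && /^\d+$/.test(value)) policy.maxAge = Number(value);
    if (key === "includesubdomains") policy.includeSubDomains = true;
  }
  return policy.maxAge === null ? null : policy;
}

class StsStore {
  constructor() { this.hosts = new Map(); }
  // Call only for responses received over TLS with no certificate errors.
  noteHeader(host, headerValue, nowSec) {
    const p = parseSts(headerValue);
    if (!p) return;
    host = host.toLowerCase();
    if (p.maxAge === 0) this.hosts.delete(host); // max-age=0 forgets the host
    else this.hosts.set(host, { expires: nowSec + p.maxAge, includeSubDomains: p.includeSubDomains });
  }
  // Exact match, or a stored superdomain whose policy has includeSubDomains.
  isKnownHost(host, nowSec) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const entry = this.hosts.get(labels.slice(i).join("."));
      if (!entry || entry.expires <= nowSec) continue;
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }
}

// Which error-page variant to render: known HSTS hosts get no override ("no user recourse").
function certErrorUi(store, host, nowSec) {
  return store.isKnownHost(host, nowSec)
    ? { cssClass: "badStsCert", showAddException: false }
    : { cssClass: null, showAddException: true };
}
```

Because the override is refused by policy and not only hidden in markup, un-hiding the element by hand, as tried in the thread, does not change the outcome.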