Mozilla Connect

The problem is that the HSTS spec is malicious by design: The "No User Recourse" provision is a violation of the implicit contract between a user and their web browser, that the browser is a "user agent" working on behalf of the user. Without a way to say "I know what I'm doing, load this website", the browser has decided to be controlled by the website, not by the user.

Arguably, the ideal case is someone should amend the HSTS spec to remove the malicious provision, but at minimum, Mozilla needs to stop being the literal only browser refusing to prioritize the user's rights over a server's demands. The fact *Google and Microsoft* are following users' rights better than Mozilla here is astounding.

@ocdtrekkiei disagree. In this situation, the browser isn't controlled by the website, it's controlled by a failure to properly secure the connection. The website isn't saying, "Stop me from loading." Firefox is stepping in to protect the user. If you want to argue it's not the browser's job to automatically act on behalf of the user, turn off your firewall, antivirus, swap file, crash recovery, etc. because those all act automatically to protect the user.

Mozilla is currently pushing away loyal users who used FireFox since years,
many of them are developers that NEED Bypass options even if something
at the remote host is insecure. Therefore:

STOP FORCE-PATRONISING USERS ON INSECURE TLS CONNECTIONS!

ALLOW BYPASS, NOW !!!

Thanks.

@cautionbug 

> If you want to argue it's not the browser's job to automatically act on behalf of the user, turn off your firewall, antivirus, swap file, crash recovery, etc.

Yes, that's the point. We can turn all those things off when needed. The same should apply to HSTS.

Currently I'm trying to read a blog post, something that doesn't require the confidentiality provided by tls, but I'm unable to because the server is on the preload list and is serving a certificate that has expired A YEAR AGO. So now, instead of going about my business after acknowledging the expiration of the certificate, I have to jump hoops by spinning up a proxy that intercepts firefox's traffic and serves the website with a certificate created on the fly by a custom CA even though I fully understand what tls is and the "risks" associated with visiting a site with an expired certificate.

Btw really smart, you can't add an exception with about:config for a single site because muh security but installing a new CA for any site (which obviously keeps the padlock happy) is in about:preferences.

Yeah, this is definitely one of those cases where a bad and malicious spec is actually making people less safe, and ultimately causing them to go use a different web browser sometimes just to view plain HTML pages they know and trust the content of. This needs to get fixed, and it needs to stop getting ignored or punted by Mozilla staff.

They won't do anything mate; They don't understand nor listen and are very stubborn (just read the comments).

I'm still using and liking Firefox but it's saddening to watch the devs not seeing the big picture and the risk of disabling security for the whole browser instead of just one website for just once.

I still have a bit of hope though, if one of them is reading all our messages about this subject.

>> If you want to argue it's not the browser's job to automatically act on behalf of the user, turn off your firewall, antivirus, swap file, crash recovery, etc.

>Yes, that's the point. We can turn all those things off when needed. The same should apply to HSTS.

You quite literally can, by following the directions given on the fifth reply to this post

Is there really no way to disable this, even temporarily?! I am a sysadmin and I NEED to be able to override things from time to time.
No wonder devs and coders are switching to Edge....
I refuse to give up Firefox, but you folks sure are making others want to.

@industrial6: yes, back on the first page there were a couple of ways given to disable this temporarily

https://connect.mozilla.org/t5/ideas/allow-firefox-to-bypass-hsts-errors/idi-p/163#M15411

(note: since that answer the profile storage has migrated from SiteSecurityServiceState.txt to SiteSecurityServiceState.bin and you won't be able to delete individual lines. That option will require blowing away HSTS information for all domains.)

There was a time when FF was considered a developer-friendly browser.  Now it has morphed into a "nanny" browser.

Between the HSTS labyrinth and Zendesk's perpetually broken support for FF, I'm moving on after 13 years.

This is unacceptable. I've used Firefox for 20 years.

I know it is a security risk. I don't care. Let me bypass HSTS on a case-by-case basis.

Don't make my permanently change security settings in `about:config` which I will inevitably forget about, leaving my browser permanently less secure.

Let me bypass HSTS on a case-by-case-basis.