TsukiZero
Making moves
Status: New idea

So to say, this whole deal of SEC_ERROR_EXPIRED_CERTIFICATE blocking access to the entire page is really dumb, and needs to be given the option to allow a particular exception or another through, without allowing or denying all.

For example, I went to access a site today whose certificate expired in LESS than twelve hours, and in an ideal world that would be given an exception.

I'm pretty sure you could at least do like Microsoft Edge and allow us to continue to the page:

[Screenshot attachment: TsukiZero_0-1673013482541.png]

10 Comments
Status changed to: New idea
Jon
Community Manager

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.

jscher2000
Leader

For an expired certificate -- here's a test page for quick reference: https://expired.badssl.com/ -- you should see an Advanced... button on the error page. Clicking that button provides more detailed information about the problem and a button allowing you to proceed to the page. If you do that, Firefox will save an exception for the certificate so it continues to be trusted on future visits (assuming it's not a private window).

Xerkus
Making moves

Firefox currently does not allow an exception for an expired certificate when HSTS is used. This entirely precludes the user from making a decision to accept the risk and proceed anyway.

For example, today the wiki.php.net certificate expired, among many other supporting websites, due to broken automated propagation of the renewed certificate to the related webservers. Until the process is fixed on the server side there is currently no way to access those pages with Firefox.

Upon closer inspection of the HSTS RFC I can see that it specifically declares a No User Recourse policy in https://www.rfc-editor.org/rfc/rfc6797#section-12.1

   Failing secure connection establishment on any warnings or errors
   (per Section 8.4 ("Errors in Secure Transport Establishment")) should
   be done with "no user recourse".  This means that the user should not
   be presented with a dialog giving her the option to proceed.  Rather,
   it should be treated similarly to a server error where there is
   nothing further the user can do with respect to interacting with the
   target web application, other than wait and retry.
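As an added illustration (not code from this thread or from Firefox), here is a small Python model of the RFC 6797 behaviour quoted above: it parses a Strict-Transport-Security header, decides whether a host is covered by a stored HSTS policy, and then applies the no-user-recourse rule when the certificate has expired. The stored entries, the example.test domain and the expiry timestamps are constructed sample data; wiki.php.net is used only because it is the host named in the thread.

```python
import datetime as dt
from collections import namedtuple

HstsPolicy = namedtuple("HstsPolicy", "max_age include_subdomains")

def parse_sts_header(value):
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).
    Returns None when the header is invalid (missing or duplicated max-age)."""
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        # any other directive is ignored, as the RFC requires
    return None if max_age is None else HstsPolicy(max_age, include_subdomains)

def is_hsts_host(host, known_hosts):
    """known_hosts maps a domain to its stored HstsPolicy. A host matches an
    entry exactly, or is a subdomain of an entry that set includeSubDomains."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        policy = known_hosts.get(".".join(labels[i:]))
        if policy is not None and (i == 0 or policy.include_subdomains):
            return True
    return False

def handle_cert_error(host, not_after, now, known_hosts):
    """Model of the user-agent decision the thread describes: an expired
    certificate on an HSTS host fails with no user recourse (RFC 6797 12.1);
    on a non-HSTS host the error page may offer an 'Advanced' exception."""
    if not_after > now:
        return "connect"
    if is_hsts_host(host, known_hosts):
        return "hard-fail"        # nothing to do but wait for the server fix
    return "offer-exception"      # user may add a certificate exception

def demo():
    """Constructed sample: two stored HSTS entries, one cert expired 11h ago."""
    known = {"wiki.php.net": parse_sts_header("max-age=31536000"),
             "example.test": parse_sts_header("max-age=600; includeSubDomains")}
    now = dt.datetime(2023, 1, 6, 12, 0, tzinfo=dt.timezone.utc)
    expired = now - dt.timedelta(hours=11)
    return {h: handle_cert_error(h, expired, now, known)
            for h in ("wiki.php.net", "docs.php.net", "a.b.example.test")}
```

Running demo() shows the asymmetry the thread complains about: the same eleven-hour-old expiry is a hard failure on the HSTS hosts but a bypassable warning on docs.php.net, which has no stored policy.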

WillR24
New member

Hopefully this is a bug rather than a feature that was intentionally implemented.

If it's a bug, I look forward to it being fixed.

If it's a "feature", it's absurd. The way it used to work was sufficiently obscure that it was impossible to bypass the warning accidentally. It's my computer, it's my risk. (And the certificate for the site that I will now have to access in Bing et al w/o my bookmarks etc handy just expired a day or two ago and I'm quite willing to take the risk). On the upside, this will force me to overcome inertia and try other browsers that seem to be far more popular now than FF has become!

IoanN85
New member

Yeah, don't treat us like babies, Mozilla. We are entitled to take risks with our own security. You need to allow us to bypass this thing.

Xerkus
Making moves

HSTS specification declares no user recourse policy as I highlighted above. There will not be a way to accept invalid certificate.

Strict transport security is not a default and enabled by website owner.

DVS75
New member

Yes, you have to use other browsers that are more user-oriented in these cases.

I have never had any issues opening sites with expired certificate and strict transport security.

If I understand what I am doing, then why do I need these barriers?

Jens_Hansen
New member

We really do need a feature or option for accessing sites like these.

In my case the web interface of an appliance is using Let's Encrypt and does not auto-renew in time, rendering me unable to access it and renew the certificate.

nartemenko
New member

1) Clear the cookies and cache of the website.
2) Follow the guide https://superuser.com/questions/1780337/let-firefox-accept-a-website-with-self-signed-certificate by Fee.

ABehrens
New member

@Xerkus RFC6779 says that all the features in section 12 are non-normative — they are described but they do not attempt to establish a standard. And section 12.1 says that errors when establishing a secure connection "should be done with no user recourse". The use of "should" rather than "must" means that this is recommended behavior, not required behavior.

So Firefox would still comply with RFC6779 if it allowed sites with expired certificates. Whether it should do so is a matter for discussion — I personally believe it should, with appropriate warnings of course.