This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Support
Support
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Allow sites with Expired Certificate to be accessed and given temporary exception

TsukiZero
Making moves
‎01-06-2023 05:58 AM
Status: New idea

So to say, this whole deal of SEC_ERROR_EXPIRED_CERTIFICATE blocking access to the entire page is really dumb, and needs to be given the option to allow a particular exception or another through, without allowing or denying all.

For an example, I went to access a site today whose certificate expired in LESS than twelve hours, and in an ideal world that would be given an exception.

I'm pretty sure you could at least do like Microsoft Edge and allow us to continue to the page:

TsukiZero_0-1673013482541.png

 

Comment
9 Comments
Status changed to: New idea
Jon
Community Manager
Community Manager
‎01-06-2023 06:06 AM
‎01-06-2023 06:06 AM

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.

jscher2000
Leader
‎01-16-2023 09:40 AM
‎01-16-2023 09:40 AM

For an expired certificate -- here's a test page for quick reference: https://expired.badssl.com/ -- you should see an Advanced... button on the error page. Clicking that button provides more detailed information about the problem and a button allowing you to proceed to the page. If you do that, Firefox will save an exception for the certificate so it continues to be trusted on future visits (assuming it's not a private window).

Xerkus
Making moves
‎09-11-2023 07:10 PM
‎09-11-2023 07:10 PM

Firefox currently does not allow an exception for expired certificate when HSTS is used. This entirely precludes user from making a decision to accept risk and proceed anyway.

For example, today wiki.php.net certificate expired among many other supporting websites due to broken automated renewed certificate propagation to related webservers. Until process is fixed on the server side there is currently no way to access those pages with Firefox.

Upon closer inspection of HSTS RFC I can see that it specifically declares No User Recourse policy in https://www.rfc-editor.org/rfc/rfc6797#section-12.1

   Failing secure connection establishment on any warnings or errors
   (per Section 8.4 ("Errors in Secure Transport Establishment")) should
   be done with "no user recourse".  This means that the user should not
   be presented with a dialog giving her the option to proceed.  Rather,
   it should be treated similarly to a server error where there is
   nothing further the user can do with respect to interacting with the
   target web application, other than wait and retry.
WillR24
New member
‎01-18-2024 10:35 PM
‎01-18-2024 10:35 PM

Hopefully this is a bug rather than a feature that was intentionally implemented.

If it's a bug, I look forward to it being fixed.

If it's a "feature", it's absurd. The way it used to work was sufficiently obscure that it was impossible to bypass the warning accidentally. It's my computer, it's my risk. (And the certificate for the site that I will now have to access in Bing et al w/o my bookmarks etc handy just expired a day or two ago and I'm quite willing to take the risk). On the upside, this will force me to overcome inertia and try other browsers that seem to be far more popular now than FF has become!

IoanN85
New member
‎01-27-2024 10:59 AM
‎01-27-2024 10:59 AM

Yeah, don't treat us like babies, Mozilla. We are entitled to take risks with our own security. You need to allow us to bypass this thing.

Xerkus
Making moves
‎01-28-2024 09:10 PM
‎01-28-2024 09:10 PM

HSTS specification declares no user recourse policy as I highlighted above. There will not be a way to accept invalid certificate.

Strict transport security is not a default and enabled by website owner.

DVS75
New member
‎02-27-2024 03:47 AM
‎02-27-2024 03:47 AM

Yes, you have to use other browsers that are more user-oriented in these cases.

I have never had any issues opening sites with expired certificate and strict transport security.

If I understand what I am doing, then why do I need these barriers?

Jens_Hansen
New member
‎03-26-2024 08:09 AM
‎03-26-2024 08:09 AM

We really do need a feature or option for accessing site like these.

In my case the web-interface of an appliance is using Let's Encrypt and does not auto-renew in time, rending me unable to access and renew the Certificate.

nartemenko
New member
‎07-18-2024 01:24 AM
‎07-18-2024 01:24 AM

1) Clear cookies and cash of the website.
2) Follow guide https://superuser.com/questions/1780337/let-firefox-accept-a-website-with-self-signed-certificate by Fee.

Copyright © 2024 Khoros, LLC