MozillaZine

need to disable the invalid security certificate screen

User Help for Mozilla Firefox
plmuon
Guest
 

Post Posted December 30th, 2008, 2:59 pm

Hello,

In our company we have a proxy that verifies all ssl certificates and terminates the ssl connection itself (i.e. decrypts in the middle), then reencrypts and passes the website to the browser with its own certificate.
The reason is the policy that no end-to-end encryption through the proxy must be allowed without the company checking what is going on.

The irritating result with firefox is that every external ssl site results in an invalid security certificate screen.
For IE, they have reconfigured IE to not complain about invalid security certificates. This is OK, since the proxy does all the checking, and any site that is not OK is not accepted by the proxy at all.

Is there a way to just trust any ssl site and skip the certificate security checking in firefox? In this case this is OK because, as mentioned, the proxy already does the required checking.

Bluefang

Posts: 7847
Joined: August 10th, 2005, 2:55 pm
Location: Vermont

Post Posted December 30th, 2008, 4:38 pm

No. Just like in Firefox 2, you cannot disable SSL related errors, because they are security and privacy concerns. But you can try importing the certificate that is used by the company's proxy server.

Preferences -> Advanced -> Encryption -> View Certificates -> Servers -> Import

If you don't have the certificate, but you have already added an exception for a site, you can export that certificate and then import it back in.

I think that will solve the problem, but I'm not sure... this is, after all, a blatant breach of the SSL specification so I'm not sure how Firefox will behave.
There have always been ghosts in the machine... random segments of code that have grouped together to form unexpected protocols. Unanticipated, these free radicals engender questions of free will, creativity, and even the nature of what we might call the soul...

Guest
Guest
 

Post Posted December 30th, 2008, 5:23 pm

Still it would be nice to disable ssl related errors, since in this case (as mentioned) the proxy ensures that no true ssl related errors occur. I would like to have only a visual indication that something is suspect, but not to have to go through 1 screen and 5 mouseclicks all the time in order to accept the invalid certificates :(. It should be possible to have some about:config setting for that? The current method is much more intrusive than firefox 2 was I think. I can imagine the firefox developers don't want to be blamed when clueless users ignore ssl errors, but those that do have a clue should not have to put up with this. At least chrome, for example, requires only 1 confirmation mouse click in such cases.

I'll also try to import the company's proxy server certificate.

had_enough
Guest
 

Post Posted March 21st, 2009, 3:37 pm

Firefox is like a xxxxx nanny state now. Good luck getting anything done without having Firefox nag you to death.

It even BY DEFAULT sends every URL you visit to Google to check whether it's a phishing site/etc. Even if you never asked it to do that, and you know what the xxxx you're doing. You have to disable this behavior in Preferences>Security> "Tell me if the site..."

Here's an idea Mozilla, offer a secret "I know what the xxxx I'm doing" edition of Firefox that just SHOWS YOU THE PAGE YOU REQUEST, LIKE A WEB BROWSER. If I wanted to have a stupid app second-guessing every decision I make and slowing me down, I'd run Windows Vista and Norton Internet Security.

xxxx you, Firefox. I'm done using this crap. I guess it's Google Chrome and Safari from here on out.
Last edited by LoudNoise on March 21st, 2009, 3:40 pm, edited 1 time in total.
Reason: Language edit

LoudNoise
Moderator

Posts: 39132
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Post Posted March 21st, 2009, 3:41 pm

Edited for language.
Post wrangler
“It's tough to make predictions, especially about the future.”
― Yogi Berra

hardynic
Guest
 

Post Posted March 21st, 2009, 4:14 pm

The phishing filter NEVER sends any full URLs to Google. See here: http://www.getgooglechrome.net/2008/11/ ... lware.html
Google sends you a huge 50MB file of partial hashes of potentially bad websites. The websites you go to are hashed, and compared to the list. If there is a hit, a request is sent for a longer hash of each site matching the partial hash. Then, your browser compares the long hash of the site you are going to to the list of long hashes from google, and if it matches it warns you about the site. Only when the site you go to matches a partial hash (rare unless it is on the phishing list) is anything sent to google. And even then, the hash is not enough to prove that you actually went to any particular site.
A hash is like a CRC, or a checksum - it can't be reversed to recreate the original data, it is like telling the sum of all the digits in your phone number. It is enough to tell many phone numbers apart, but there is no way to take the sum and go back to the original phone number.

This is much better than how the IE phishing filter works, which as far as I can tell actually does send many URLs you go to to Microsoft. Microsoft sends you a list of popular, non-phishing sites. If the site you go to isn't on the list, it sends the URL to Microsoft, including sub-parameters which may give your username, what you were searching for, etc. This is done by SSL, so at least it is secure. Microsoft promises not to use the information to identify you, but there is always an exception in licenses like that where if a government agency asks them for data, they will hand it right over.
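The partial-hash lookup described in the post above, as an added example that is not part of the original thread and is not Firefox's or Google's code. It assumes SHA-256 hashes with a 4-byte prefix, skips URL canonicalization, and uses hypothetical names (`ListServer`, `Client`) and constructed sample URLs; the server is an in-memory stand-in that records everything a client sends it.

```python
import hashlib

PREFIX_LEN = 4  # bytes of each hash kept in the local list (assumed for this sketch)

def full_hash(url):
    # Real clients canonicalize the URL first; that step is omitted here.
    return hashlib.sha256(url.encode("utf-8")).digest()

class ListServer:
    """In-memory stand-in for the list provider; records what clients send it."""
    def __init__(self, bad_urls):
        self._full = {full_hash(u) for u in bad_urls}
        self.received = []

    def prefix_list(self):
        return {h[:PREFIX_LEN] for h in self._full}

    def full_hashes_for(self, prefix):
        self.received.append(prefix)
        return {h for h in self._full if h[:PREFIX_LEN] == prefix}

class Client:
    def __init__(self, server):
        self.server = server
        self.local_prefixes = set(server.prefix_list())  # bulk download

    def is_listed(self, url):
        h = full_hash(url)
        if h[:PREFIX_LEN] not in self.local_prefixes:
            return False  # common case: no network request at all
        # Prefix hit: ask for every full hash sharing it, decide locally.
        return h in self.server.full_hashes_for(h[:PREFIX_LEN])

def demo():
    # Constructed sample data.
    server = ListServer(["phish.example/login", "malware.example/dl.exe"])
    client = Client(server)
    benign = "bank.example/account?user=alice"
    clean = client.is_listed(benign)              # no prefix hit
    listed = client.is_listed("phish.example/login")
    # Force a prefix collision for the benign URL to show the false-hit path.
    client.local_prefixes.add(full_hash(benign)[:PREFIX_LEN])
    collided = client.is_listed(benign)
    return clean, listed, collided, list(server.received)

if __name__ == "__main__":
    print(demo())
```

In the returned tuple, the last element is everything the server ever received: two 4-byte prefixes and no URL, one for the listed site and one for the forced collision.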

Guest
Guest
 

Post Posted March 28th, 2009, 1:26 pm

And who protects us from Google? They use one of the most notorious malware ad servers on the internet.

catland88
Guest
 

Post Posted November 6th, 2009, 8:18 am

Sorry for the necropost, but I need help.
Every day I access the Facebook application server (by SSL, otherwise it doesn't work) about 80-90 times, and EVERY SINGLE ----ING TIME I have to add the exception again.
The cert is the same every time.
It's being rejected because it is registered for facebook.com, instead of APPS.facebook.com.
Is there any way I can get Firefox to remember the exception after I check the 'remember this exception' box, because it only forgets the exception for a site I visit more than any other sites combined?
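Why a certificate issued for facebook.com is reported as a name mismatch on apps.facebook.com, as an added example that is not part of the original thread and is not Firefox's code. It is a simplified sketch of RFC 6125-style matching against a certificate's DNS names; the function names are hypothetical and the name lists are constructed.

```python
def hostname_matches(pattern, hostname):
    """Match one certificate DNS name against the host the browser requested."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a name never covers deeper or shallower hosts
    if p_labels[0] == "*":
        # A wildcard stands for exactly one leftmost label and must sit
        # in front of at least two further labels (so "*.com" is rejected).
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial or non-leftmost wildcards are not accepted here
    return p_labels == h_labels


def cert_covers(dns_names, hostname):
    """True if any DNS name listed in the certificate covers the hostname."""
    return any(hostname_matches(name, hostname) for name in dns_names)


if __name__ == "__main__":
    # Constructed name lists for illustration.
    for names in (["facebook.com"], ["*.facebook.com"],
                  ["facebook.com", "*.facebook.com"]):
        for host in ("facebook.com", "apps.facebook.com"):
            print(names, host, cert_covers(names, host))
```

A certificate that lists both the bare domain and the wildcard covers both hosts, which is the server-side fix for this kind of mismatch.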

Bluefang

Posts: 7847
Joined: August 10th, 2005, 2:55 pm
Location: Vermont

Post Posted November 9th, 2009, 5:18 pm

Then you should contact Facebook and have them fix the problem.

gessel
 
Posts: 5
Joined: September 29th, 2010, 2:00 pm

Post Posted May 30th, 2011, 3:02 pm

No, firefox really, really should let users override SSL warnings. The theory that the SSL cert verifies that a site is who it says it is and that this matters to anyone at all or has any impact at all on security is predicated on the patently false premise that a statistically relevant number of users would see the difference between bankofamerica.com and bankoamerica.com. They don't. They won't. So give it up. SSL is useful for encrypting communication between client and server. But those of us not funded by multi-billion dollar VC funds can't send bags of cash to the cert mafia to "prove" (as if they actually checked) we are who we say we are.

But because SSL is the mechanism by which we both provide basic cryptographic security which is actually important and does actually prevent real losses and actually works, and is also used to "identify" web sites as being who they say they are to defeat, what? DNS poisoning? the whole system fails.

Not only is the valuable service of encrypted communication unnecessarily burdened, but users become completely inured to SSL failure warnings which are so common as to be meaningless and server-side SSL adoption is retarded by the Morton's fork between risking the privacy and security of user data, teaching users to override the idiotic nanny warnings from firefox, coughing up regular wads of cash for the cert mafia, or just telling people to stop using firefox until the SSL nannies come to their senses.

At the very, very least Firefox could ship with the CaCert.org and .mil root certs.

DanRaisch
Moderator

Posts: 107774
Joined: September 23rd, 2004, 8:57 pm
Location: Somewhere on the East Coast

Post Posted May 30th, 2011, 4:43 pm

gessel, you've posted to a thread that died more than 18 months ago. Please let these old, dead topics rest in peace.

Locking this due to the age of the original posts.
