There are still many sites/devices either using pure HTTP, or using HTTPS with self-signed (and, usually, expired) SSL certificates.
Before telling me it's time to replace those antiques with something modern:
- HTTP site may be run by someone who doesn't plan to use HTTPS, and/or ignores such inquires
- HTTPS-using device may be impossible to replace (and they aren't always that ancient)
So please tell me whether my assumptions are correct.
1. HTTP-only sites. There's no way to override FF 57 behavior on refusing posting data (at least password fields) over HTTP.
Possible workaround: creating HTTPS front-end that uses HTTPS and passes requests to underlying HTTP site.
2. HTTPS-sites using invalid SSL certificates: there's no way to override FF 57 behavior of refusing opening such sites.
I'd like to understand whether I have to use older FF versions (such as ESR) or different browsers (those allowing forcing browser to use protocol user chooses and/or ignoring SSL-related errors).
Please don't tell me of security risks etc etc etc. I know there are; the reality, however, can force to live with devices that do not comply with security ideals observed by FF developers.
Post-Quantum fate of HTTP-only and invalid HTTPS
-
- Posts: 4
- Joined: October 14th, 2012, 3:08 am
-
- Posts: 4480
- Joined: March 19th, 2005, 10:51 am
Re: Post-Quantum fate of HTTP-only and invalid HTTPS
1 firefox dont refuse sending passwords over http - its just a message that sending over http is not secure. too complicated?
2 ofc, just set exclusions if possible.
for more go https://support.mozilla.org/ please.
2 ofc, just set exclusions if possible.
for more go https://support.mozilla.org/ please.