Discussion about official Mozilla Firefox builds
That's due to bug 327181. The intention is that it should be quite difficult to work around invalid/expired/etc. certificates, thus there's not even a switch in about:config. See https://bugzilla.mozilla.org/show_bug.cgi?id=327181#c115 for how to get past that warning for a single domain, though.
I can tell you this bug 327181 in it's current state would be enough for the common user to go back to the Evil Empires IE or another browser so they do not to have to try and find a work around! just my 2cents.
Firefox/Thunderbird Is the Best!!!! Most of the time
Strange, this site is blocked by Minefield, but IE 7 on Vista HP allows it to load:
How is that 'parity' ? I really don't understand all this stuff much.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9a9pre) Gecko/2007100804 Minefield/3.0a9pre Firefox/3.0 ID:2007100804
EDIT: Bug filed: https://bugzilla.mozilla.org/show_bug.cgi?id=399019
Littlemutt, neither do I @ understanding this stuff that much. But while it appears IE is being the 'cool' parent, Firefox is being the strict parent going 'Don't do as you saw, do as I say'. Lead by my example, don't take shortcuts and so on.
It's like we're trying to teach websites that establish themselves in this manner or have lazy webmasters that don't renew expired certificates that they get a 'time out'... permanently... until they clean up their act. So maybe this is another 'zero tolerance' policy we're implementing much like the new security for addons, where addons on the web & previously saved/archived addons can not be installed due to missing a [SSL] httpS url (yes, I know of the pref - But a exception needs to be made for not checking locally saved files into a longterm solution).
Current: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b2pre) Gecko/2007112000 Minefield/3.0b2pre
For kicks: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:18.104.22.168) Gecko/20060728 Firefox/22.214.171.124
The bug has been marked 'INVALID', but something still seems to be amiss when the site works if you visit godaddy.com first - how are we the end user supposed to know that?
EDIT: well now the bug has been reopened and the discussion continues.
New bug filed: https://bugzilla.mozilla.org/show_bug.cgi?id=399045
which has some interesting turns as well.
I hate to think if this is not 'fixed' or something, the number of complaints about sites working one time and not the next, then suddenly working again just because you visited some site that got it 'right'. Yikes!
Yeah, so the original bug 399019 is now marked Tech Evangelism ("webmaster fix your server"), and a new bug 399045 was filed to make it so visiting GoDaddy first will not validate the cert (which makes sense).
This business of giving no override dialog is based on the reasoning that 95% of users always click OK. On the other hand, wouldn't that 5% be enough of a user base to alert the webmasters and/or fraud authorities what is going on? So maybe that's not protection enough, and no warning dialog is harsh enough. Type in "I agree" here... that kind of thing?
What are the scenarios for a bad guy faking a cert? The ones I can think of are a phishing email or a XSS frame.
Cheap certs don't verify the business info anyway, and they will validate fine. Mainly SSL just gives you encryption, and a sanity check on whether the servers have been hijacked since the last time you visited the site.
One would hope people associate firefox with secure browsing, and so if firefox denies them access to a site on security grounds, they should take note and do without that site. If they go to the site in another browser then I would hope they realise they are taking a risk.
Give a big nasty error. Make it really scary. Offer to spam the webmaster with hate filled emails. Whatever. If someone wants to continue on to a site at that point, they should be able to. Firefox is a web browser not a nanny.
Last edited by DanRaisch on January 31st, 2012, 5:49 am, edited 1 time in total.
Reason: Edited for language.
But how can I "take the risk" if I want to? I want to access a site I can definitely trust although it doesn't have a valid cert. How can do that with new build now?
Zeniko's already mentioned that the work-around is in bug 327181 comment 115.
Out of the box, firefox 2 protects its users against phishing. Firefox 3 will also protect its users from malware and now also from such dodgy security certs. The fact is most* of our users need protected from themselves when it comes to surfing the web because they can't tell the difference between a good site and a bad site.
(*obviously not clever people like you who know what a browser is, an internet is, a security certificate is, and can make judgements based on technical information the browser may present to you. I'm talking about the 95% of our new-fish users who don't care about computer crap and just want to surf the web safely.)
If a website can no longer be accessed, then the webmaster should use a valid cert on a properly configured server, or not use SSL at all. Otherwise, what is the point of it?
Anyway, there's plenty of discussion on the newsgroups and in bug 327181 if you want to understand the thinking behind this, and there's a work-around; and i guess it's something an extension might be able to add back into firefox, if you really deal with sites with dodgy certs so regularly.
Also, how am I supposed to get the webmaster's email address if I can't even read the page, anyway? (If anyone says "webmaster@domain rfc blah blah blah," I am familiar with it, but it pretty much never works)
* I think there is a big difference between pure "computer security" issues and being the "information police" or something. Plenty of reputable SSL certificate owners tell lies all the time, and I think it is something that the computer illiterate everyman is already familiar with, and firefox doesn't enter that equation.
To say nothing of not being able to access said site and the 'Report Broken Web-Site' function. Launching the report will not allow an insert of a bad URL.
Gets more Catch-22 all the time.
I don't know what you mean by this, do you have steps to reproduce? If i go to such a site, eg https://pdn.palm.com/ or http://server.scottellis.com.au/ and then Help > Report Broken Website, the Web Site URL is populated with the correct address for me.
Well, now I can't get it to fail. Was getting a URL yesterday not even related to the failed cert site.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9a9pre) Gecko/2007101005 Minefield/3.0a9pre Firefox/3.0 ID:2007101005
Who is online
Users browsing this forum: Grantius and 1 guest