unwanted force HTTPS

[Sal O'mander]

Hi, just wanted to report a bug. Was on the forum site and wanted to see if it could be served via HTTPS so i stuck the "s" in th url bar and it redirected to the nothing that it would redirect to. After that i could not get any attempt to go to any page in the forums NOT to attempt HTTPS. I checked in NoScript options (had i been mentally absent and added an entry there?--No). Restarted FF twice but still had the problem. Disabled the Perspectives extension (since it had been invoked by the redirection) but the problem was still happening.

Anyway, went snooping under the hood and found the following entry in noscriptSTS.db:
forums.informaction.com;1453952648;
Deleted it and the problem disappeared. But really i have no idea how it got there in the first place...
Was the problem in my machine or on the forum server?

All's fine now... ...

[Giorgio Maone]

If you did not accept the invalid certificate, it's a bug.

[dhouwn]

I can reproduce this on Firefox 4. Two make me wonder:

• Why is NoScript's implementation still active when there's a native one?
• Why is there even an option for ignoring an invalid certificate? I thought it was explicitly mentioned in the spec that the user should not be given an the option on sites using HSTS?

[Giorgio Maone]

I can reproduce this on Firefox 4. Two make me wonder:

• Why is NoScript's implementation still active when there's a native one?

It will be removed before Firefox 4 final

Why is there even an option for ignoring an invalid certificate? I thought it was explicitly mentioned in the spec that the user should not be given an the option on sites using HSTS?

If you're connecting with the site for the first time, the certificate gets served before any HTTP-level communication can occur, i.e. before the STS header can be seen.
At that stage, you may accept an invalid certificate explicitly, thus making it a valid certificate, which will enable HSTS.

The spec says that after HSTS is enabled (i.e. the header has been seen first time with a valid, even if made valid by user action, certificate), no chance should be given to user to accept further invalid certificates.

Are you observing anything different than the above?

[Sal O'mander]

If you did not accept the invalid certificate, it's a bug.

Did accept the certificate--not directly but via the Perspectives extension. It's set to only accept the certificate temporarily, so after the browser closes the info is wiped and the certificate has to be re-accepted the next time FF is opened and the site is visited again.

after HSTS is enabled (i.e. the header has been seen first time with a valid, even if made valid by user action, certificate), no chance should be given to user to accept further invalid certificates.

Have just been experimenting and induced the same situation as in the first post. Perspectives still automatically accepted the invalid cert. and then after shutting down the browser, reopening, and coming to the forum (via http), the invalid cert page came up again automatically (dute to the HSTS forwarding to https). From the above quote it seems this should not be happening. Is the right or did i misunderstand?

The invalid cert then invoked Perspectives, which again accepted the cert. It doesn't seem this issue has anything to do with Perspectives---checked to make sure the cert was gone after re-opening the browser and before heading to the forum.