
[INVALID] Can't accept self signed certificate bug

Posted: Wed Oct 05, 2011 7:55 am
by spawn
Hi

This is my first post here and I decided to do it because I believe I found an annoying bug.

The problem is as follows. When you visit a website with a self-signed certificate, FF presents you with the "Untrusted Connection" error page;
usually at the bottom there are two options that you can expand: "Technical Details" and "I Understand the Risks".

When the NoScript extension is installed, the "I Understand the Risks" option does not always appear. This happens even if you have Allow Scripts Globally enabled, effectively preventing you from viewing or accepting the self-signed certificate.

I verified this by disabling all other extensions and the problem still occurs, but when I disable NoScript the problem seems to go away immediately.
I say "seems to go away" because even with the extension installed and enabled it looks like the problem does not always occur.
I'm using NoScript 2.1.4 with FF7, and this has been happening for quite some time, for about 2-3 months I think.


Re: Can't accept self signed certificate bug

Posted: Wed Oct 05, 2011 3:36 pm
by dhouwn
spawn wrote:The problem is as follows. When you visit a website with a self-signed certificate, FF presents you with the "Untrusted Connection" error page;
usually at the bottom there are two options that you can expand: "Technical Details" and "I Understand the Risks".

When the NoScript extension is installed, the "I Understand the Risks" option does not always appear. This happens even if you have Allow Scripts Globally enabled, effectively preventing you from viewing or accepting the self-signed certificate.
For any site served over HTTPS with a self-signed certificate or just a particular one?

Re: Can't accept self signed certificate bug

Posted: Wed Oct 05, 2011 4:25 pm
by spawn
Hmm, good question. For now I was always trying to connect to a particular one (my server), but I will try to find some site with a self-signed cert and try to connect to it.
I will get back to you on this one by tomorrow morning when I get back to my workstation.

Re: Can't accept self signed certificate bug

Posted: Wed Oct 05, 2011 10:32 pm
by Giorgio Maone
spawn wrote:Hmm, good question. For now I was always trying to connect to a particular one (my server), but I will try to find some site with a self-signed cert and try to connect to it.
I will get back to you on this one by tomorrow morning when I get back to my workstation.
Are you also using HSTS?

Re: Can't accept self signed certificate bug

Posted: Thu Oct 06, 2011 7:52 am
by spawn
OK, for now I only found this site that has a self-signed cert: "https://www.pcwebshop.co.uk"
And it looks like it works okay on this one.
Giorgio Maone wrote:Are you also using HSTS?
Yes, I'm using HSTS.

When inspecting with Firebug I noticed two things.
1. <div id="expertContent" collapsed="true" style="display: none;">
Here style="display: none;" is added to this div element; how and from where, I don't have a clue.
2. When Firebug is enabled/opened, "I Understand the Risks" always appears as it should.

Re: Can't accept self signed certificate bug

Posted: Thu Oct 06, 2011 8:24 am
by Giorgio Maone
spawn wrote:
Giorgio Maone wrote:Are you also using HSTS?
Yes, I'm using HSTS.
That's the reason for the different behavior.
The HSTS specification dictates that no chance to accept a self-signed certificate must be given for HSTS sites.
What most likely happened is that you accepted the certificate "just for this session" in the past, hence HSTS could have been activated.
The next time the self-signed, not-yet-accepted certificate was seen, the site was already marked as HSTS, so the "don't accept" policy was enacted. Work-around: erase NoScript's HSTS database (NoScriptSTS.db in your profile folder) and start over, accepting the certificate permanently on first sight.
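The sequence Giorgio describes (first visit with the override offered, the host then recorded as an HSTS host, the override gone on the next visit, and the override back once the HSTS database is cleared) can be replayed against a small model of a user agent's HSTS store. The block below is an added example written for this thread; it is not NoScript's or Firefox's code. The host name, the Strict-Transport-Security header value and the timestamps are constructed for the illustration. The model follows the HSTS specification as published in RFC 6797: section 8.1 (the header is only noted when the connection had no secure-transport errors or warnings, which is why step 2 does not pin the host), section 8.3 (includeSubDomains matching) and section 12.1 (for a known HSTS host a certificate error terminates the connection with no user recourse). Step 3 shows what happens once the header has been recorded by any path, which is the state the thread ends up in, and it also shows that a subdomain becomes un-overridable when includeSubDomains is present.

```javascript
// Added example: a minimal model of how a user agent applies HSTS to
// certificate errors (RFC 6797 sections 8.1, 8.3 and 12.1). All names, hosts
// and header values are constructed; this is not NoScript's or Firefox's code.

// Parse a Strict-Transport-Security header value into {maxAge, includeSubDomains}.
// Returns null when the value is malformed (no max-age, a non-numeric max-age,
// or a directive repeated), which the spec says must be ignored.
function parseSTS(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const rawDirective of value.split(';')) {
    const directive = rawDirective.trim();
    if (!directive) continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (val && val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
    if (name === 'max-age') {
      if (maxAge !== null || val === null || !/^\d+$/.test(val)) return null;
      maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      if (includeSubDomains) return null;
      includeSubDomains = true;
    }
    // Unknown directives are ignored.
  }
  if (maxAge === null) return null;
  return { maxAge, includeSubDomains };
}

// The UA's store of Known HSTS Hosts: host -> { expires (ms), includeSubDomains }.
function createStore() { return new Map(); }

// Process one HTTPS response. `transportClean` is false when the TLS connection
// had any certificate error or warning, including one the user clicked through.
// RFC 6797 section 8.1: the STS header is only noted on a clean connection.
// Returns true when the store was changed.
function processResponse(store, host, headers, transportClean, now) {
  const sts = headers['strict-transport-security'];
  if (!sts || !transportClean) return false;
  const parsed = parseSTS(sts);
  if (!parsed) return false;
  if (parsed.maxAge === 0) {            // max-age=0 means "forget this host"
    return store.delete(host);
  }
  store.set(host.toLowerCase(), {
    expires: now + parsed.maxAge * 1000,
    includeSubDomains: parsed.includeSubDomains,
  });
  return true;
}

// Is `host` a Known HSTS Host, directly or via includeSubDomains on a parent?
// Expired entries are evicted on the way.
function isKnownHSTSHost(store, host, now) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length - 1; i++) {   // never match a bare TLD
    const candidate = labels.slice(i).join('.');
    const entry = store.get(candidate);
    if (!entry) continue;
    if (entry.expires <= now) { store.delete(candidate); continue; }
    if (i === 0 || entry.includeSubDomains) return true;
  }
  return false;
}

// What the UA does when the connection to `host` fails certificate validation.
// RFC 6797 section 12.1: a Known HSTS Host gets a hard failure with no
// click-through; any other host may get the usual "I Understand the Risks" override.
function onCertError(store, host, now) {
  return isKnownHSTSHost(store, host, now) ? 'terminate' : 'offer-override';
}

// Replay of the thread's scenario with constructed data.
function scenario() {
  const store = createStore();
  const host = 'selfsigned.example.test';                 // constructed host
  const hdr = { 'strict-transport-security': 'max-age=31536000; includeSubDomains' };
  const t0 = Date.now();
  const steps = [];
  // 1. First visit: self-signed cert, host not yet known, so the override is offered.
  steps.push(onCertError(store, host, t0));
  // 2. User accepts "just for this session"; the response carries an STS header,
  //    but a compliant UA ignores it because the transport had a clicked-through error.
  processResponse(store, host, hdr, false, t0);
  steps.push(onCertError(store, host, t0 + 1000));
  // 3. Once the header is recorded from a clean connection (or by an implementation
  //    that does not check for overridden errors) the host is pinned...
  processResponse(store, host, hdr, true, t0);
  steps.push(onCertError(store, host, t0 + 1000));
  //    ...and so is every subdomain, because of includeSubDomains.
  steps.push(onCertError(store, 'mail.' + host, t0 + 1000));
  // 4. Clearing the HSTS database (the work-around in the thread) restores the override.
  store.clear();
  steps.push(onCertError(store, host, t0 + 2000));
  return steps;
}
```

`scenario()` returns the decision at each step: override offered, still offered after the session-only acceptance, terminated once the host is pinned, terminated for the subdomain as well, and offered again after the store is cleared. The practical lesson for a server operator matches the thread: do not send Strict-Transport-Security until the site serves a certificate that validates cleanly, because once the header is noted there is, by design, no user-facing way past a certificate error short of clearing the HSTS store.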

Re: Can't accept self signed certificate bug

Posted: Thu Oct 06, 2011 11:15 am
by spawn
Thanks Giorgio, that was it; deleting the db solved this.
I suppose I should read the HSTS spec more carefully before implementing it on my server.
And it happened exactly as you said: basically I always accepted the cert as "just for this session" from this particular computer.

Then on the other hand, I suppose Firefox doesn't fully comply with the spec because it offers to accept a self-signed cert even when it already knows the site is an HSTS site.

Thanks for your time,
regards

Re: Can't accept self signed certificate bug

Posted: Thu Oct 06, 2011 3:17 pm
by dhouwn
spawn wrote:even when it already knows the site is an HSTS site.
Before the very first HTTP communication that's not the case.