HSTS Security Risk for Bsky.app?
Hello,
Since this morning, I haven't been able to access Bsky on my laptop because of a supposed HSTS risk, which means I can't add an exception to visit it. I use Firefox on my Android and going to the mobile version of the website lets me in no problem, so I assume there's an issue with my laptop.
I'd usually wait a few days and let it solve itself but just in case it's something on my end, I'd like to solve it! I'm on 151.0.4 (64-bit), don't use a VPN or an anti-virus, I have a couple of privacy add-ons but they've been here forever and they've never caused a fuss. I can post a screenshot of the error code and the certificate it sends me if it's any help.
I'd appreciate any pointers! Thanks!
All Replies (8)
Hi, since the site seems to load as expected from a few places I tried, this might be just a plain connection error in disguise. Would you try changing some of the settings in Configure DNS over HTTPS protection levels in Firefox — e.g. if it's disabled try enabling it for a bit or vice versa, if it's enabled change the provider selected or the protection level.
If you open the full https://bsky.app URL with the protocol specified like here, is the error the same or do you get a different wording? (Any "advanced" sections you can expand and paste the error here or attach an image?)
Thanks for answering, @jbr!
So the issue seems to... kinda have solved itself overnight - I have access to the website now (so much for the error code and advanced screenshot I promised... I should have sent them straight away!) but I can tell things are still wonky. For example, Bsky now tells me that I can't read videos because I "may be missing the required video codecs (H.264/AAC)". So I assume there's still something weird on my end.
I've tried bumping up the DNS protection, then turned it off - no noticeable change. I suppose the main issue got resolved so I could close the topic, but I'd be interested in knowing why that happened because I fiddle with settings sometimes and I'd rather not have carelessly broken something.
Thanks again for your patience!
Chosen Solution
Oh this is always kind of random. You inferred correctly the site publishes its global HSTS mandate — meaning nobody is supposed to load it insecurely. You might have run into a routing/networking error, perhaps closer to your end of the line or your provider than on the bluesky delivery side, and normally if, say, the secure port can't be reached, you'd end up with e.g. :80 to :443 upgrade or redirect which if not responding going back to the :80 originally tried if you omitted the full protocol etc. from the URL typed (and probably would get some form of connection error at that moment). This however is cut short with mandatory HSTS where instead of the downgrade if the :443 connection is unavailable, you'd get this verbiage — but it might just mean you weren't able to reach the site from your location at that moment. (I usually just recommend when this happens to change the DNS–over–HTTPS provider to a different endpoint, which might provide different datacenter resolution, and might get a fresh IP to connect to the service not responding in case of these big operators with anycast networks and kajillion clusters to get pointed at a different one…)
For the codecs you might wanna ask separately, these should be available, hopefully some of your addons are not disabling them — IIRC the only issue with these and missing HLS support is on Linux — your Windows should have all the support natively so normally, out of the box, this should just work. (You can always try to verify restarting into Troubleshoot Mode or seeing what a new test Profile would yield, to eliminate any addon/pref impact.)
Hi,
Thank you very much for the detailed explanation, that's actually very helpful! I know next to nothing about network issues so that's fascinating knowledge to me. I'll keep the DNS trick in mind if it ever happens again.
I'll consider the post closed for now, and ask somewhere else about the codecs if it keeps being a nuisance. Have a great day!
Sure thing! If the video error doesn't go away after restarting or some cleaning up or trying private tabs etc. please just open a separate question — its summary will draw the right people to try to reproduce on a similar configuration and see how it looks for them.
(My trick for this kind of issue is to download a separate Firefox Nightly from nightly.mozilla.org that comes with its own isolated profile — and try to see if the same happens there. It may help confirm whether something's unavailable on the system, or the culprit might have been just in addons or profile history interfering. It's kind of a "clean slate" to have on the side for comparison.)
Oh I also quickly checked the attached log to verify the two codecs mentioned are available for you:
H264 SW, VP9 SW, VP8 SW, AV1 SW, HEVC NONE, AAC SW, MP3 SW, Opus SW, Vorbis SW, FLAC SW, Wave SW
so you're only potentially missing the HEVC one, for details see bugzilla.mozilla.org/hevc-windows-support — but that doesn't seem like the error they're showing. So hopefully this will resolve itself for you just over time.
Hi jbr!
Thanks for taking the time to do this! The issue solved itself, at least it seems that way so far... In all honesty it might have been entirely my fault - I read about some settings you could fiddle with to get videos to load while paused on Youtube (media.cache readahead and threshold + media.mediasource), but it also drastically changed the available quality of videos so I ended up going back. Maybe that was the main problem.
Thanks again though, I appreciate your thoroughness!
Glad it works now! (Yeah the Bsky video error message might have been just a best guess on their side, the media source list could have gotten restricted with some legacy prefs so they had no match with present–day media and the verbiage was just too distantly related to the real issue. Great you got it back to working shape, nice job!)