Security issues with access to IP adress
I have seen many references to this problem that Mozilla does not seem to want to fix.
I have to log in to my (remote) server regulary using the server IP address - there is not a domain name.
Every time (cookies/history always cleared on exit) it presents the message "Warning: Potential Security Risk Ahead" and then have to click advanced then accept the risk. Under previous versions I use, this could be stored so you do not have to go thrugh this process EVERY time on logging in to the server.
Everyone knows you can NOT assign a security certificate to an IP address so why does Mozilla not take this into consideration?
Will they change this in future versions?
Is there a work around (no config changes seem to work or chrome changes)
rgds JR UK
All Replies (8)
This belongs in regular Firefox. I would suggest you open a bug.
Thanks Mike, but not sure what you mean by "regular firefox"!
This is on the latest ESR version and I have seen comments somewhere that this is a new "security check" and you can no longer bypass it!
I can understand a domain if the security certificate doesn't match theweb domain - great to block it - but as an IP can NOT have a security Certificate this is a major problem.
Just using Firefox to access our interal network IP adresses (web cameras etc) AND our local servers AND our remote web hosting servers, this gets asked every single time we look anywhere. For our security we do not keep cookies or similar between sessions.
I am not sure why the developers have taken this path as defeats the object of us using Firefox ESR!!!
Any clues as to where to get answer and get theis so called feature removed - you used to be able to store "exceptions" in the config settings but this option has been removed
rgds
I meant that is it not an enterprise specific function, so it doesn't belong in the enterprise section of SUMO.
And this is really more of a bug than a support request, so you should open a bug here:
If you click "Accept the Risk and Continue", the exception is stored and you won't be asked again.
You can verify this by looking at the file cert_override.txt in your profile.
I checked this by visiting https://93.184.216.34/ and accepting the risk (It's example.com) and it worked.
So there is no checkbox because it's not needed anymore.
I don't believe clearing history/cookies clears this file, but I'll check.
Is it possible something else is deleting the file?
Thanks for your reply. The browser does indeed ut the exception in cert.....txt but when the browser closes, it rewrites that file as a blank file.
Have removed the "clear site data on exit" so says Firefox will not delete this but still writes a blank cert...txt file.
After this seesion I will try and make the file read only and see what happens!
John
Hurrah!!!
A work around, BUT, making the certoveride.txt read only after accepting the exception works!!!!!!
Might help others. Just have to temp make it r/w if you want to add another certificate
John
Hi John, I haven't researched what causes Firefox to clear certificates from the file, but if you have Firefox set to clear "Site Settings", that one clears customizations such as site-specific zoom level and various site permissions/exceptions (such as pop-up permission, cookie exceptions), so maybe it's that one.
Just to close the loop here (I know it's been a while), I have verified that it is definitely Site Settings that clears this from cert_override.txt.