
Support Forum

Is there a way to disable the HSTS (HTTP Strict Transport Security) list built into Firefox or to allow exceptions?


HSTS is problematic in that it incorrectly assumes that all users trust the default list of CAs and makes the adding of exceptions impossible even by advanced users.

For example, torproject.org is inaccessible on Firefox unless I am willing to trust DigiCert to never sign a fake certificate either by negligence or by court order of any country in which they operate, thereby making every https: site (not just torproject.org) vulnerable to a MITM attack.

A user disabling CAs in the browser is not unreasonable given the ever growing list of CAs built into Firefox (each one a potential point of failure), the number of CAs that have been recently compromised and the very low standards required to obtain a certificate.

While I understand the desire to protect the average user who doesn't understand how certificates work and will click past warnings without reading them, this protection should not come at the expense of more security conscious users.

I would recommend an about:config setting that would allow the creation of exceptions by users who explicitly choose to do so.

So far the only kludge I have been able to come up with is to modify c:\program files\mozilla firefox\xul.dll with a hex editor and replace the sites on the list (this is far from an ideal solution).


Additional System Details

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.0; rv:17.0) Gecko/17.0 Firefox/17.0


dumdidadida 172 solutions 1436 answers

Hi,

It could be because the Tor project doesn't provide an HTTP version of the site. For sites with an equivalent HTTP version you can also try to manually fill in the site, or if the autocomplete completes the address, press the right arrow once, followed by Backspace and Enter.


dumdidadida: Thanks for your reply, but it doesn't address the problem. HSTS is designed to FORCE the use of https, this is a good thing in most cases. However, HSTS is problematic in that it incorrectly assumes that all users trust the default list of CAs and makes the adding of exceptions impossible even by advanced users.

torproject.org is just an example; this affects every HSTS site. You can reproduce this problem yourself in version 17 or later if you temporarily disable "DigiCert High Assurance EV Root CA" in your certificate store and then visit torproject.org. You will notice the ability to add exceptions has been removed and that the cert_override.txt file found in the user's profile is also ignored.

dumdidadida 172 solutions 1436 answers

If the site certificate (https://www.torproject.org/) is added prior to visiting the site via Tools (Alt + T) > Options > Advanced > Encryption > View Certificates > Servers > Import, then it seems to work. Also, on the same screen, you also have to Edit Trust and Trust the authenticity of this certificate (Tor), while leaving the Firefox built-in CA bit as is (untrusted/deleted).

HSTS standard

Question owner

dumdidadida: Thank you for your help.

Your workaround was effective. What I had been doing successfully until version 17 was to create exceptions in cert_override.txt by means of adding something like

www.torproject.org:443 OID.2.16.840.1.101.3.4.2.1 23:B8:54:AF:6B:96:C0:22:4F:D1:73:38:2C:52:0B:46:5A:94:F2:D4:E7:23:88:93:F6:3A:D2:D7:83:E2:7B:4B U

It now seems as though Firefox chooses to ignore exceptions made in cert_override.txt for HSTS sites, but will still honor them if they are made in cert8.db. This seems like an odd behavior to me.

I will do some more experimenting.

As for section 12.1 of the HSTS specification, I believe this is a good idea for most users and should be on by default, but advanced users should still have the ability to disable it via about:config but not through the normal options menu. In my opinion this approach would be just as much in compliance with the specification as allowing exceptions via cert8.db.

Modified by strange
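The cert_override.txt entry quoted in the post above has four columns: host:port, the OID of the fingerprint hash (2.16.840.1.101.3.4.2.1 is SHA-256), the colon-separated fingerprint, and one-letter flags. As an added example that is not part of this thread or of Firefox itself, the Python below parses such entries and reports which overrides carry the U flag, i.e. which ones bypass issuer validation; the second sample entry is constructed, the flag meanings (M mismatch, U untrusted issuer, T invalid time) follow Firefox's convention, and real files may carry a trailing database-key column, which this parser ignores.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Hash OID used in the fingerprint column; only SHA-256 is handled here.
HASH_OIDS = {"OID.2.16.840.1.101.3.4.2.1": "sha256"}

# Override flag letters: M = hostname mismatch, U = untrusted/unknown issuer,
# T = certificate expired or not yet valid.
FLAG_MEANINGS = {"M": "hostname-mismatch", "U": "untrusted-issuer", "T": "invalid-time"}

# Constructed sample file: the first line is the entry quoted in the thread,
# the second is a made-up entry that only overrides a hostname mismatch.
SAMPLE = """# PSM Certificate Override Settings file
www.torproject.org:443 OID.2.16.840.1.101.3.4.2.1 23:B8:54:AF:6B:96:C0:22:4F:D1:73:38:2C:52:0B:46:5A:94:F2:D4:E7:23:88:93:F6:3A:D2:D7:83:E2:7B:4B U
intranet.example.test:8443 OID.2.16.840.1.101.3.4.2.1 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF M
"""


@dataclass
class Override:
    host: str
    port: int
    hash_alg: str
    fingerprint: str
    flags: str

    def bypasses_issuer_check(self) -> bool:
        return "U" in self.flags

    def describe_flags(self) -> List[str]:
        return [FLAG_MEANINGS.get(f, f"unknown({f})") for f in self.flags]


def parse_override_line(line: str) -> Optional[Override]:
    """Parse one line; blanks and '#' comments yield None. Extra trailing columns are ignored."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 4:
        raise ValueError(f"expected at least 4 fields: {line!r}")
    hostport, oid, fingerprint, flags = fields[:4]
    host, _, port = hostport.rpartition(":")
    if oid not in HASH_OIDS:
        raise ValueError(f"unsupported fingerprint hash OID {oid}")
    return Override(host, int(port), HASH_OIDS[oid], fingerprint.upper(), flags)


def fingerprint_from_der(der: bytes) -> str:
    """SHA-256 of a DER certificate in the colon-separated uppercase form the file uses."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def audit(text: str) -> List[Override]:
    """Return only the overrides that replace issuer (CA) validation with a pinned fingerprint."""
    entries = (parse_override_line(raw) for raw in text.splitlines())
    return [e for e in entries if e is not None and e.bypasses_issuer_check()]
```

Running audit() over a real profile's cert_override.txt lists exactly the hosts for which a CA-chain failure is being accepted on the strength of a pinned fingerprint, which is the set worth reviewing after a browser upgrade changes how such overrides are honored.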

dumdidadida 172 solutions 1436 answers

Chosen Solution

This seems to work: right-click > New Integer (name test.currentTimeOffsetSeconds and value e.g. 11491200 or greater) in about:config. You may also have to Clear Now the Cache and Active Logins with Time range to clear set to Everything via Tools (Alt + T) > Clear Recent History.

about:config Entries

The Config Descriptions add-on adds helpful source comments in about:config.


Modified by dumdidadida

Question owner

dumdidadida: Thanks again. Setting test.currentTimeOffsetSeconds worked for me. Although comment 6 makes me a little nervous.

"Potentially, we will be able to use this same pref for testing certificate expiration stuff and other things in the future."

dumdidadida 172 solutions 1436 answers

You're welcome :) I don't know what it could be. But one thing is that it'll be in the open :) and we (users) can always propose changes/amendments to Mozilla in consonance with the current standards. Please note that it is also possible to CC yourself on this and other lists to keep up to date on the developments.