Hi Daneelro3,

Thank you for your question, I understand that there is difficulty with creating a certificate that is not allowing Twitter, I have asked the security irc channel for more information for troubleshooting this and will be back shortly with more information.

Twitter uses HSTS. It would prevent adding an override. If so, what needs to happen there is for the root certificate the company is using to be installed and trusted in the certificate db. I hope this helps.

Thank you for looking into this!

I'm only barely familiar with the whole certificates and SSL business, so some questions on your suggestion for clarification:

1. Is this something I can do on my computer, or something that would have to be done on the company server?
2. Is the root certificate you speak of Twitter's or my company's?
3. Can you give (or link to) step-by-step instructions on this certificate installation?

Also, why does this happen with Firefox but not IE9? Does Mozilla view this as a security loophole in IE9?

Daneelro3,

I am not sure, I think it just has different features for certificates.

1. The certificate would be local to the certificate db in Firefox. I believe you can find that in key3.db. The tool you can use is the certificate database tool linked here: https://developer.mozilla.org/en-US/d.../NSS_Tools_certutil Its "man page" is here: https://developer.mozilla.org/en-US/d.../NSS_tools_:_certutil
2. It is your certificate, not Twitter's certificate.
3. I am not entirely sure of the steps, but I am happy to take a hack at it.

 See if the NoScript Firefox extension works as well, this was said to support the redirection nature of the HTTPS that is a result of HSTS.(I think) You might be interested in the RFC about it http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02 see "Server Implementation Advice" and "UA Implementation Advice" in section 9.

And this is the issue http://mozilla.6506.n7.nabble.com/HSTS-preload-list-td271152.html

Previous work around: And then I found this: https://support.mozilla.org/en-US/que.../942924 manually changing the timeout, but I do not think this is secure. There is not a very secure way of doing this.

So in conclusion: (after talking to the #security channel :-) )HSTS is set by Twitter's servers doesn't allow users to override connections that are invalid, bot untrusted and invalid. Starting a new profile and disable HSTS preload list (which is not a wise security decision) the about:config is "network.stricttransportsecurity.preloadlist"

You could also: could use a hsts preload disabled profile, install his own CA, then MITM using a cert from that CA. Or to add the add the certificate that issued the MITM certificate to the trust db with the tool mentioned above. geekboy 11:35 the pref to toggle is network.stricttransportsecurity.preloadlist I think I asked

The Mozilla Security thread from a year ago does indeed look exactly like my issue, it's a shame apparently nothing happened on the improved support for MitM proxies.

At first I could load Twitter after disabling network.stricttransportsecurity.preloadlist and creating an exception. I'm confused about certutil: do I have to compile that from source code or what?

[EDITED 2x] However, I found a different way that worked! Following the comment on the Mozilla Security thread, I looked up how to import the certificate from the operating system's root certificate database. So I

1. ran mmc from the Windows command line,
2. strated the certification manager (File > Add/Remove Snap-in..., highlight Certificates, click Add, click OK),
3. looked at the Trusted Root Certification Authorities and found the company server that issued my intermediate certificates,
4. exported the certificate,
5. opened the Firefox certification manager and imported the certificate under Authorities (not under Websites!),
6. enabled network.stricttransportsecurity.preloadlist again.

Now I don't have to manually override for any new https sites and Twitter loads normally, too.

Thanks for leading me to the solution!