Firefox security warning when downloading PDFs: How do I disable this?
Hi. Starting somewhat recently, Firefox has been getting in the way of me downloading certain PDFs which I know to be fine but which it thinks are insecure or a security hazard. I'd like to disable this security "feature" permanently. How can I do this? Thanks!
Chosen solution
Hi Kiki. Thanks again for the response.
Since I personally can't stand the thought that a solution can't be found on this website, I will report that I've found the solution at:
https://www.techradar.com/news/firefox-is-ready-to-protect-against-potentially-dangerous-downloads
Simply, one goes to about:config and sets block_download_insecure to false. Easy.
Folks who are considering doing that, however, should know that they're taking the guard off the table saw. It *can* now hurt you, so do this disabling at your own considerable risk. The goals of this protection are noble and worth pursuing, but there are still issues.
While I struggled with this, I discovered that most of the issues I encountered arose because of mis-configured websites that sent downloads over unsecured channels. Webmasters really need to get their acts together to fix this silly ridiculousness. It opens everyone up to a security issue which is potentially VERY damaging.
Thank you again, Kiki and others, for bothering to respond.
Read this answer in context 👍 1All Replies (20)
Please explain the problem in detail. What happens? What is/are the exact error message(s) ?
Please provide a public link (no password) that we can
check out. No Personal Information Please !
Hi. There are no error messages as what's happening is clearly intentional. When I click on certain PDFs I just get a warning that Firefox won't download the attachment because it claims there's a problem which there actually never is. I can't reproduce the error because I can't, at the moment, find a PDF Firefox finds problematic, but it happens frequently enough. I'm then presented with the option to download anyway, but that adds a very irritating step. I'd like to do away with the security check completely.
Knowing the exact error message would be helpful to solve the problem.
There is security software like Avast, Kaspersky, BitDefender and ESET that
intercept secure connection certificates and send their own.
https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can
https://support.mozilla.org/en-US/kb/firefox-and-other-browsers-cant-load-websites
https://support.mozilla.org/en-US/kb/secure-connection-failed-firefox-did-not-connect
https://support.mozilla.org/en-US/kb/websites-dont-load-troubleshoot-and-fix-errors
Hi Greenhorn,
It's a new feature that we introduced in Firefox 93 called the Download protection. Please check out this article to learn more about the feature.
Thank you, Kiki.
Hi Kiki. Thanks for posting that. It's helpful to have more information. Unfortunately, unless I've missed something, the author of that article hasn't finished it yet as apparently the author hasn't gotten to writing the part about how to disable it. Do you know how to do this?
Thanks again to both FredMcD and Kiki for taking the time to care about my issue.
Unfortunately, I'm not aware if there's any way to disable the feature. Also, it's highly recommended to keep this feature on to keep you safe online.
Hi Kiki. Thanks for writing back. The recommendations my brain makes to/for me supersede all other recommendations. My brain recommends to me, specifically, that I disable it. :-} There must be some way; otherwise, I'd consider that a significant developer oversight.
Further to this, it strikes me that if Firefox is going to another location to gather information on the safety of a download (is it?), that represents a privacy leak. I don't want my browser querying other servers when I try to download something --- not for any reason.
For the record, it's been possible in the past to disable similar features:
Greenhorn said
Further to this, it strikes me that if Firefox is going to another location to gather information on the safety of a download (is it?), that represents a privacy leak.
You don't have to worry about that. Only checksums are downloaded from our server, file is compared on your machine. Firefox is not going anywhere.
Hi. Thanks for the response. But Firefox is still going to another server, isn't it? Whether it's yours or anyone else's is immaterial. That's potentially a leak right there, no?
If you read this article, you will see how the malware detection works in Firefox:
When you download an application file, Firefox will verify the signature. If it is signed, Firefox then compares the signature with a list of known safe publishers. For files that are not identified by the lists as “safe” (allowed) or as “malware” (blocked), Firefox asks Google’s Safe Browsing service if the software is safe by sending it some of the download’s metadata. Note this online check will only be performed in Firefox on Windows for those downloaded files that don’t have a known good publisher. Most of the common and safe software for Windows is signed and so this final check won’t always need to happen.
So is that specifically for apps, or for all files?
That's the case with apps. In your case with PDF download, it's very likely that you download the file from an insecure HTTP address.
See also: https://blog.mozilla.org/security/2021/10/05/firefox-93-protects-against-insecure-downloads/
It's regardless very frustrating to not have an option to disable this. Regarding apps, going to *any* third party with *any* information is problematic to me. The mention of Google makes me shudder. I appreciate all of you who took the time to write about this. Thanks for caring. I always reflect on the generosity people who write back express when taking the time to help someone.
The ability to customize the experience should be central to Firefox. It's what drew me to it I guess now well over a decade ago. I further have never had an issue managing my security through my own channels. It's noble that Firefox wants to institute these type of features, to be sure. But that doesn't mean they fit everyone.
I wonder where the folks at Tor stand on this feature. If it's disabled there, it will say a lot.
All this saddens me. If anyone learns of any way to switch this off, I'd appreciate your sharing it here.
I'm sorry to let you down, Greenhorn.
There's probably workaround for that through the about:preference page if you search on the web. However, going about that is not recommended, especially if you're not familiar with the advanced customization setting (see Firefox Advanced Customization and Configuration Options). We don't create UI to switch off this feature since we believe that it's the best for Firefox users.
We understand your concern for the third party usage. However, Google Safe Browsing is a trusted technology that allows us to protect our users. Build similar technology by ourselves will take tons of time and resources that we can't afford.
Hi Kiki,
It is very much a disappointment to not be able to switch this off. I get relentless false positives making this "feature" far more of a problem than a solution. It's like a poorly-implemented guard on a table saw: All the user ends up doing is ripping the guard off because it causes so much frustration as to make the saw unworkable. Does that make the saw safer? Probably not, but it does get the job done and, for the person who took it off, if she's aware, it's probably not significantly less safe. Done appropriately poorly, the guard itself can actually make the saw *less* safe.
- Nothing* is worse than a poorly implemented safety "feature".
This really needs to be addressed. It's an angering waste of time to click a bunch of times to access downloads which one knows are safe.
I'm quite happy, thanks, to use stuff in about:config as I have been for over a decade. It would be considerate and an important statement that you respect your users to provide information on how to turn this "feature" off. I hope I won't have to deal with disappointment here, too.
Regarding google, nobody should be forced to have to have anything to do with this entity if they don't want to.
Thanks.
I understand the frustation and was sorry for not being able to help much in this case.
Chosen Solution
Hi Kiki. Thanks again for the response.
Since I personally can't stand the thought that a solution can't be found on this website, I will report that I've found the solution at:
https://www.techradar.com/news/firefox-is-ready-to-protect-against-potentially-dangerous-downloads
Simply, one goes to about:config and sets block_download_insecure to false. Easy.
Folks who are considering doing that, however, should know that they're taking the guard off the table saw. It *can* now hurt you, so do this disabling at your own considerable risk. The goals of this protection are noble and worth pursuing, but there are still issues.
While I struggled with this, I discovered that most of the issues I encountered arose because of mis-configured websites that sent downloads over unsecured channels. Webmasters really need to get their acts together to fix this silly ridiculousness. It opens everyone up to a security issue which is potentially VERY damaging.
Thank you again, Kiki and others, for bothering to respond.
Hello Greenhorn.
Thank you for showing a solution. The official solution can be found at about:preferences#privacy, scroll down to security.
I understand your want for privacy from Google. I can assure you that your data is secure. If you want even more security (and the explanation of why you are secure), go here to see my explanation, and instructions on setting up the proxy through brave's servers.
Modified