Firefox loading https when no https available

Hi,

I'm running DarkStat ( https://unix4lyfe.org/darkstat/ ) which runs non-https on a root-only port. By default it's 667.

When I try to access http://mysite.com:667 it forces https even though I manually typed it in without https. I then get the following error:


Secure Connection Failed

The connection to mysite.com:667 was interrupted while the page was loading.

   The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
   Please contact the website owners to inform them of this problem.

I have read in an archived post that some changes could cause this, for instance, setting browser.urlbar.autoFill to false. This does not help.

I can probably downgrade Firefox but I'm not a huge fan of security issues.

OS: OSX 10.10 (latest w/ updates) FF: 38.0.5 (latest without plugins)

Any ideas, clues, suggestions are welcome.


All Replies (9)

There is an add-on that does this.

Type about:addons<enter> in the address bar to open your Add-ons Manager. (Hot key: <Control> (Mac: <Command>) <Shift> A)

In the Add-ons Manager, on the left, select Extensions.


Start Firefox in Safe Mode by holding down the <Shift> (Mac Options) key, and then starting Firefox. Is the problem still there?

Clear the cache and remove cookies only from websites that cause problems.

"Clear the Cache":

  • Firefox > Preferences > Advanced > Network > Cached Web Content: "Clear Now"

"Remove Cookies" from sites causing problems:

  • Firefox > Preferences > Privacy > "Use custom settings for history" > Cookies: "Show Cookies"

You can remove all data stored in Firefox from a specific domain via "Forget About This Site" in the right-click context menu of a history entry ("History > Show All History" or "View > Sidebar > History") or via the about:permissions page.

Using "Forget About This Site" will remove all data stored in Firefox from that domain like bookmarks, cookies, passwords, cache, history, and exceptions, so be cautious and if you have a password or other data from that domain that you do not want to lose then make sure to backup this data or make a note.

You can't recover from this 'forget' unless you have a backup of the involved files.

It doesn't have any lasting effect, so if you revisit such a 'forgotten' website then data from that website will be saved once again.

Do you have anything on mysite.com that requires HTTPS, such as an administration portal? Such applications may send Firefox an HTTP Strict Transport Security (HSTS) header, which Firefox will interpret to mean that HTTP cannot be used for that host for any pages. Firefox will always try to change to HTTPS until the expiration of the header.

Ref: https://developer.mozilla.org/docs/We.../HTTP_strict_transport_security

Now, you would think a different port number would be treated as a different host, but if the HSTS header specifies includeSubdomains, then it may be treated as one and the same. We don't have a lot of threads on this, so I'm flagging this up as a possibility based on one user's testing some time ago.

Thanks.

@FredMcD: I have no extensions installed, so I started in safe mode; same problem.

@cor-el: Cleared cache, removed cookies, and "forgot" the site, same problem.

@jscher2000: Sorry, I should have been more specific. Darkstat runs its own daemon, it's not just a non-standard Apache or Nginx port. It's a standalone daemon that runs on another port. It has no https configuration options whatsoever, so it shouldn't be sending HSTS (which is in fact enabled on https://mysite.com).

I can replicate the issue with Safari, but with Chrome, Links and Lynx, and Opera it works like a charm.

Modified by Ishtar

Ishtar said

I started in safe mode; same problem.

Start your Computer in safe mode with networking. Then start Firefox. Try Safe web sites. Is the problem still there?

Starting The Computer In Safe Mode;
Free Online Encyclopedia

Booted the MacBook in safe mode, started Firefox in safe mode, same thing. Tried Firefox in normal mode while OSX still in safe mode, same again. :(

Thanks for the tips guys, but so far nothing.

Modified by Ishtar

Ishtar said

Darkstat runs its own daemon, it's not just a non-standard Apache or Nginx port. It's a standalone daemon that runs on another port. It has no https configuration options whatsoever, so it shouldn't be sending HSTS (which is in fact enabled on https://mysite.com).

Yes, that is what I suspected. Firefox follows the HSTS header and requires HTTPS for port 443, and that seems also to be applied to port 667.

You can temporarily remove the HSTS flag from Firefox using the "Forget about this site" feature described in cor-el's earlier reply before using port 667. However, it will be set again the next time you visit the site (on port 443). Please note that "forget" is very thorough and removes cookies, history, permissions, and bookmarks for the site, as well as the HSTS flag.

For my edification in knowing whether it makes a difference, can you check the Strict Transport Security header from the site (on port 443) to see whether it has includeSubdomains set? This should be visible if you open the Web Console or Browser Console (see menu > Developer, or Tools > Web Developer) and reload the page, then click the URL and scroll down to the response headers.

I think I see where you're going.

I removed "include subdomains" from HSTS in Apache (in every single vhost just in case) and created darkstat.mysite.com, then "forget this site" again.

I accessed darkstat.mysite.com:667 and it tried https on its own. So I "forget this site" again, accessed https://mysite.com and then tried to force http://darkstat.mysite.com:667 and it tried https again.

Looks like this might not be the answer :(

Anything else to suggest?

Thanks!

Modified by Ishtar

I'm afraid what that means is that Firefox may not be distinguishing port 667 from 443. I haven't dug into the code or searched https://bugzilla.mozilla.org/ for confirmation.
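
Added example (not part of any reply in this thread, and not Firefox's code): a minimal model of the HSTS rules in RFC 6797, where the known-host list is keyed by host name without a port and the upgrade step keeps any explicit port other than 80. The class and function names are hypothetical, mysite.com is the thread's placeholder host, and max-age expiry is not modelled.

```python
# Added illustration of RFC 6797 (HSTS) host matching and URI upgrade.
from urllib.parse import urlsplit, urlunsplit


def parse_sts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age is required")
    return max_age, include_sub


class HstsStore:
    """Known HSTS hosts keyed by host name only; ports are never part of the key."""

    def __init__(self):
        self.hosts = {}                          # host name -> includeSubDomains flag

    def note(self, host, header_value):
        max_age, include_sub = parse_sts(header_value)
        if max_age == 0:
            self.hosts.pop(host.lower(), None)   # max-age=0 removes the entry
        else:
            self.hosts[host.lower()] = include_sub

    def applies(self, host):
        host = host.lower()
        if host in self.hosts:                   # exact host match
            return True
        labels = host.split(".")
        # A parent domain matches only if it set includeSubDomains.
        return any(self.hosts.get(".".join(labels[i:])) for i in range(1, len(labels)))

    def upgrade(self, url):
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.applies(parts.hostname):
            return url
        port = parts.port
        # RFC 6797 section 8.3: port 80 (or none) becomes the https default;
        # any other explicit port is preserved.
        netloc = parts.hostname if port in (None, 80) else f"{parts.hostname}:{port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

Under these rules a policy received from https://mysite.com on port 443 also rewrites http://mysite.com:667/ to https://mysite.com:667/, which a plain-HTTP daemon on that port cannot answer.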