Where did you install Firefox from? Help Mozilla uncover 3rd party websites that offer problematic Firefox installation by taking part in our campaign. There will be swag, and you'll be featured in our blog if you manage to report at least 10 valid reports!

Avatar for Username

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

Learn More

话题已存档。 如果需要帮助请提出新问题。

Can the text in the Add Security Exception be modified?

  • 1 个回答
  • 1 人有此问题
  • 10 次查看
  • 最后回复者为 dveditz

kcarlson4
kcarlson4
more options

Our company has built an application that is currently used by many banks. Recently, we have updated the application to change from a thick client to a thin client using web browsers. The web based client communicates via SignalR to a local windows service that gets installed in order to talk with a check scanner. The web application is served as an HTTPS web site and the local window service which uses SignalR also runs via HTTPS. When the local windows service is installed, a self-signed certificate is generated and installed on the local computer.

When the web client is run on a Mozilla Firefox web browser, a security exception must be manually added for the localhost URL of the SignalR service. The problem is that in the Add Security Exception dialog, the following text is displayed by Firefox: “You are about to override how Firefox identifies this site. Legitimate banks, stores, and other public sites will not ask you to do this.” Since our applications are used and hosted by banks, this message is not true in our case.

We cannot install a unique signed certificate for every client, which is why we generate a self-signed certificate. We cannot host the local windows service running as just under HTTP, because then the web client cannot communicate with the local windows service due to mixed content security violation. We know the shield in address box on Firefox can disable the protection, but this would have to be done every time.

Is there an alternative to the text in the Add Security Exception from being displayed? Or do you have another suggestion on how to get around this issue? Or can the text in the Add Security Exception dialog box be modified?

Our company has built an application that is currently used by many banks. Recently, we have updated the application to change from a thick client to a thin client using web browsers. The web based client communicates via SignalR to a local windows service that gets installed in order to talk with a check scanner. The web application is served as an HTTPS web site and the local window service which uses SignalR also runs via HTTPS. When the local windows service is installed, a self-signed certificate is generated and installed on the local computer. When the web client is run on a Mozilla Firefox web browser, a security exception must be manually added for the localhost URL of the SignalR service. The problem is that in the Add Security Exception dialog, the following text is displayed by Firefox: “You are about to override how Firefox identifies this site. Legitimate banks, stores, and other public sites will not ask you to do this.” Since our applications are used and hosted by banks, this message is not true in our case. We cannot install a unique signed certificate for every client, which is why we generate a self-signed certificate. We cannot host the local windows service running as just under HTTP, because then the web client cannot communicate with the local windows service due to mixed content security violation. We know the shield in address box on Firefox can disable the protection, but this would have to be done every time. Is there an alternative to the text in the Add Security Exception from being displayed? Or do you have another suggestion on how to get around this issue? Or can the text in the Add Security Exception dialog box be modified?

由kcarlson4于修改

所有回复 (1)

dveditz
dveditz
more options

You can't change that text from a web site (or the bad guys could also), but you could from an add-on. But if you had an add-on it could install the self-signed cert exception for you. For that matter the add-on could be what the web site communicates through to the device, but then this would be a Firefox-specific solution.

If the local service cert is self-signed how does the web app know it's talking to the legitimate service? How do you keep other web sites who know about your service from trying to talk to it? If you trust it simply because it required an installer to create the service running on https://localhost:8888/ (or whatever port) why not get a legitimate cert and install the same one on every client?

How do you handle this in other browsers? At least Firefox remembers exceptions so you only have to set them up once. On other browsers users will have to "click through" the bad-cert page every time they restart their browser.