Is there a way to disable the HSTS ( HTTP Strict Transport Security ) list built into Firefox or to allow exceptions?
HSTS is problematic in that it incorrectly assumes that all users trust the default list of CAs and makes the adding of exceptions impossible even by advanced users.
For example, torproject.org is inaccessible on Firefox unless I am willing to trust DigiCert to never sign a fake certificate either by negligence or by court order of any country in which they operate, thereby making every https: site ( not just torproject.org ) vulnerable to a MITM attack.
A user disabling CAs in the browser is not unreasonable given the ever growing list of CAs built into Firefox ( each one a potential point of failure ), the number of CAs that have been recently compromised and the very low standards required to obtain a certificate.
While I understand the desire to protect the average user who doesn't understand how certificates work and will click past warnings without reading them, this protection should not come at the expense of more security conscious users.
I would recommend an about:config setting that would allow the creation of exceptions by users who explicitly choose to do so.
So far the only kludge I have been able to come up with is to modify c:\program files\mozilla firefox\xul.dll with a hex editor and replace the sites on the list ( this is far from an ideal solution ).