Firefox 44 gets override for weak security certificate errors

Martin Brinkmann
Oct 19, 2015
Updated • Oct 19, 2015

When you currently open a web page in Firefox that uses weak cryptography, you are redirected to an error page stating that the connection to the page failed.

Mozilla launched the new error page in Firefox 33. Before that, Firefox offered the means to enforce a connection to the site in question.

The reason for the failure to connect is given, for instance "secure connection failed", as is an option to try to connect to the site again or to report the error.

What's not there though is an option to override it. While it is safe to block the connection in these cases, it is problematic that there is no override available.

[Screenshot: Firefox "Secure Connection Failed" error page]

If you look at how Chrome or Internet Explorer handle this, you will notice that they provide overrides that let users connect to the site anyway.

This can be useful if, for instance, you need to sign in to the web interface of a local router that has not received updates in years and still uses cryptography that is considered weak nowadays.

Without an override in place, you would not be able to connect to the interface using Firefox. Mozilla implemented a fallback option in the preferences:

  1. Type about:config in Firefox's address bar and hit enter.
  2. Confirm you will be careful.
  3. Locate the preference security.tls.insecure_fallback_hosts
  4. Double-click on it and add the hostname of the site you want to add exceptions for, e.g. ghacks.net
  5. Make sure the hostname matches exactly, as www.ghacks.net and ghacks.net are different.

While that makes sense for sites that you connect to regularly, you may not want to add hostnames permanently to the configuration if you only need temporary access.

While you could edit the preference regularly to turn exceptions on or off when the need arises, it may not be comfortable depending on how often you need to make changes to the preference.
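One way to review which permanent exceptions a profile still carries, as an added example that is not code from the article or from Mozilla. It assumes you pass in the text of the profile's prefs.js (or user.js), where preferences are stored as `user_pref("name", "value");` lines, and that hosts are comma-separated as noted in the comments below; the sample contents are constructed, and trimming and lower-casing entries is this example's own normalization.

```python
import re

PREF = "security.tls.insecure_fallback_hosts"

# Constructed sample of a profile's prefs.js (not taken from the article).
SAMPLE_PREFS_JS = '''\
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("security.tls.insecure_fallback_hosts", "ghacks.net, router.example ,WWW.Example.com,");
user_pref("security.tls.version.min", 1);
'''

# prefs.js and user.js store one preference per line as user_pref("name", value);
_PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"' + re.escape(PREF) + r'"\s*,\s*"((?:[^"\\]|\\.)*)"\s*\)\s*;',
    re.MULTILINE,
)

def fallback_hosts(prefs_text):
    """Return the hostnames listed in the pref, in order, without duplicates."""
    hosts = []
    for match in _PREF_LINE.finditer(prefs_text):
        hosts = []  # if the pref appears twice, the last line wins
        for entry in match.group(1).split(","):
            host = entry.strip().lower()  # normalization chosen for this example
            if host and host not in hosts:
                hosts.append(host)
    return hosts

def is_excepted(hostname, hosts):
    """Exact comparison: an entry for ghacks.net does not cover www.ghacks.net."""
    return hostname.strip().lower() in hosts

def audit(prefs_text, still_needed):
    """Split the configured exceptions into ones still needed and stale ones."""
    needed = {h.lower() for h in still_needed}
    hosts = fallback_hosts(prefs_text)
    return {
        "keep": [h for h in hosts if h in needed],
        "stale": [h for h in hosts if h not in needed],
    }

if __name__ == "__main__":
    print(fallback_hosts(SAMPLE_PREFS_JS))
    print(audit(SAMPLE_PREFS_JS, ["router.example"]))
```

Hosts reported as stale are candidates for removal from the preference, since each entry stays in effect until it is deleted.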

Mozilla will make things easier for Firefox users starting with Firefox 44. The organization plans to add an override to Firefox's secure connection error page.

[Screenshot: mockup of the new error page (error-cert-link-colour)]

As you can see on the screenshot above, the new error page will feature an advanced button that you may click on to display an option to visit the site that is considered insecure.

Please note that this is a mockup and subject to change. The planned change would allow Firefox users to bypass weak security errors to visit sites in the browser directly.

Up until now, I have used other browsers to connect to these pages instead if I only needed temporary access to them. (via Sören Hentzschel)

Now You: How do you handle insecure connection errors in Firefox?


Comments

  1. Satish Jogi said on November 23, 2016 at 6:20 pm

    Hi Team,

    I am getting secure connection failed when I try to access the page. Please suggest how to proceed further.

    “Secure Connection Failed

    The connection to the server was reset while the page was loading.

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.”

    I tried all the options (ssl) in about:config, and I deleted the cert8 file as well. Please, someone help me to fix the issue.

    1. Martin Brinkmann said on November 23, 2016 at 6:50 pm

      Which page are you trying to access?

  2. Charles said on May 24, 2016 at 7:43 pm

    Thanks for the information, but I think entering the hostname of each site that appears insecure is somehow stressful. The easiest way to solve the problem without having to enter each site’s hostname is to change
    security.ssl.enable_ocsp_stapling at about:config. More information can be found at http://www.easytins.com/2016/05/how-to-fix-secure-connection-failed.html

  3. Rawr said on November 2, 2015 at 8:36 pm

    https://very.badssl.com/

    Is there something wrong with my firefox if it loads this page with a doge pic? I got no block whatsoever from it.

  4. CHEF-KOCH said on October 20, 2015 at 9:47 am

    BTW the topic says ‘gets override for weak security certificate errors’ so besides the only small gui change this is still wrong, this certificate about:config switch has been present for over one year.

    Please change the topic to something like ‘FF 44 will enable a new gui for security cert errors’, the rest is nothing but wrong.

    No offense, but facts.

  5. CHEF-KOCH said on October 20, 2015 at 9:13 am

    @Sören Hentzschel

    The option IS FOR WHITELISTING in case a page e.g. uses RC4, and the option already existed: http://imagizer.imageshack.com/img633/8062/UfgkGM.png, same as the normal FF 38 release. Just download it and you will see, so my comment is okay.

    It’s not easier and it’s not new, just a tweaked option but that’s all.

  6. DonGateley said on October 19, 2015 at 9:37 pm

    That parameter is a string. How should multiple site addresses be separated in it?

    If anybody knows, is there a way to put a parameter in a link to about:config which will cause it to open with the parameter as a search term?

    1. Martin Brinkmann said on October 19, 2015 at 9:51 pm

      Don, you separate hosts with a comma, e.g. example.com, example1.com

  7. CHEF-KOCH said on October 19, 2015 at 5:03 pm

    The override switch (was it since they killed ssl (37/38?). The new page is just the old one with a newer look. Original ticket was from end 2014. https://bugzilla.mozilla.org/show_bug.cgi?id=1114816 + https://wiki.centos.org/TipsAndTricks/Firefox38onCentOS.
    The original article/source I saw this was this (april 2015 but related to FF 38). http://forums.mozillazine.org/viewtopic.php?f=38&t=2927051

    The only stuff I can see that is ‘new’ is that there is a report button (which was/is hidden because, similar to https-everywhere, all broken pages will be sent to Mozilla by default).

    However, it was not enabled by default after v33. Now they are implementing again as default on v44 onwards.

    1. Sören Hentzschel said on October 19, 2015 at 5:53 pm

      Bug 1114816 is about a whitelist. It’s not the same feature as the new error page. And if it’s not a feature of Firefox 41, it’s new. So why do you say “please check your articles/sources”? Martin says: “Mozilla will make things easier for Firefox users starting with Firefox 44”. That’s absolutely correct. Mozilla makes this easier for users in Firefox 44. ;-)

  8. CHEF-KOCH said on October 19, 2015 at 4:20 pm

    Martin, please check your articles/sources, this isn’t new, it has existed since FF38/39 or so.

    1. Sören Hentzschel said on October 19, 2015 at 5:07 pm

      @CHEF-KOCH:

      bug 1207137:

      Status: NEW → RESOLVED
      Last Resolved: 2 days ago
      status-firefox44: affected → fixed
      Resolution: — → FIXED
      Target Milestone: — → Firefox 44

    2. Martin Brinkmann said on October 19, 2015 at 4:48 pm

      The override switch or the new error message when you connect to https sites with errors? Can you provide me with a source for that?

  9. I am not posting comments too quickly said on October 19, 2015 at 2:22 pm

    I like these little Firefox articles. I reckon gHacks is the single best website for such information.

    And the adverts on gHacks today are a huge improvement. I’ve already clicked through on TWO of them because they were interesting and relevant. Well done on whatever change you made over the weekend :)

    (spellcheck still doesn’t work on these weird comment boxes thoigh).
