Difference between revisions of "Firefox notes"

From Noah.org
Jump to navigationJump to search
m
Line 40: Line 40:
 
</pre>
 
</pre>
  
The [http://blog.johnath.com/2008/08/05/ssl-question-corner/ author responds] to the mass outcry against the new Firefox 3 UI for certificate warnings. Apparently he still disagrees. The annoying thing is that he doesn't get it. Most of the people who have been complaining about this this are IT professionals and we understand the risk. We don't need a lecture on "Certificate Security for Dummies". We just want a "Expert" option somewhere in Firefox three to turn off this stupid "feature".
+
The [http://blog.johnath.com/2008/08/05/ssl-question-corner/ author responds] to the mass outcry against the new Firefox 3 UI for certificate warnings. Apparently he disagrees... with everybody. The people who have been complaining about this this are IT professionals and we understand the risk. We don't need a lecture on "Certificate Security for Dummies". We just want a "Expert" option somewhere in Firefox three to turn off this stupid "feature".
 +
 
 +
For example, take these guys:
 +
 
 +
    https://savannah.gnu.org/bugs/?group=coreutils
 +
 
 +
(yeah, it's a cacert.org cert, so not quite as terrifying as a self-signed cert)
 +
 
 +
=== Manually circumventing self-signed certificate safety ===
  
 
There is a work around to set "expert" mode using the "about:config" interface. This makes the process a tiny bit less painful. This will still require two clicks where one click would do. Luckily, someone has created a Firefox 3 Add-on that fixes even this and makes accepting a certificate exception be a one-click process. Check out [https://addons.mozilla.org/en-US/firefox/addon/6843 MitM Me]. Unfortunately, the "MitM Me" Add-on is listed as "experimental" so you have to sign-up for a Mozilla account and login before you can download it.  
 
There is a work around to set "expert" mode using the "about:config" interface. This makes the process a tiny bit less painful. This will still require two clicks where one click would do. Luckily, someone has created a Firefox 3 Add-on that fixes even this and makes accepting a certificate exception be a one-click process. Check out [https://addons.mozilla.org/en-US/firefox/addon/6843 MitM Me]. Unfortunately, the "MitM Me" Add-on is listed as "experimental" so you have to sign-up for a Mozilla account and login before you can download it.  

Revision as of 16:45, 3 February 2009

Type about:config into the address bar or get Configuration Mania.

about:config

Search for these options and modify or toggle them:

about:robots
security.dialog_enable_delay = 0
browser.tabs.closeButtons = 3 # put tab close button on toolbar
browser.sessionstore.max_tabs_undo = 30
browser.search.openintab = True # Searches in search bar open in new tab instead of current window 
browser.urlbar.clickSelectsAll = True # I can't decide which way I like better...
layout.spellcheckDefault = 2 # Spellcheck one-line text fields as well as standard text area fields

view_source.editor.external = True
view_source.editor.path = /usr/bin/gvim

These options may need to be created:

content.switch.threshold = 1000000

Interesting... I need to research these more:

network.protocol-handler

Firefox 3 self-signed SSL cert handling was thought up by a dork

Error code: sec_error_untrusted_issuer

The author responds to the mass outcry against the new Firefox 3 UI for certificate warnings. Apparently he disagrees... with everybody. The people who have been complaining about this this are IT professionals and we understand the risk. We don't need a lecture on "Certificate Security for Dummies". We just want a "Expert" option somewhere in Firefox three to turn off this stupid "feature".

For example, take these guys:

   https://savannah.gnu.org/bugs/?group=coreutils

(yeah, it's a cacert.org cert, so not quite as terrifying as a self-signed cert)

Manually circumventing self-signed certificate safety

There is a work around to set "expert" mode using the "about:config" interface. This makes the process a tiny bit less painful. This will still require two clicks where one click would do. Luckily, someone has created a Firefox 3 Add-on that fixes even this and makes accepting a certificate exception be a one-click process. Check out MitM Me. Unfortunately, the "MitM Me" Add-on is listed as "experimental" so you have to sign-up for a Mozilla account and login before you can download it.

Even "MitM Me" is not perfect, but this time because it's a little too insecure. You do get a warning page with a button to add an exception, but the problem is that you don't have a way to inspect the certificate. That's still good enough for me in most cases because the only time I'm going to want to actually inspect the certificate is when I'm debugging one of my own sites. If I'm going to my bank's site and I get this warning then I'm already not going to login; I'm going to close the browser no matter what the certificate says.

If you don't want to install the "MitM Me" Add-on there here are the "about:config" settings that you need to set to at least turn this into a two-click process:

browser.xul.error_pages.expert_bad_cert = true
browser.ssl_override_behavior = 2
browser.xul.error_pages.enabled = true   # this is the default, so it is probably already set true.

These settings are documented here: