STFU Firefox
July 17, 2008 10:17 PM

How do I tell Firefox 3 to stop checking SSL certs? I access many sites using self-signed SSL certificates and up until now that was fine, but now I have encountered two self-signed certs that have the same serial number and Firefox won't even let me add an exception. I can't even access the second site. How do I just tell Firefox I don't care if a site is using a bad SSL cert?
posted by DJWeezy to Technology (10 answers total)
 
As in everything for Firefox, the answer you seek is in modifying one of the arcane settings in about:config
posted by Deathalicious at 11:37 PM on July 17, 2008




...and the bug request that made it all possible! Thanks Johnathan Nightingale
posted by Deathalicious at 11:40 PM on July 17, 2008


Response by poster: I'm sorry to say but I found that page before and it didn't help my problem. Here is the error Firefox gives me in case it will help someone:

Secure Connection Failed

An error occurred during a connection to *****redacted*****.

You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information:

Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number.

(Error code: sec_error_reused_issuer_and_serial)

The page you are trying to view can not be shown because the authenticity of the received data could not be verified.

* Please contact the web site owners to inform them of this problem.
posted by DJWeezy at 11:41 PM on July 17, 2008


Oh man. That is annoying.

What are the chances you would be able to get the site in question to change their certificate? Because I can see how this would be a serious issue: basically, it would mean someone could spoof the other server pretty easily.

Another possibility you might want to look into is running one Firefox 2 instance and one Firefox 3 instance if this works for you...I know there are solutions out there for OS X that allow you to do this.
posted by Deathalicious at 12:20 AM on July 18, 2008


Response by poster: Well, technically both sites are mine and it's just the default SSL cert generated by Gentoo and I'm just too lazy to change it, and I figure I'll be the only one accessing both of them so it's not a huge deal, but changing the cert can be done.
posted by DJWeezy at 12:28 AM on July 18, 2008


Change the cert. This is "false laziness", where you spend more effort figuring out how to avoid doing the thing than you would just doing it.
posted by mendel at 5:45 AM on July 18, 2008
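
What "change the cert" amounts to for two self-signed certificates that collide, as an added example that is not part of the thread: it builds two constructed certs sharing issuer and serial (the condition behind `sec_error_reused_issuer_and_serial`), lists the collision, then reissues one with a random serial. The `localhost` subject, serial `1`, file names and function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Subject, serials and paths are constructed.
set -eu

# Issue a throwaway self-signed cert for CN=$1 with serial $2 as $3.pem / $3.key.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1" -set_serial "$2" \
        -keyout "$3.key" -out "$3.pem" 2>/dev/null
}

# The pair the Firefox 3 error is about: issuer DN plus serial, on one line.
issuer_serial() {
    openssl x509 -in "$1" -noout -issuer -serial | tr '\n' ' '
}

# Print each issuer+serial pair that appears on more than one of the given certs.
find_collisions() {
    for pem in "$@"; do
        issuer_serial "$pem"
        echo
    done | sort | uniq -d
}

# A serial that will not repeat across hosts: 16 random bytes as hex.
random_serial() {
    echo "0x$(openssl rand -hex 16)"
}

demo() {
    work=$(mktemp -d)
    # Two hosts carrying different keys but the same subject and serial.
    make_cert localhost 1 "$work/site-a"
    make_cert localhost 1 "$work/site-b"
    echo "before: $(find_collisions "$work"/*.pem | wc -l) colliding pair(s)"
    # Reissue one of them with a unique serial and check again.
    make_cert localhost "$(random_serial)" "$work/site-b"
    echo "after:  $(find_collisions "$work"/*.pem | wc -l) colliding pair(s)"
    rm -rf "$work"
}

demo
```

Giving each host its own subject (for example its hostname as CN) also removes the collision, since a self-signed cert's issuer is its own subject.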


Best answer: Use a different web browser to access the system. I realise that doesn't directly answer your question, but it is nevertheless the only practical option. In my job I look after a few dozen identical embedded devices, each with the same fixed SSL certificate. It is impossible to manage these devices with Firefox 3.

It works in IE. It even works in FF2. But in FF3, the developers decided that rather than silently overwriting the previous record of that certificate (and thus allowing you to continue), or even telling you there's a conflict and asking you how you would like to resolve it, they decided that you would simply not be allowed to access that site. No exceptions. No overrides. The only way to proceed is to delete your entire Firefox certificates database each time you want to access a different one of those devices, which if you regularly deal with self-signed certs is too high a price to pay.

This was ultimately an arrogant and bad decision by the Firefox developers. The attitude revealed in the bug reports people have been raising suggests it won't be changing soon.

Deathalicious: SSL is heavily used on internal networks, where encryption is desired but authenticating individual devices isn't an important consideration. It's used very heavily to control things like routers and other embedded systems. If I'm the network admin of a company with a dozen branch offices with Linksys routers, each with the same certificate that I can't change, each on the same private WAN, I'm not in any way concerned about the idea that one router might try to "spoof" the identity of another. But Firefox will "protect" me from the ability to log in to the second router because it already saw that particular certificate on the first one.
posted by standbythree at 12:18 PM on July 19, 2008 [1 favorite]


FYI I'm also having the same problem but don't have the ability to change the cert in question, as it's the cert for the web interface on my parents' Linksys router (and so I'm guessing it's in the firmware somewhere and not exactly changeable).

Anyone finding a solution to this that works for FF 3.01+ I'd love to hear about it.
posted by tiamat at 11:52 PM on August 12, 2008


Anyone finding a solution to this that works for FF 3.01+ I'd love to hear about it.

The only way to win is not to play. The FF team made a decision...it has sort of changed from just an idea to an ideology. As standbythree says, just read the bug reports.

I really like FF, and I like the improvements introduced by FF 3. And, thankfully, I don't have to deal with this certificate problem myself on a regular basis. But it is really, really retarded. Especially since they've made it kinda easy to fool a user into thinking a site is secure [Warning, FF3 will not like this link].
posted by Deathalicious at 5:42 AM on August 13, 2008


This thread is closed to new comments.