Цей вебсайт матиме обмежену функціональність, доки ми проводимо його обслуговування для поліпшення роботи. Якщо прочитана стаття не розв'язала вашу проблему і ви хочете поставити питання, наша спільнота підтримки з радістю допоможе вам на @FirefoxSupport у Twitter та /r/firefox на Reddit.

Avatar for Username

Шукати в статтях підтримки

Остерігайтеся нападів зловмисників. Mozilla ніколи не просить вас зателефонувати, надіслати номер телефону у повідомленні або поділитися з кимось особистими даними. Будь ласка, повідомте про підозрілі дії за допомогою меню “Повідомити про зловживання”

Докладніше

Ця тема перенесена в архів. Якщо вам потрібна допомога, запитайте.

Can the text in the Add Security Exception be modified?

  • 1 відповідь
  • 1 має цю проблему
  • 10 переглядів
  • Остання відповідь від dveditz

kcarlson4
kcarlson4
more options

Our company has built an application that is currently used by many banks. Recently, we have updated the application to change from a thick client to a thin client using web browsers. The web based client communicates via SignalR to a local windows service that gets installed in order to talk with a check scanner. The web application is served as an HTTPS web site and the local window service which uses SignalR also runs via HTTPS. When the local windows service is installed, a self-signed certificate is generated and installed on the local computer.

When the web client is run on a Mozilla Firefox web browser, a security exception must be manually added for the localhost URL of the SignalR service. The problem is that in the Add Security Exception dialog, the following text is displayed by Firefox: “You are about to override how Firefox identifies this site. Legitimate banks, stores, and other public sites will not ask you to do this.” Since our applications are used and hosted by banks, this message is not true in our case.

We cannot install a unique signed certificate for every client, which is why we generate a self-signed certificate. We cannot host the local windows service running as just under HTTP, because then the web client cannot communicate with the local windows service due to mixed content security violation. We know the shield in address box on Firefox can disable the protection, but this would have to be done every time.

Is there an alternative to the text in the Add Security Exception from being displayed? Or do you have another suggestion on how to get around this issue? Or can the text in the Add Security Exception dialog box be modified?

Our company has built an application that is currently used by many banks. Recently, we have updated the application to change from a thick client to a thin client using web browsers. The web based client communicates via SignalR to a local windows service that gets installed in order to talk with a check scanner. The web application is served as an HTTPS web site and the local window service which uses SignalR also runs via HTTPS. When the local windows service is installed, a self-signed certificate is generated and installed on the local computer. When the web client is run on a Mozilla Firefox web browser, a security exception must be manually added for the localhost URL of the SignalR service. The problem is that in the Add Security Exception dialog, the following text is displayed by Firefox: “You are about to override how Firefox identifies this site. Legitimate banks, stores, and other public sites will not ask you to do this.” Since our applications are used and hosted by banks, this message is not true in our case. We cannot install a unique signed certificate for every client, which is why we generate a self-signed certificate. We cannot host the local windows service running as just under HTTP, because then the web client cannot communicate with the local windows service due to mixed content security violation. We know the shield in address box on Firefox can disable the protection, but this would have to be done every time. Is there an alternative to the text in the Add Security Exception from being displayed? Or do you have another suggestion on how to get around this issue? Or can the text in the Add Security Exception dialog box be modified?

Змінено kcarlson4

Усі відповіді (1)

dveditz
dveditz
more options

You can't change that text from a web site (or the bad guys could also), but you could from an add-on. But if you had an add-on it could install the self-signed cert exception for you. For that matter the add-on could be what the web site communicates through to the device, but then this would be a Firefox-specific solution.

If the local service cert is self-signed how does the web app know it's talking to the legitimate service? How do you keep other web sites who know about your service from trying to talk to it? If you trust it simply because it required an installer to create the service running on https://localhost:8888/ (or whatever port) why not get a legitimate cert and install the same one on every client?

How do you handle this in other browsers? At least Firefox remembers exceptions so you only have to set them up once. On other browsers users will have to "click through" the bad-cert page every time they restart their browser.