How to fix missing "I Understand the Risks" section / "Add Exception..." button

Unread post by CrouZ » 2021-05-06, 08:03

Problem:
Certificate/security issue with a site makes you reach the "This Connection is Untrusted" page, but you cannot proceed to the site because the "I Understand the Risks" section that contains the "Add Exception..." button is missing.
[Attached screenshot: Pale Moon error page missing the "I Understand the Risks" section with the "Add Exception..." button]
Related threads:
viewtopic.php?f=29&t=10466&p=72660&hili ... on+missing
viewtopic.php?f=3&t=3437&p=19710&hilit= ... on+missing

Solutions:
Alternative 1 (small effort, some side effects). Clear all site connectivity data.
Steps:
1. Press Ctrl+Shift+Del
2. Time range to clear: "Everything"
3. Check "Site Connectivity Data"
4. Press "Clear Now"
5. Reload the site

Alternative 2 (medium effort, no side effects). Remove site specific connectivity data.
Steps:
1. Close Pale Moon
2. Open SiteSecurityServiceState.txt in your Pale Moon profile.
3. Remove the line related to the page you're having trouble with.
4. Start Pale Moon again

Unread post by vannilla » 2021-05-06, 08:08

Real solution: contact the site administrators and tell them their site is not secure.

Unread post by Moonchild » 2021-05-06, 08:52

It's not a fix, it's a workaround.
Website owners need to understand that if they send an HSTS header they are making a solid promise that their site security is in order and will be in order for at least as long as they make the promise for (HSTS is a long duration commitment).
If they can't make that commitment then they have no business sending HSTS headers!

The browser is rightfully denying you to make exceptions because it would be breaking a promise. Users likewise need to understand that they should never do what is outlined in the opening post, and instead do what vannilla posted (i.e. contact the website owners). You are purposefully breaking a security mechanism that is in place to protect you.
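
The commitment described in the post above can be checked from the site owner's side. This is an added example, not part of the thread and not Pale Moon code: it parses a `Strict-Transport-Security` header value and computes how long a browser that remembered it keeps enforcing HTTPS after the certificate expires. The function names, dates and header value are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797, section 6.1)."""
    policy = {"max_age": None, "include_subdomains": False}
    seen = set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if not name:
            continue                         # tolerate empty segments such as "a;;b"
        if name in seen:
            raise ValueError(f"directive repeated: {name}")
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')     # the value may be a quoted-string
            if not arg.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        # unknown directives are ignored, as the RFC requires
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


def commitment_gap(header_value, last_sent, cert_not_after):
    """Return (enforced_until, gap) for a browser that last saw the header at last_sent.

    gap is how long that browser keeps refusing plain HTTP and certificate
    exceptions after the certificate has expired; zero means no gap.
    """
    policy = parse_hsts(header_value)
    enforced_until = last_sent + timedelta(seconds=policy["max_age"])
    gap = max(enforced_until - cert_not_after, timedelta(0))
    return enforced_until, gap


if __name__ == "__main__":
    # Constructed sample: one-year policy, certificate lapses three months later.
    sent = datetime(2020, 6, 1, tzinfo=timezone.utc)
    expires = datetime(2020, 9, 1, tzinfo=timezone.utc)
    until, gap = commitment_gap("max-age=31536000; includeSubDomains", sent, expires)
    print(f"enforced until {until:%Y-%m-%d}, broken for {gap.days} days")
```

A non-zero gap is the situation in this thread: visitors whose browsers remember the policy get an error page with no exception button until the certificate is renewed or the remembered policy expires.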

Unread post by Baloo » 2021-05-08, 17:04

Yeah, don't maneuver around safety protocols that are there for a reason.

Unread post by gepus » 2021-05-08, 20:45

@CrouZ

Bringing the button back for wwww.fazerfoodco.se - do it at your own risk.
browser.xul.error_pages.expert_bad_cert = true

In case you add an exception, do it at least in a private window so the exception won't be saved.

Unread post by jobbautista9 » 2021-05-09, 07:33

gepus, please don't encourage bad security practices, even if you include a "do it at your own risk" warning. Moonchild has already said why it's a very bad idea to bypass HSTS.

Unread post by Moonchild » 2021-05-09, 09:33

gepus wrote (2021-05-08, 20:45):
> browser.xul.error_pages.expert_bad_cert = true

If you're not a security expert and know exactly what you are doing and all the implications of it, you should not change that preference. Hint is in the name.

Unread post by Lunokhod » 2021-05-09, 20:20

https://www.top-rated.online/cities/Lan ... ang+Hermes
Here the website address is given as http, not https. But trying to go to it results in the s getting added and the error. In Firefox it says the certificate expired in 2020 and lets you choose to proceed with a button, and then it doesn't take you there at all but redirects to here:
https://www.foodandco.se/
and you can get to that without any error message at all from Pale Moon, so the actual site you are trying to get to is secure and up to date, so it appears it's only a redirect from an old address that's failing in the example?

Unread post by Lunokhod » 2021-05-10, 01:57

Reading more about this I see why this is like this now, because the browser can't know where the site redirects to in advance. Although it is possible to get free ssl certificates from places like letsencrypt, for businesses who employ 3rd parties to provide their website this may not be an option, so it's a problem with the system in general that a redirect from an old domain needs a valid ssl for as long as it exists.
I did find this workaround to get the redirect address from the site without visiting it though, this ssl / security test:
https://www.ssllabs.com/ssltest/
(which I'm sure Moonchild showed me something on here before) and amongst the results from the (lengthy) tests it runs is the redirect!
HTTP forwarding https://foodandco.se
And then I found this site which tests only redirects and gives a very fast answer:
https://www.redirect-checker.org/index.php
So that could be useful (although you would then have to try and determine if the redirect was safe to visit if you got this for real.)