
How to fix missing "I Understand the Risks" section / "Add Exception..." button

Posted: 2021-05-06, 08:03
by CrouZ
Problem:
Certificate/security issue with a site makes you reach the "This Connection is Untrusted" page, but you cannot proceed to the site because the "I Understand the Risks" section that contains the "Add Exception..." button is missing.
Related threads:
viewtopic.php?f=29&t=10466&p=72660&hili ... on+missing
viewtopic.php?f=3&t=3437&p=19710&hilit= ... on+missing

Solutions:
Alternative 1 (small effort, some side effects). Clear all site connectivity data.
Steps:
1. Press Ctrl+Shift+Del
2. Time range to clear: "Everything"
3. Check "Site Connectivity Data"
4. Press "Clear Now"
5. Reload the site

Alternative 2 (medium effort, no side effects). Remove site-specific connectivity data.
Steps:
1. Close Pale Moon
2. Open SiteSecurityServiceState.txt in your Pale Moon profile.
3. Remove the line related to the page you're having trouble with.
4. Start Pale Moon again

Re: How to fix missing "I Understand the Risks" section / "Add Exception..." button

Posted: 2021-05-06, 08:08
by vannilla
Real solution: contact the site administrators and tell them their site is not secure.

Re: How to fix missing "I Understand the Risks" section / "Add Exception..." button

Posted: 2021-05-06, 08:52
by Moonchild
It's not a fix, it's a workaround.
Website owners need to understand that if they send an HSTS header they are making a solid promise that their site security is in order and will be in order for at least as long as they make the promise for (HSTS is a long duration commitment).
If they can't make that commitment then they have no business sending HSTS headers!

The browser is rightfully denying you to make exceptions because it would be breaking a promise. Users likewise need to understand that they should never do what is outlined in the opening post, and instead do what vannilla posted (i.e. contact the website owners). You are purposefully breaking a security mechanism that is in place to protect you.
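
The HSTS commitment described in the post above, as an added example for site operators (not part of the thread and not Pale Moon code): parse a `Strict-Transport-Security` value and compare the window it promises with the certificate's expiry date. The function names, the sample header and the dates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns (max_age_seconds, include_subdomains), or None if it is unusable."""
    max_age, include_sub, seen = None, False, set()
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue                          # empty directives are permitted
        name, _, value = part.partition("=")
        name = name.strip().lower()           # directive names are case-insensitive
        if name in seen:
            return None                       # a directive may appear only once
        seen.add(name)
        if name == "max-age":
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]           # quoted-string form is allowed
            if not (value.isascii() and value.isdigit()):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)  # max-age is required

def audit_commitment(header_value, observed_at, cert_not_after):
    """Compare the HSTS promise window with the certificate's expiry.
    observed_at is when a browser last saw the header; every later visit
    that still receives the header pushes the window forward again."""
    parsed = parse_hsts(header_value)
    if parsed is None:
        return {"status": "no-valid-hsts"}
    max_age, include_sub = parsed
    if max_age == 0:
        return {"status": "hsts-cleared"}     # max-age=0 makes browsers forget the host
    promise_until = observed_at + timedelta(seconds=max_age)
    gap = promise_until - cert_not_after      # positive: promise outlives the certificate
    return {"status": "renewal-required" if gap > timedelta(0) else "covered",
            "promise_until": promise_until,
            "include_subdomains": include_sub,
            "days_uncovered": max(gap.days, 0)}

# Constructed sample values, not taken from any real site.
SEEN = datetime(2020, 1, 1, tzinfo=timezone.utc)
CERT_EXPIRY = datetime(2020, 3, 1, tzinfo=timezone.utc)
REPORT = audit_commitment("max-age=31536000; includeSubDomains", SEEN, CERT_EXPIRY)

if __name__ == "__main__":
    print(REPORT)
```

A `renewal-required` result means browsers that saw the header will keep refusing exceptions for `days_uncovered` days after the current certificate expires, so the certificate has to be renewed before then.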

Re: How to fix missing "I Understand the Risks" section / "Add Exception..." button

Posted: 2021-05-08, 17:04
by Baloo
Yeah, don't maneuver around safety protocols that are there for a reason.

Re: How to fix missing "I Understand the Risks" section / "Add Exception..." button

Posted: 2021-05-08, 20:45
by gepus
@CrouZ

Bringing the button back for wwww.fazerfoodco.se - do it at your own risk.
browser.xul.error_pages.expert_bad_cert = true

In case you add an exception, do it at least in a private window so the exception won't be saved.

Re: How to fix missing "I Understand the Risks" section / "Add Exception..." button

Posted: 2021-05-09, 07:33
by jobbautista9
gepus, please don't encourage bad security practices, even if you include a "do it at your own risk" warning. Moonchild has already said why it's a very bad idea to bypass HSTS.

Re: How to fix missing "I Understand the Risks" section / "Add Exception..." button

Posted: 2021-05-09, 09:33
by Moonchild
gepus wrote (2021-05-08, 20:45):
> browser.xul.error_pages.expert_bad_cert = true
If you're not a security expert and know exactly what you are doing and all the implications of it, you should not change that preference. Hint is in the name.

Re: How to fix missing "I Understand the Risks" section / "Add Exception..." button

Posted: 2021-05-09, 20:20
by Lunokhod
https://www.top-rated.online/cities/Lan ... ang+Hermes
Here the website address is given as http, not https. But trying to go to it results in the s getting added and the error. In Firefox it says the certificate expired in 2020 and lets you choose to proceed with a button, and then it doesn't take you there at all but redirects to here:
https://www.foodandco.se/
and you can get to that without any error message at all from Pale Moon, so the actual site you are trying to get to is secure and up to date, so it appears it's only a redirect from an old address that's failing in the example?

Re: How to fix missing "I Understand the Risks" section / "Add Exception..." button

Posted: 2021-05-10, 01:57
by Lunokhod
Reading more about this I see why this is like this now, because the browser can't know where the site redirects to in advance. Although it is possible to get free SSL certificates from places like Let's Encrypt, for businesses who employ 3rd parties to provide their website this may not be an option, so it's a problem with the system in general that a redirect from an old domain needs a valid SSL certificate for as long as it exists.
I did find this workaround to get the redirect address from the site without visiting it though, this SSL / security test:
https://www.ssllabs.com/ssltest/
(which I'm sure Moonchild showed me something on here before) and amongst the results from the (lengthy) tests it runs is the redirect!
HTTP forwarding https://foodandco.se
And then I found this site which tests only redirects and gives a very fast answer:
https://www.redirect-checker.org/index.php
So that could be useful (although you would then have to try and determine if the redirect was safe to visit if you got this for real.)