"I understand the risks" option removed from security alert page?


Unread post by Weboh » 2018-07-20, 03:14

I'm trying to connect to old.reddit.com. Apparently they didn't renew the security certificates for certain pages on it, so I get the "Untrusted Connection" page. When I've hit that page in the past, I've been able to press "technical details" and then "I understand the risks" and proceed. I don't see that option on this error page.

Was that option removed? Why? I understand the risks and want to connect anyway. My computer shouldn't tell me how to use it. I'm seeing this more often with new software and it really bugs me... /EndRant


Unread post by coffeebreak » 2018-07-20, 03:28

Weboh wrote: Apparently they didn't renew the security certificates for certain pages on it, so I get the "Untrusted Connection" page.

Which pages? Would you please provide links?

Old reddit opens with no trouble here, no expired certs.
(PM 27.9.4, Win 7 x86)

Qualys: A+

Unread post by Weboh » 2018-07-20, 03:39

Okay, it looks like the main page does open. I edited the address to my profile page in the address bar from regular reddit and got the error page. Following a link from old.reddit.com did take me there though. I still can't type in the address to get there, but following a hyperlink is fine...
Off-topic:
Though it doesn't actually take me to what the old profile page looked like...
Anyway, I understand this is a weird case. Is that option removed from that error page for other websites?


Unread post by Moonchild » 2018-07-20, 03:49

Whether you get the option to make an exception (which you should only EVER do if it's a machine YOU control or if you are 100% sure, without a doubt, that it's kosher) depends on a number of factors: scheme, whether the site is framed or not, etc. -- There are plenty of situations where adding an exception is a guaranteed bad thing, or where normal security practice should never, ever, make an exception to a security alert, and in those cases the exception option is not available.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite


Unread post by Weboh » 2018-07-20, 04:17

But in this case it was safe, as seen by the fact the page loaded if I followed a link to get to it. So, why does Pale Moon get to make the decision instead of me? Shouldn't a manual override always be an option? Shouldn't I have control over how I use the program?


Unread post by Moonchild » 2018-07-20, 05:14

Weboh wrote: But in this case it was safe
If it was, you wouldn't get a security alert in the first place.
Weboh wrote: Shouldn't a manual override always be an option?
No. It's called "best practice considerations". Should you allow a visitor to your park to remove a safety railing so they can plummet off a cliff?

Unread post by roytam1 » 2018-07-20, 06:24

Weboh wrote: I'm trying to connect to old.reddit.com. Apparently they didn't renew the security certificates for certain pages on it, so I get the "Untrusted Connection" page. When I've hit that page in the past, I've been able to press "technical details" and then "I understand the risks" and proceed. I don't see that option on this error page.

Was that option removed? Why? I understand the risks and want to connect anyway. My computer shouldn't tell me how to use it. I'm seeing this more often with new software and it really bugs me... /EndRant
Yeah, sometimes the lower part of the alert page is missing (not showing); in the worst case you may try a new profile to see whether it reappears or not.

And for an HTTPS error, you may check whether your computer clock is in sync.

Unread post by Weboh » 2018-07-20, 15:18

Moonchild wrote:
Weboh wrote: But in this case it was safe
If it was, you wouldn't get a security alert in the first place.
Then why did the same page load without any warnings a second later when I loaded it a different way? Pale Moon assumed something was going on with the page, but I, knowing better than the program, wanted to override it.
Moonchild wrote:
Weboh wrote: Shouldn't a manual override always be an option?
No. It's called "best practice considerations". Should you allow a visitor to your park to remove a safety railing so they can plummet off a cliff?
In that case, they wouldn't need to remove it; if they were determined, they'd find a way over it (in this case, I could simply use an alternative browser, I guess). But if a visitor jumps over the railings, ignoring the signs saying "DANGER YOU COULD KILL YOURSELF" and dies, they can't really blame you.


Unread post by TwoTankAmin » 2018-07-20, 15:28

I had the same issue. I was looking for info on an update for Windows 7 over the weekend and as usual I Googled it. My go-to site for what comes up is one of the Ask Woody sites. I have been visiting it for a few years. I believe it to be a safe site.

When I surfed to it that warning came up without the option to take the risk. The risk was the site certificate had expired 2 hours or so earlier. So I felt the site was safe and this was just a mistake on their part not having updated it yet. But I had no option to proceed.

I understand the desire for Pale Moon to provide protection and security to its users, this is their decision to make. However, it is my, and other users', right to choose whether to proceed or not. Pale Moon made a bad decision for me in this case.

If you are unwilling to provide that function with the ability for a user to choose to continue, then please tell me how I can turn that feature off completely. I prefer not to have it in that case.

Thanks
“No one has ever become poor by giving.” Anonymous
“Everyone is entitled to his own opinion, but not to his own facts.” Daniel Patrick Moynihan
"The good thing about science is that it’s true whether or not you believe in it." Neil DeGrasse Tyson


Unread post by satrow » 2018-07-20, 16:57

TwoTankAmin wrote: I had the same issue. I was looking for info on an update for Windows 7 over the weekend and as usual I Googled it. My go-to site for what comes up is one of the Ask Woody sites. I have been visiting it for a few years. I believe it to be a safe site.

When I surfed to it that warning came up without the option to take the risk. The risk was the site certificate had expired 2 hours or so earlier. So I felt the site was safe and this was just a mistake on their part not having updated it yet. But I had no option to proceed.

I understand the desire for Pale Moon to provide protection and security to its users, this is their decision to make. However, it is my, and other users', right to choose whether to proceed or not. Pale Moon made a bad decision for me in this case.

If you are unwilling to provide that function with the ability for a user to choose to continue, then please tell me how I can turn that feature off completely. I prefer not to have it in that case.

Thanks
That is a safe site, the issue was simply that the cert. had been auto-repurchased but there was some holdup preventing him from loading the cert. correctly (Woody eventually resorted to buying a second cert. from a different company who patched it into the system in no time).

I believe I use PM with default OCSP settings and I had no trouble bypassing the 'unsafe' site warning during the first hour of that warning coming up, about three clicks was all it took.


Unread post by TwoTankAmin » 2018-07-20, 17:41

What are OCSP settings?

Unread post by Moonchild » 2018-07-20, 18:17

Weboh: your equivalent of climbing over the railing would be to patch the code and build your own private build that allows you to jump regardless.

Unread post by TwoTankAmin » 2018-07-20, 18:53

satrow wrote: That is a safe site, the issue was simply that the cert. had been auto-repurchased but there was some holdup preventing him from loading the cert. correctly (Woody eventually resorted to buying a second cert. from a different company who patched it into the system in no time).
I assumed something like that had happened.

Continuing to the site in this case is not climbing over the railing, it is a perfectly valid reason why the "I understand the risks" option is not out of bounds. I needed that info and could not get it and there was no risk at that time. Had I been able to use such an option, I would have. Most times I see the warning I cannot say it isn't valid and I will heed it. Basically the railing was put where the drop was under 1 foot (30.5 cm) in the case of Woody.

And that is why users should have a choice. If they behave foolishly, then they have only one person to blame.

Unread post by Weboh » 2018-07-20, 19:06

Can't you see our reasoning for why always allowing a manual override would be a good idea? There is a good reason for it: The browser can make false alarms. A program like Norton has a lot more resources behind it than you do for detecting shady things, yet they make false alarms from time to time. The developers know that and allow you to override the default.

I don't mind the measure being in place; it's good to know a site may be shady and make me think twice about going there. But I, not the browser, should have the final say.

Unread post by satrow » 2018-07-20, 19:09

TwoTankAmin wrote: What are OCSP settings?
Certificate Validation, some are readily found via Pale Moon Commander, others might be changed via about:config.
[Attachment: OCSP.jpg]
Note that I'm still using the temp. cert for AskWoody, bypassed via the option on the default PM cert. warning. It's possible *something* your side has changed that default.


Unread post by yami_ » 2018-07-20, 22:38

Weboh wrote: The browser can make false alarms. A program like Norton has a lot more resources behind it than you do for detecting shady things, yet they make false alarms from time to time. The developers know that and allow you to override the default.
Identifying computer viruses is very different to performing TLS connections. If a TLS implementation can generate a false alarm, then it is broken.
Weboh wrote: But I, not the browser, should have the final say
Many TLS errors can not be overridden, because no way exists to override them. For example:
  • SSL_ERROR_NO_CYPHER_OVERLAP
  • SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE
  • SSL_ERROR_UNSUPPORTED_VERSION
  • SSL_ERROR_UNKNOWN_CIPHER_SUITE
  • SSL_ERROR_NO_CIPHERS_SUPPORTED
Sometimes the server will refuse to connect. No override exists for this.


Unread post by TwoTankAmin » 2018-07-21, 02:02

Unfortunately, I do not use Pale Moon Commander. I used to have it but had no clue how to use most of it, so I deleted it. I almost never go into about:config any more. I used to do that occasionally, but I discovered it caused me more problems than it solved. I basically use Pale Moon as close to how it downloads as possible these days. I still use the same 6 extensions I have had since Firefox as well. Well that is not quite true, I had to switch to ABL in place of my original ad blocker from FF.

I am the poster boy for the Pale Moon users who have minimal digital skills.

Unread post by Moonchild » 2018-07-21, 05:29

To complete this topic, also: the behavior has not changed recently in any way that I am aware of.

Some dangerous situations (like framed secure connections) don't allow overrides even though it would technically be possible -- because there would be no way to verify the secure connection in the UI, for example -- and other types of errors as yami pointed out simply cannot be overridden.

It has been like this for a very long time. This is nothing new.

Being able to add exceptions is already a concession made to practical use, and should only be done if you know exactly what is going on and why the connection errored. Unfortunately this necessity to cater to broken cert chains in some situations is abused by people who just want to connect at all costs right then and there, without knowing the details. Unless you control the target server yourself, have some other unwavering trust in the machine you are connecting to, or have verified the cert's fingerprint with the server owner, you should not even be looking at the exception window.
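The fingerprint check Moonchild describes, as an added example that is not part of the original thread: it computes the SHA-256 fingerprint of the certificate a server presents and compares it with the value the server owner gave out of band. The function names and the sample bytes are constructed for illustration; `fetch_der` uses the standard-library `ssl.get_server_certificate`, which retrieves the certificate without validating it.

```python
import hashlib
import hmac
import re
import ssl


def der_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, shown as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def normalize(fp: str) -> str:
    """Accept the fingerprint however it was passed on (colons, spaces, case).

    Only separators are stripped; any other stray character is an error, so a
    label pasted along with the value cannot be mistaken for hex digits.
    """
    compact = re.sub(r"[\s:\-]", "", fp).upper()
    if not re.fullmatch(r"[0-9A-F]{64}", compact):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return compact


def matches(der: bytes, owner_fp: str) -> bool:
    """True only if the presented certificate is exactly the owner's one."""
    return hmac.compare_digest(normalize(der_fingerprint(der)),
                               normalize(owner_fp))


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate as presented; no trust decision is made here."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed sample: placeholder bytes standing in for a DER certificate, and
# the fingerprint as the owner might read it out (lower case, space separated).
SAMPLE_DER = b"constructed bytes standing in for a DER certificate"
SAMPLE_OWNER_FP = der_fingerprint(SAMPLE_DER).lower().replace(":", " ")

if __name__ == "__main__":
    print("presented:", der_fingerprint(SAMPLE_DER))
    print("match:", matches(SAMPLE_DER, SAMPLE_OWNER_FP))
    print("tampered match:", matches(SAMPLE_DER + b"\x00", SAMPLE_OWNER_FP))
```

For a live host, pass `fetch_der(host, port)` to `matches` together with the fingerprint obtained from the owner, and add the exception only when it returns `True`.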


Unread post by Scribe » 2018-07-21, 11:43

I had this issue with AskWoody and there was no option to add an exception, so knowing that it was a safe site with a slightly out of date certificate, in about:config I changed network.stricttransportsecurity.enabled to False by double clicking on it. You then need to restart PM. After doing that I had the option to add an exception, but if you do it, I STRONGLY SUGGEST unticking the box - as I did, 'Permanently store this exception,' that way, it will only apply to one visit of the site, but if absolutely necessary you can repeat it.
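The preference named above controls HTTP Strict Transport Security (HSTS, RFC 6797), and section 12.1 of that RFC tells browsers to give the user no recourse on a certificate error for a host with an HSTS policy. The following is an added, simplified model of when an exception is offered, combining that rule with the framed-content and handshake-error cases from the earlier posts; it is not Pale Moon's code, and the function names, host names and sample header are constructed.

```python
from dataclasses import dataclass

# Certificate-trust errors (NSS names); only these have a certificate to except.
CERT_ERRORS = {"SEC_ERROR_UNKNOWN_ISSUER", "SEC_ERROR_EXPIRED_CERTIFICATE",
               "SSL_ERROR_BAD_CERT_DOMAIN"}


@dataclass
class HstsEntry:
    expires: float            # absolute time (seconds) at which the policy lapses
    include_subdomains: bool


def parse_sts(header: str, now: float):
    """Parse a Strict-Transport-Security value (RFC 6797 6.1); None if invalid."""
    max_age, include_sub, seen = None, False, set()
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:
            return None                      # repeated directive: ignore header
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not (value.isascii() and value.isdigit()):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None                          # max-age is mandatory
    return HstsEntry(now + max_age, include_sub)


def is_hsts_host(host: str, store: dict, now: float) -> bool:
    """True if host, or a parent with includeSubDomains, has a live policy."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry and entry.expires > now and (i == 0 or entry.include_subdomains):
            return True
    return False


def exception_offered(host, error, store, now, framed=False) -> bool:
    """Model of whether an 'add exception' choice is shown for this failure."""
    if error not in CERT_ERRORS:
        return False      # handshake/protocol failure: no certificate to accept
    if framed:
        return False      # framed content: the UI cannot show what is trusted
    return not is_hsts_host(host, store, now)


# Constructed sample: example.test sent this header at time NOW.
NOW = 1_532_000_000.0
STORE = {"example.test": parse_sts("max-age=31536000; includeSubDomains", NOW)}

if __name__ == "__main__":
    for host, err in [("www.example.test", "SEC_ERROR_EXPIRED_CERTIFICATE"),
                      ("other.test", "SEC_ERROR_EXPIRED_CERTIFICATE"),
                      ("other.test", "SSL_ERROR_NO_CYPHER_OVERLAP")]:
        print(host, err, exception_offered(host, err, STORE, NOW + 60))
```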


Unread post by aveinc » 2018-08-22, 05:23

I too have this problem. OS is Mac OSX 10.13; PM 27.6.2.

The specific site system I am using is a Raspberry Pi being used exclusively as a printserver on the inside of a non-connected internet used for r&d purposes. As such it has non-routable addresses and no connection. I installed and built Raspbian (Raspberry Pi's version of Debian Linux) with full SHA-256 key checking, so I'm as sure as I can be that the OS is clean. Default passwords were changed and the usual security stuff was set/corrected.

Raspbian Linux uses CUPS as a print server, which was downloaded using apt-get. It demands an HTTPS connection but uses an OpenSSL-generated cert. Of course this is not registered outside of this network and I will not pay the rates "trusted" CAs want for a simple small r&d network. One, there is no need. Two, after the Thawte/Verisign data breach, I have no guarantee their certs are any better than a privately generated key. Three, I could care less if the outside world doesn't trust my certs on my private network, but darn sure do care that my browsers on my internal machines can do the work I need them to do.

Here's my problem: I can access CUPS using PM as follows:

https://10.0.12.51:631/
And the CUPS screen pops right up. All is well. I click on the printer link and the old "Untrusted Connection" pops up, with the option "I understand the risks." Click on that and it gets to the add exception screen. So far so good.
Click the add exception screen and it brings up the override screen referring to the site https://10.0.12.51:631/printers and gives the message:
"This site provides verified valid information. There is no need to add an exception." The confirm is greyed out, leaving only the cancel option, and PM will not allow me to access the screen.

The cert flag is "could not verify because the issuer is unknown." which of course it wouldn't be known as it is privately generated.

So, on the one hand PM lets me access the site after override, but not subsequent web pages on the CUPS server and won't let me override for reason that the cert is "valid."

Now, that's gotta be a bug doesn't it?

I'm with the crowd that says I, not the browser, should be the judge of whether or not a site I'm trying to use is ok to access. But, I'd like to know how to get past this roadblock on this particular network which is isolated from the rest of the internet and always will be.

If on the other hand I were to access a highly risky site filled with trackers and snoop code, like say, google.com, and it came up with an https cert error, then I'd probably decide not to override. I think you need to consider that people who want to use software like PM are probably technically a little more savvy than the average safari/chrome/firefox crew, and we generally do know what we are doing and why. But I could be wrong.
