How do I bypass "SEC_ERROR_OCSP_OLD_RESPONSE"?

Stargate38
Moonbather
Posts: 60
Joined: 2018-05-27, 22:55
Location: Earth

How do I bypass "SEC_ERROR_OCSP_OLD_RESPONSE"?

Post by Stargate38 » 2019-03-08, 00:36

I had this error on a website that I routinely access (site has been redacted for privacy reasons):

Secure Connection Failed

An error occurred during a connection to [redacted].

The OCSP response contains out-of-date information.

(Error code: SEC_ERROR_OCSP_OLD_RESPONSE)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.
In this thread, Moonchild mentioned "setting security.ssl.allow_unsafe_ocsp_response to true in about:config", but I couldn't find that setting. How do I bypass it?

Isengrim
Board Warrior
Posts: 1325
Joined: 2015-09-08, 22:54
Location: 127.0.0.1

Re: How do I bypass "SEC_ERROR_OCSP_OLD_RESPONSE"?

Post by Isengrim » 2019-03-08, 02:19

The info in that thread is probably outdated. The allow_unsafe_ocsp_response pref doesn't seem to exist in the codebase anymore. I'm afraid I don't know more than that.
a.k.a. Ascrod
Linux Mint 19.3 Cinnamon (64-bit), Debian Bullseye (64-bit), Windows 7 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story

Frasier
Lunatic
Posts: 252
Joined: 2014-05-07, 02:44
Location: Indiana

Re: How do I bypass "SEC_ERROR_OCSP_OLD_RESPONSE"?

Post by Frasier » 2019-03-08, 04:11

@ Stargate38: Moonchild mentions another setting further on in that same thread, however I'll let you read and find it for yourself. That way you will be made aware of the issues you face by changing that other setting.

Moonchild
Pale Moon guru
Posts: 35593
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: How do I bypass "SEC_ERROR_OCSP_OLD_RESPONSE"?

Post by Moonchild » 2019-03-08, 06:18

Stargate38 wrote: site has been redacted for privacy reasons
Well, your course of action is to contact this redacted site, who are likely running old web server software with this flaw, and to have them update to a fixed version.

With UXP I did not re-implement this (band-aid) preference since at the time, all mainstream web server software that previously had this flaw (mainly versions of NginX) had already fixed their software.

I've said this many times, but please don't ignore what is displayed on your very screen:
Please contact the website owners to inform them of this problem.
It's stated for a reason.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

palacs

Re: How do I bypass "SEC_ERROR_OCSP_OLD_RESPONSE"?

Post by palacs » 2019-03-09, 18:41

With this attitude you are not contributing to anyone's security. You are just simply destroying user freedom. There are many situations where one may need to bypass a security warning like this, for example testing, using legacy products on a secured internal network that can't be upgraded, or just simply the need for some download from a site with an unreachable webmaster.

I hope you'll change your mind and re-implement the possibility in UXP to bypass this warning.

New Tobin Paradigm

Re: How do I bypass "SEC_ERROR_OCSP_OLD_RESPONSE"?

Post by New Tobin Paradigm » 2019-03-09, 20:05

The merit of the preference at this point is debatable. As for your "User Freedom": you, as a user, have the freedom to use something else in this case. What a ridiculous argument. Cause guess what security bypassing preferences allow? A user to bypass and disable them and leave them disabled forever because the USER does not bother to learn why they shouldn't disable a security feature. THEN they run into problems of their own doing and blame us, while others throw the insecure label at us because something is possible but not recommended.

So you can take your now invalidated argument somewhere else and cry to them when you don't get your way.

gepus
Keeps coming back
Posts: 943
Joined: 2017-12-14, 12:59

Re: How do I bypass "SEC_ERROR_OCSP_OLD_RESPONSE"?

Post by gepus » 2019-03-09, 20:57

@Stargate38

There must not exist the possibility to bypass this warning. You probably won't find any browser offering such a bypassing setting and this for a good reason.

Since I have no site at hand to test with, only a wild guess.
What happens if you temporarily disable the OCSP service for that site (security.OCSP.enabled = 0) - at your very own risk, of course.

If you visit that site regularly, do yourself a favor and inform the website owners about the issue, as you have been told.

palacs

Re: How do I bypass "SEC_ERROR_OCSP_OLD_RESPONSE"?

Post by palacs » 2019-03-10, 07:34

New Tobin Paradigm wrote: as a user, have the freedom to use something else in this case
Using something else is not user freedom provided by the software being dumbed down. User freedom is about how to use something, not simply the possibility of using something or not using something. User freedom is when you can disable ESP in your car to drift around - which is of course dangerous if you don't know what you're doing. What you're talking about is the possibility of buying another car that has no ESP. Which is nonsense.
New Tobin Paradigm wrote: A user to bypass and disable them and leave them disabled forever because the USER does not bother to learn why they shouldn't disable a security feature.
Originally we were talking about a preference that can only be turned on via about:config. There is at least one warning message that tells the user that it's not recommended to tinker with those options. If a user doesn't know what the OCSP warning means, he will have to find out. Then he will learn about why it's there during the process of finding the right solution to disable it in about:config. You should not optimize a software product for dumb, ignorant users by even removing the fallback options for advanced users. By the way, the developer should consider implementing an option into the already existing security exception framework by enabling old OCSP responses for individual hosts only.
New Tobin Paradigm wrote: THEN they run into problems of their own doing and blame us
First, Pale Moon comes with no warranty and it's accepted by the end-user upon installation. Second, you warn the user at least twice. First time when he goes to a site with outdated SSL configured. Second when he goes to about:config.

Your argument is like that of a modern corporate cybersecurity maniac saying "we should remove the download feature of EXE files because they can contain viruses and malware and finally they would blame us for letting them get those files onto their computers". Complete idealist nonsense.

If we can add an exception for expired certificates, we should also be able to add exceptions for old OCSP responses on a per-site basis.

The developer should implement an option into the already existing security exception framework by putting a checkbox there, which can enable old OCSP responses for individual hosts only. Then the problem for lamers leaving the global option allow_unsafe_ocsp_response on, will be sorted out.

New Tobin Paradigm

Re: How do I bypass "SEC_ERROR_OCSP_OLD_RESPONSE"?

Post by New Tobin Paradigm » 2019-03-10, 10:59

It isn't a warning. It is an error. Errors should not be bypassed. RESOLVED WONTFIX.

palacs

Re: How do I bypass "SEC_ERROR_OCSP_OLD_RESPONSE"?

Post by palacs » 2019-03-10, 11:18

The underlying SSL library can establish the connection even with an old OCSP response. So it's definitely not an error. It should be a warning like the one we display for an expired certificate, which the user should be able to bypass by adding an exception.

gepus
Keeps coming back
Posts: 943
Joined: 2017-12-14, 12:59

Re: How do I bypass "SEC_ERROR_OCSP_OLD_RESPONSE"?

Post by gepus » 2019-03-10, 12:22

palacs wrote: It should be a warning like the one we display for an expired certificate, which the user should be able to bypass by adding an exception.
How often do you encounter such situations?
Please name a maintained browser which offers such a questionable feature.

You can disable OCSP from the UI.

Kingpin

Re: How do I bypass "SEC_ERROR_OCSP_OLD_RESPONSE"?

Post by Kingpin » 2019-03-10, 17:32

New Tobin Paradigm wrote: The merit of the preference at this point is debatable. As for your "User Freedom" you, as a user, have the freedom to use something else in this case. What a ridiculous argument. Cause guess what security bypassing preferences allow? A user to bypass and disable them and leave them disabled forever because the USER does not bother to learn why they shouldn't disable a security feature. THEN they run into problems of their own doing and blame us while others throw the insecure label at us because something is possible but not recommended.

So you can take your now invalidated argument somewhere else and cry to them when you don't get your way.
I don't know much about OP's specific situation, but has it actually happened that someone blamed you for his own decision? If a user decided to turn off a security feature while knowing what it does, and still complains, then just tell him off. Hopefully PM won't go the road Firefox did...

vannilla
Moon Magic practitioner
Posts: 2189
Joined: 2018-05-05, 13:29

Re: How do I bypass "SEC_ERROR_OCSP_OLD_RESPONSE"?

Post by vannilla » 2019-03-10, 19:11

Kingpin wrote: I don't know much about OP's specific situation but has it actually happened that someone blamed you for his own decision? If an user decided to turn off a security feature while knowing what it does, and still complains, then just tell him off. Hopefully PM won't go the road Firefox did...
Even if the users themselves might not complain, there is a consistent faction whose aim is to discredit Pale Moon for whatever reason.
So a situation like that is enough for them to start a defamation campaign.
Why do you think Moonchild had to write viewtopic.php?f=4&t=21626 otherwise?
I know the reason to not have that preference is stronger than public relations, but still.

JSB2000

Re: How do I bypass "SEC_ERROR_OCSP_OLD_RESPONSE"?

Post by JSB2000 » 2019-03-10, 20:30

palacs wrote: With this attitude you are not contributing to anyone's security. You are just simply destroying user freedom.
Try this: When you encounter a situation like this, imagine the developer(s) getting in your face and screaming "Not with MY browser you won't!"

Hopefully that will give you the shock of reality necessary to do what you need to do. For example:
palacs wrote: There are many situations where one may need to bypass a security warning like this, for example testing, using legacy products on a secured internal network that can't be upgraded, or just simply the need of some download from a site with an unreachable webmaster.
Solution: Accept that the developer(s) are not going to accommodate you. So, let's see: Their current/future software won't do what you need. But...wait...their previous one(s) did, right? So, do what I do: Grab a copy of those old versions and use them just for what doesn't work in the current one. Most can be used side by side with your main "locked down and sealed for your protection" version.

Problem solved. Developer(s) get to satisfy the net-nanny in them. You get the job done with the version of their software that actually works for the task you need doing.

Kingpin

Re: How do I bypass "SEC_ERROR_OCSP_OLD_RESPONSE"?

Post by Kingpin » 2019-03-10, 23:19

vannilla wrote: Even if the users themselves might not complain, there is a consistent faction whose aim is to discredit Pale Moon for whatever reason.
So a situation like that is enough for them to start a defamation campaign.
Why do you think Moonchild had to write viewtopic.php?f=4&t=21626 otherwise?
I know the reason to not have that preference is stronger than public relationship, but still.
Where do the quotes in that thread come from? Anyway, that some people whine isn't a problem. That's something every software in the world suffers from. And I doubt a "rumor control" will prevent them.

Moonchild
Pale Moon guru

Re: How do I bypass "SEC_ERROR_OCSP_OLD_RESPONSE"?

Post by Moonchild » 2019-03-12, 18:21

I'm sorry but practical considerations to (temporarily) bypass standards due to issues with mainstream server software are not in any way a level of freedom you, as a user, can or should demand. Ignoring this error response is dangerous as it can be used to bypass necessary checks for forged stapled responses (which must be stapled by the CA and time-stamped within a reasonable moment from the request to have current revocation status for the certificate offered).

RFC 6066, detailing stapled responses, says in section 8:

    Clients requesting an OCSP response and receiving an OCSP response in a "CertificateStatus" message MUST check the OCSP response and abort the handshake if the response is not satisfactory with bad_certificate_status_response(113) alert. This alert is always fatal.
Bypassing this would make the browser non-compliant with one of the core RFCs for secure internet traffic (TLS extensions).
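As an added example, not code from this thread or from Pale Moon/NSS: a Python model of the freshness check that stands behind SEC_ERROR_OCSP_OLD_RESPONSE, and of the stale-staple replay it exists to block. The field names thisUpdate and nextUpdate are the RFC 6960 SingleResponse fields; the 5-minute clock slop and the 10-day fallback lifetime for responses without nextUpdate are assumptions chosen for this example (they follow the shape of the check in mozilla::pkix, but the numbers are not quoted from the project). The `stale_staple_scenario` timeline is constructed.

```python
# Added example (not Pale Moon/NSS code): the freshness check a browser applies to a
# stapled OCSP response before reporting SEC_ERROR_OCSP_OLD_RESPONSE, and what the
# requested bypass would let through.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values for this example; the shape mirrors mozilla::pkix, the
# exact numbers are my choice and are not taken from the project or the thread.
CLOCK_SLOP = timedelta(minutes=5)                    # tolerated client/responder clock skew
MAX_LIFETIME_WITHOUT_NEXT_UPDATE = timedelta(days=10)  # used only when nextUpdate is absent


@dataclass(frozen=True)
class OcspSingleResponse:
    """The RFC 6960 SingleResponse fields that matter for freshness."""
    cert_status: str                 # "good", "revoked" or "unknown"
    this_update: datetime            # when the responder last knew this status
    next_update: Optional[datetime]  # OPTIONAL in the ASN.1; None if absent


class OcspFutureResponse(Exception):
    """thisUpdate lies further in the future than the allowed clock skew."""


class OcspOldResponse(Exception):
    """Response is past its validity window: the browser's SEC_ERROR_OCSP_OLD_RESPONSE."""


def check_freshness(resp: OcspSingleResponse, now: datetime) -> datetime:
    """Raise if the response is not usable at `now`; otherwise return its notAfter bound."""
    if resp.this_update > now + CLOCK_SLOP:
        raise OcspFutureResponse(f"thisUpdate {resp.this_update} is in the future")
    if resp.next_update is not None:
        not_after = resp.next_update
    else:
        not_after = resp.this_update + MAX_LIFETIME_WITHOUT_NEXT_UPDATE
    if not_after < now - CLOCK_SLOP:
        raise OcspOldResponse(f"response expired at {not_after}, now is {now}")
    return not_after


def handshake_decision(resp: OcspSingleResponse, now: datetime,
                       allow_old: bool = False) -> str:
    """Client side of RFC 6066 section 8 for a stapled response.

    Returns "connect" or "abort"; "abort" stands in for the fatal
    bad_certificate_status_response(113) alert. allow_old=True is the bypass the
    thread asks for: a stale response is trusted as if it were current.
    """
    try:
        check_freshness(resp, now)
    except OcspFutureResponse:
        return "abort"
    except OcspOldResponse:
        if not allow_old:
            return "abort"
    return "connect" if resp.cert_status == "good" else "abort"


def verdict(this_update_offset_min: int, next_update_offset_min: Optional[int]) -> str:
    """Classify a response whose timestamps are given in minutes relative to a fixed 'now'."""
    now = datetime(2019, 3, 8, tzinfo=timezone.utc)  # constructed reference time
    resp = OcspSingleResponse(
        "good",
        now + timedelta(minutes=this_update_offset_min),
        None if next_update_offset_min is None else now + timedelta(minutes=next_update_offset_min),
    )
    try:
        check_freshness(resp, now)
    except OcspFutureResponse:
        return "future"
    except OcspOldResponse:
        return "old"
    return "ok"


def stale_staple_scenario(allow_old: bool) -> str:
    """Constructed timeline showing why staleness is an error rather than a warning.

    Day 0:  the CA's responder signs "good" for the server cert, valid for 7 days.
    Day 3:  the CA revokes the cert; a fresh response would now say "revoked".
    Day 20: the server (or an attacker who kept the old staple) still presents the
            day-0 response. Enforcing freshness aborts; the bypass accepts a revoked
            certificate on the strength of a stale "good".
    """
    day0 = datetime(2019, 3, 1, tzinfo=timezone.utc)
    stale_good = OcspSingleResponse("good", day0, day0 + timedelta(days=7))
    return handshake_decision(stale_good, now=day0 + timedelta(days=20), allow_old=allow_old)


if __name__ == "__main__":
    print("enforcing freshness:", stale_staple_scenario(allow_old=False))  # abort
    print("bypass enabled:     ", stale_staple_scenario(allow_old=True))   # connect
```

A practitioner diagnosing the redacted site can look at what it actually staples with `openssl s_client -status -connect host:443 </dev/null` and compare the printed "Next Update" with the current time: a value in the past means the server is still serving a cached response it should have refreshed, which is the server-side flaw the post above points at, and the fix belongs there rather than in the browser.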

Fedor2

Re: How do I bypass "SEC_ERROR_OCSP_OLD_RESPONSE"?

Post by Fedor2 » 2019-03-14, 20:13

Moderator note: derailing off-topic remark hidden.
By the way, I dumped Skype because of that security, and then liked Discord for allowing it to be non-secure.

So solid and sharp items are to be strictly prohibited, yes; only the mattress wall is allowed.
