Improving revocation : will Let's Encrypt support OCSP Must-staple?

ARGH, now Firefox does not only log the issue but blocks the page with an unignorable SSL error.
So the Firefox bug becomes much more critical.

But well, this is one point of HPKP: if anything fails you won't get in, no matter what.
And there can and will always be bugs.

I think it's a bit sad that someone who has more knowledge cannot get around these.

As the HPKP header is ignored

[quote="My1, post:62, topic:4334"]
But well, this is one point of HPKP: if anything fails you won't get in, no matter what. And there can and will always be bugs.
[/quote]

That's right, but in his case it was not an HPKP error.

One can, but it's really difficult (as it should be). AFAIK Chrome has the possibility to delete HPKP pins. It's hidden in some internal Chrome URI...

Yes, it's at chrome://net-internals/#hsts


But in other browsers (I use Firefox) I haven't seen any way around this.

And I think that there should be at least a little bit easier way than deleting the keys (for example, type yes to continue), plus a bad mark in the URL bar.

“Type yes to continue” runs straight into the Dancing Pigs Problem which is how we got here in the first place.

Remember, Microsoft ran actual ordinary users, in a usability test lab, with their own bank credentials through a test where they were supposed to try to log into the bank with various modified Internet Explorer models and get something done.

The users stubbornly ignored interstitials, ignored decor like broken lock symbols meant to indicate security problems, and clicked through warning dialogs. They typed their own, real credentials into unsecured HTTP pages, pages with errors, pages that were obviously (to you or me) a MITM attempt. They didn't care, because to an ordinary user these things are just obstacles between them and getting the task of logging in done.

So that’s why the modern features like HSTS and key pinning don’t have a “Click yes” step. Because every ordinary user will click yes, every time, no matter what. Offering them a “click yes” step has the effect of giving them no security whatsoever. Railing against human nature may feel good to you, but it’s futile.


Well, "click yes" is not completely like "type yes", because it takes a bit more time and maybe lets the user think, but I get what you are saying.

But does Firefox have a feature to kick HSTS and/or HPKP settings out (for example, to check whether some pages have HSTS tracking for me or whatever, and kick that)?

Firefox stores observed HSTS and HPKP headers in the SiteSecurityServiceState.txt file within your profile; manually editing that file is the only way of resetting a site's status.

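As an added example (not code from the thread or from Mozilla), here is a small script for inspecting and resetting a single host's HSTS/HPKP entries in a copy of that file. It assumes the line layout `<host>:<HSTS|HPKP>` followed by a tab and fields this script treats as opaque; the sample lines are constructed, and the script only touches a file you point it at. Close Firefox before editing the real file, since Firefox rewrites it on exit.

```python
"""Inspect and reset per-site HSTS/HPKP state in Firefox's
SiteSecurityServiceState.txt (added example, not from the thread)."""
from pathlib import Path
import shutil

# Constructed sample. Assumed layout per line: "<host>:<HSTS|HPKP>\t<opaque fields>".
SAMPLE_STATE = (
    "example.com:HSTS\t0\t17135\t1513000000000,1,0\n"
    "example.com:HPKP\t0\t17135\t1513000000000,1,0,sha256hash=\n"
    "other.example:HSTS\t0\t17135\t1513000000000,1,1\n"
)

KNOWN_KINDS = ("HSTS", "HPKP")


def parse_entries(text):
    """Return (host, kind, rest) tuples; lines in an unknown layout are kept
    verbatim as (None, None, line) so nothing is silently dropped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, rest = line.partition("\t")
        host, colon, kind = key.rpartition(":")
        if not colon or kind not in KNOWN_KINDS:
            entries.append((None, None, line))
            continue
        entries.append((host, kind, rest))
    return entries


def list_hosts(text):
    """Hosts that currently have any pinned/HSTS state recorded."""
    return sorted({host for host, _, _ in parse_entries(text) if host})


def remove_host(text, host, kinds=KNOWN_KINDS):
    """Drop the entries for exactly `host` (subdomains untouched) and return
    the new file contents. Only lines whose kind is in `kinds` are removed."""
    kept = []
    for line in text.splitlines():
        key = line.partition("\t")[0]
        entry_host, _, kind = key.rpartition(":")
        if entry_host == host and kind in kinds:
            continue
        kept.append(line)
    return "\n".join(kept) + ("\n" if kept else "")


def reset_host_in_profile(state_path, host):
    """Rewrite the real file with `host` removed, keeping a .bak copy first.
    Firefox must be closed while this runs or it will overwrite the edit."""
    path = Path(state_path)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    new_text = remove_host(path.read_text(encoding="utf-8"), host)
    path.write_text(new_text, encoding="utf-8")
    return new_text


if __name__ == "__main__":
    print("hosts with state:", list_hosts(SAMPLE_STATE))
    print(remove_host(SAMPLE_STATE, "example.com"), end="")
```

Matching is on the exact host, so resetting `example.com` leaves `www.example.com` alone; pass `kinds=("HPKP",)` to clear only the pin and keep the HSTS entry.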

But if it is said on the warning page that you can type in any rubbish to ignore the warning, users will do so (to see their dancing pigs). As @tialaramex said, such a thing is an obstacle.
It might be okay if there are no instructions given on the warning page on how to do that and the word is more complex than "yes", e.g. "IgnoreSeriousError", case-sensitive. This would be similar to how cheats work in games. Don't know though if browsers should add such cheats, as the user feedback is bad (the user does not see what happens) and it is really a strange UX thing to let users type in texts.
Therefore modifying keys or TXT files is a much better choice. Only experienced users can do this, and all other users have no way. If such users really care they would search the web for a solution and then they may find it. In such a case they quite likely have serious reasons for skipping that warning and are at least experienced enough to find a solution.