Main Area and Open Discussion > General Software Discussion

Using noscript to force https ssl links in firefox

<< < (4/5) > >>

lanux128:
isn't there a way to change the default behaviour of FF to accept faulty certs? I have been wanting to change that, because right now I simply switch to Opera for these sites.

I also forgot how to set up a site as an exception to be accepted with a faulty cert. Could you tell us how to accomplish that?-brahman (April 30, 2009, 09:30 AM)
--- End quote ---

to change the settings, go to options > advanced > encryption > 'view certificates'. then from the 'certificate manager' dialog, go to 'servers' tab and remove the certs that you don't need.. hth

f0dder:
Ummm... why would you accept faulty certs globally? Isn't that a pretty stupidly insecure thing to do? Do you really visit that many sites with self-signed certs that it's a nuisance to accept certificates per site? O_o

brahman:
@lanux128:
Thanks for your help. You know why I wasn't able to find it? My dpi, resolution, and font settings are a bit unusual, so the box never showed the "Add Exception" button, which is the one I was looking for. I only needed to expand the dialogue size and there it was tucked away on the far right corner ;D!

@f0dder:
It would be. Guess I was not clear: Not accept faulty certs globally, but allow to accept them with a confirmation click (i.e. old FF2 default behaviour is wanted here) instead of going through the rigamarole. But after I found again my "Add Exception" button, I guess that won't be necessary so much any more :Thmbsup:.

Regards,

Brahman

lanux128:
Thanks for your help. You know why I wasn't able to find it? My dpi, resolution, and font settings are a bit unusual, so the box never showed the "Add Exception" button, which is the one I was looking for. I only needed to expand the dialogue size and there it was tucked away on the far right corner-brahman (May 01, 2009, 08:53 AM)
--- End quote ---

you're welcome.. it was quite of a procession for me too when i first went looking for it. :)

brahman:
There is another FF extension which forces HTTPS and has the additional feature of setting SECURE cookies. The authors have a very good paper  :up: on their site explaining a lot of details of how to secure your site and your browser. The use of secure cookies in this process is very important.

Here is the site for "Force HTTPS" extension:
https://crypto.stanford.edu/forcehttps/

and here are the changes I made to the .js file of the extension in the following folder location
..\extensions\[email protected]\defaults\preferences\forcehttps.js
in order to connect to Donationcoder securely:

Spoiler// Rewriting rules (client-side)
pref("forcehttps.rewriting.rules.^http://(([^/]+[.])?donationcoder[.]com)/",
    "https://$1/");

// Full ForceHTTPS cookie protection
pref("forcehttps.blocking.rules.(^|[.])donationcoder[.]com$", true);

// Partial ForceHTTPS cookies (only allowed client-side)
pref("forcehttps.stripcookies.rules.(^|[.])donationcoder[.]com$", true);



If anybody knows a simple way (i.e. not sniffing) of determining if a cookie has been set securely or not, I would appreciate if (s)he could share that information with me.

The use of Force HTTPS seems to be even more secure than noscript because of the secure cookie setting feature.

I have noscript permanently deactivated, because I think it is almost impossible (at least for my surfing habits) to browse the web without the use of java script. So it is too much of a nuisance for me  :huh:. FF3.5 will hopefully make the possibility of cross scripting attacks more remote, FWIU.

Regards,

Brahman

Navigation

[0] Message Index

[#] Next page

[*] Previous page