Disabling Firefox’s ‘Secure Connection Failed’ Warning
Although controversial, Firefox 3’s secure connection failed warning, shown when a website’s digital certificate is invalid or self-signed, can be easily disabled.
- In the address bar, type about:config and press ‘Enter’.
- You’ll get a warning message, ‘This might void your warranty!’; click ‘I’ll be careful, I promise!’
- Double-click browser.ssl_override_behavior and change the value from ‘1’ to ‘2’.
- Restart Firefox.
Instead of disabling the notice altogether, you can have a warning displayed – without having to add an exception.
- browser.xul.error_pages.expert_bad_cert = true
Firefox’s anti-phishing warnings will still warn users if a specific site is suspicious. I’m not convinced that the secure connection failed warning really helps the average user, since they won’t know what it is. Either way, you can now get around it.
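An added example, not part of the original post: a check for whoever supports these machines and needs to know whether a Firefox profile has had either of the two prefs above changed. It scans prefs.js/user.js text for `user_pref` lines; the stock values (1 and false) are assumptions inferred from the steps above, and the sample profile text is constructed.

```python
import re

# Prefs this page changes, mapped to the value treated as stock.
# Assumption: 1 is stock for ssl_override_behavior (the steps change it from
# 1 to 2) and false is stock for expert_bad_cert (the page sets it to true).
STOCK = {
    "browser.ssl_override_behavior": 1,
    "browser.xul.error_pages.expert_bad_cert": False,
}

# Profile pref files hold lines of the form: user_pref("name", value);
# Anchoring at line start means commented-out (//) prefs never match.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_value(raw):
    """Convert a pref literal (bool, int or quoted string) to Python."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw.strip('"')

def differs(value, stock):
    # Compare the type as well, because True == 1 in Python.
    return type(value) is not type(stock) or value != stock

def audit_prefs(text):
    """Return {pref: value} for watched prefs that differ from stock.
    A later line overrides an earlier one for the same pref."""
    seen = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) in STOCK:
            seen[m.group(1)] = parse_value(m.group(2))
    return {k: v for k, v in seen.items() if differs(v, STOCK[k])}

# Constructed sample profile content (not taken from a real machine).
SAMPLE = '''\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("browser.ssl_override_behavior", 1);
// user_pref("browser.xul.error_pages.expert_bad_cert", false);
user_pref("browser.xul.error_pages.expert_bad_cert", true);
user_pref("browser.ssl_override_behavior", 2);
'''

if __name__ == "__main__":
    for name, value in audit_prefs(SAMPLE).items():
        print(f"non-stock certificate-warning pref: {name} = {value}")
```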
Each Tuesday, Security Musings features a topic to help educate our readers about security. For more information about Gemini Security Solutions’ security education capabilities, contact us!
24 thoughts on “Disabling Firefox’s ‘Secure Connection Failed’ Warning”
I still think having something/someone out there checking that the certs are valid is a good option. As I mentioned before the “Perspectives” add-on is a great alternative and I think it will also help build a respectable database of valid certs if that data is ever used outside the project.
http://securitymusings.com/article/415/perspectives-firefox-extension
So what I don’t get is the huge number of sites as a SysAdmin that I have to get to on my internal network that are SSL signed. Off the top of my head, iLo and DRAC both are self signed SSL required, add in any network switches which have https turned on, many NAS appliances and the like. Even HP printers can have SSL turned on for management. What I don’t like is the inability to revert to the v2 / IE6 type of “click once” to get to the page. This has become a 4 click endeavor, and is outright driving me crazy. I’m only running FF3 on 1 laptop now and will not upgrade any other machines due to this “security enhancement”
Reminder – security requires a balance between hoops to jump and a user’s willingness. Complex passwords are no good if they’re on a sticky note attached to the monitor…..
@ eJoe:
I agree, the option should be available. But warnings about things that most people don’t understand will continue to fly right over their heads and have them miss out on plenty of legitimate sites.
Because of this I’ve reverted to using Internet Explorer 6 as most of the military sites I want/use have expired certificates.
Goodbye Mozilla; you can have too much of a good thing you know!!
Almost every internal site I touch has expired certs. We’re just coming off a merger and it’s ugly. HR, payroll, all my source code. Even the fix above didn’t stop some of the sites (my expenses of course).
Bye-bye Firefox.
people, wake up. read the freaking post — it’s very easy to change this
Thank you for the solution, it works 🙂 It has helped me a lot in my daily work, where I have a lot of SS certs.
The fix above hasn’t worked for me – it made no difference. This is driving me crazy – I’m also using lots of internal sites with this problem – the biggest problem I have is that I’m using Selenium to auto-test many websites, and Selenium creates a brand-new profile for each test.
Anybody suggest how to fix?
Any help REALLY appreciated…
This didn’t work for me either + my setting was already at ‘2’
While I appreciate Firefox offering this it should be an option. I am unable to get to my bank, paypal,..
Awesome job, thanks so much for putting it out there! Love your blog, and posts like this really illustrate why.
sweet that fixed my problem, props to you whoever you are 🙂
“Double-click browser.ssl_override_behavior and change the value from ‘1’ to ‘2’.”
This value is already “2” in my browser (3.6.3), and I am getting the warning.
Always entertaining to discover another point of view, lovely 🙂
You might have a problem with the calendar on your computer. I had the problem. Couldn’t figure it out. Double-clicked on my “Time” icon on the task manager. (Where you set the time on your computer.) I checked the calendar. Somehow the date had reverted back to 2004. I set the correct date on the calendar. Problem solved. Might work for you, too.
you have a good taste.
another waste of time and crop
Nice website greatly help me locate the info we were searching for
Thank you for information about Mozilla. I like Mozilla, because it makes it all work.
The suggested “fix” doesn’t work for me either, the value was already 2.
There was absolutely nothing wrong with the prior FF behavior.
Give an invalid SSL warning to the user, but let them proceed if they need to. There is nothing insecure about this approach. After all, a site with an expired/self signed cert is no less safe than a site without HTTPS at all.
The current situation is intolerable, and frankly the developers who insist on this after years of bug reports are totally moronic.