Although controversial, Firefox 3’s secure connection failed warning, shown when a website’s digital certificate is invalid or self-signed, can be easily disabled.

  1. In the address bar, type about:config and press Enter.
  2. You’ll get a warning message, ‘This might void your warranty!’. Click ‘I’ll be careful, I promise!’
  3. Double-click browser.ssl_override_behavior and change the value from ‘1’ to ‘2’.
  4. Restart Firefox.

Instead of disabling the notice altogether, you can have a warning displayed – without having to add an exception.

  • browser.xul.error_pages.expert_bad_cert = true

Firefox’s anti-phishing warnings will still warn users if a specific site is suspicious. I’m not convinced that the secure connection failed warning really helps the average user, since they won’t know what it is. Either way, you can now get around it.
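To check whether a profile has had these settings changed, the following added example (not part of the original post) scans a profile's prefs.js and user.js for the two preferences named above. The function names and the sample file content are constructed for illustration; the flagged values are the ones the article gives.

```python
import re
from pathlib import Path

# Preferences named in the article, with the values it describes as
# relaxing the certificate warning.
RELAXED = {
    "browser.ssl_override_behavior": 2,
    "browser.xul.error_pages.expert_bad_cert": True,
}
# prefs.js and user.js hold one preference per line: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

# Constructed sample content, not taken from a real profile.
SAMPLE = '''\
user_pref("browser.startup.page", 3);
user_pref("browser.ssl_override_behavior", 2);
// user_pref("browser.xul.error_pages.expert_bad_cert", true);
user_pref("browser.xul.error_pages.expert_bad_cert", false);
'''

def parse_value(raw):
    """Convert a prefs literal (true/false, integer, "string") to Python."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw.strip('"')

def parse_prefs(text):
    """Return {name: value}; a later line for the same name wins."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)  # commented-out lines do not match
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def relaxed_cert_prefs(text):
    """List (name, value) pairs set to the relaxed values in RELAXED."""
    prefs = parse_prefs(text)
    return [(k, v) for k, v in RELAXED.items()
            if k in prefs and prefs[k] == v and type(prefs[k]) is type(v)]

def scan_profile(profile_dir):
    """Read prefs.js, then user.js, which Firefox applies on top at startup."""
    files = [Path(profile_dir) / n for n in ("prefs.js", "user.js")]
    text = "\n".join(f.read_text(errors="replace") for f in files if f.is_file())
    return relaxed_cert_prefs(text)

if __name__ == "__main__":
    for name, value in relaxed_cert_prefs(SAMPLE):
        print(f"relaxed certificate-warning pref: {name} = {value}")
```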

Each Tuesday, Security Musings features a topic to help educate our readers about security.  For more information about Gemini Security Solutions’ security education capabilities, contact us!

24 thoughts on “Disabling Firefox’s ‘Secure Connection Failed’ Warning”

  1. Tim Donaworth says:

    I still think having something/someone out there checking that the certs are valid is a good option. As I mentioned before the “Perspectives” add-on is a great alternative and I think it will also help build a respectable database of valid certs if that data is ever used outside the project.

    https://securitymusings.com/article/415/perspectives-firefox-extension

  2. eJoe says:

    So what I don’t get is the huge number of sites as a SysAdmin that I have to get to on my internal network that are SSL signed. Off the top of my head, iLo and DRAC both are self signed SSL required, add in any network switches which have https turned on, many NAS appliances and the like. Even HP printers can have SSL turned on for management. What I don’t like is the inability to revert to the v2 / IE6 type of “click once” to get to the page. This has become a 4 click endeavor, and is outright driving me crazy. I’m only running FF3 on 1 laptop now and will not upgrade any other machines due to this “security enhancement”

    Reminder – security requires a balance between hoops to jump and a user’s willingness. Complex passwords are no good if they’re on a sticky note attached to the monitor…..

  3. Anil Polat says:

    @ eJoe:

    I agree, the option should be available. But warnings about things that most people don’t understand will continue to fly right over their heads and have them miss out on plenty of legitimate sites.

  4. gemma Bennett says:

    because of this I’ve reverted to using Internet Explorer 6 as most of the military sites I want/use have expired certificates.
    Goodbye Mozilla; you can have too much of a good thing you know!!

  5. David Warner says:

    Almost every internal site I touch has expired certs. We’re just coming off a merger and it’s ugly. HR, payroll, all my source code. Even the fix above didn’t stop some of the sites (my expenses of course).

    Bye-bye Firefox.

  6. Andy L. says:

    people, wake up. read the freaking post — it’s very easy to change this

  7. kvv says:

    Thank you for the solution, it works 🙂 It has helped me a lot in my daily work, where I have a lot of SS certs.

  8. Robin says:

    The fix above hasn’t worked for me – it made no difference. This is driving me crazy – I’m also using lots of internal sites with this problem – the biggest problem I have is that I’m using Selenium to auto-test many websites, and Selenium creates a brand-new profile for each test.

    Anybody suggest how to fix?

    Any help REALLY appreciated…

  9. Jerry says:

    This didn’t work for me either + my setting was already at ‘2’
    While I appreciate Firefox offering this it should be an option. I am unable to get to my bank, paypal,..

  10. Saundarya says:

    Awesome job, thanks so much for putting it out there! Love your blog, and posts like this really illustrate why.

  11. jimmy1409 says:

    sweet that fixed my problem, props to you whoever you are 🙂

  12. sniderman says:

    “Double-click browser.ssl_override_behavior and change the value from ‘1′ to ‘2′.”

    This value is already “2” in my browser (3.6.3), and I am getting the warning.

  13. Jules Perez says:

    Always entertaining to discover another point of view, lovely 🙂

  14. The content on this submit is really a single of the most effective material that We have ever are available across. I love your article, I’ll appear back to verify for new posts.

  15. Bob Smith says:

    You might have a problem with the calendar on your computer. I had the problem. Couldn’t figure it out. Double-clicked on my “Time” icon on the task manager. (Where you set the time on your computer.) I checked the calendar. Somehow the date had reverted back to 2004. I set the correct date on the calendar. Problem solved. Might work for you, too.

  16. ongun akay says:

    gives use a excellent webpage decent Gives gives thanks for the work to support people

  17. green tea says:

    you have a good taste.

  18. Shon Roth says:

    another waste of time and crop

  19. Nice website greatly help me locate the info we were searching for

  20. dedektif says:

    Thank you for information about Mozilla. I like Mozilla, because it makes it all work.

  21. Locksmith says:

    Relating to security models, specifically for companies, I have to go along with what you’ve said totally. You will find so quite a few alternatives in the marketplace, it’s essential for any specialist to know what is best for his or her situation and as well as specific complex. The ideas you are providing continue to be a terrific aid to businesses and as well as security professionals similarly. Thanks once more!

  22. Bah! says:

    The suggested “fix” doesn’t work for me either, the value was already 2.

    There was absolutely nothing wrong with the prior FF behavior.

    Give an invalid SSL warning to the user, but let them proceed if they need to. There is nothing insecure about this approach. After all, a site with an expired/self signed cert is no less safe than a site without HTTPS at all.

    The current situation is intolerable, and frankly the developers who insist on this after years of bug reports are totally moronic.

Comments are closed.