HSTS-enabled web sites do not interoperate with the xul-ext in firefox/iceweasel 4.0
"HSTS":https://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec has "a section":https://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-01#section-7.3 that suggests that browsers should not let users override security warnings.
Apparently, Iceweasel/Firefox 4.0 interprets this section so strictly that certificate exceptions set by browser plugins are not honored.
This means that the monkeysphere xul-ext cannot grant access to OpenPGP-certified web sites within an HSTS domain for users of firefox 4.0, as far as I can tell. You can "try it out":https://micah.riseup.net
I'm not sure how to resolve this. Some options might be:
- convince mozilla that this interpretation of HSTS is too strict
- convince the "IETF's websec working group":https://datatracker.ietf.org/wg/websec/charter/ that HSTS should decouple the "always use TLS" semantics from the "do not allow security exceptions" semantics
- find some other mechanism within firefox/iceweasel to use for the xul extension
I would be curious to know what the developers of other certificate management extensions like "Certificate Patrol":https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/ or "Perspectives":http://www.networknotary.org/firefox.html are doing about this situation.
(from redmine: created on 2011-03-25)
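Added example, not part of the ticket and not code from the monkeysphere xul-ext, Firefox, or the HSTS draft: a small JavaScript model of the browser-side logic the ticket runs into. It parses a Strict-Transport-Security header, keeps a "known HSTS hosts" list with expiry and includeSubDomains matching, and answers the one question that decides whether an extension-added exception could ever be consulted: is this host a known HSTS host? The host names, header values and the `HstsStore` / `parseHsts` names are assumptions made for this example.

```javascript
// Added example, not code from the monkeysphere xul-ext, Firefox, or the
// HSTS draft: a minimal model of a browser's HSTS host store and of the
// "no override of TLS errors for known HSTS hosts" rule the ticket
// describes.  Header values and host names below are constructed.

// Parse a Strict-Transport-Security header value.  Returns null when the
// header is malformed (no max-age, duplicate max-age, non-numeric max-age),
// in which case a browser ignores the header entirely.
function parseHsts(headerValue) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const rawDirective of headerValue.split(";")) {
    const directive = rawDirective.trim();
    if (directive === "") continue;
    const eq = directive.indexOf("=");
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let value = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (value !== null && value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1); // the quoted-string form is allowed
    }
    if (name === "max-age") {
      if (maxAge !== null || value === null || !/^\d+$/.test(value)) return null;
      maxAge = Number(value);
    } else if (name === "includesubdomains") {
      includeSubDomains = true;
    }
    // Unrecognised directives are ignored.
  }
  if (maxAge === null) return null;
  return { maxAge, includeSubDomains };
}

// A browser's list of "known HSTS hosts", keyed by lower-cased host name.
class HstsStore {
  constructor() {
    this.hosts = new Map(); // host -> { expires, includeSubDomains }
  }

  // Record a header seen in a response.  `secure` is whether the response
  // came over TLS with no certificate errors; the draft requires the header
  // to be ignored otherwise, so plain-HTTP traffic cannot plant a policy.
  // `now` is a Unix time in seconds.
  observe(host, headerValue, secure, now) {
    if (!secure) return false;
    const policy = parseHsts(headerValue);
    if (policy === null) return false;
    const key = host.toLowerCase();
    if (policy.maxAge === 0) {
      this.hosts.delete(key); // max-age=0 means "forget this host"
      return true;
    }
    this.hosts.set(key, {
      expires: now + policy.maxAge,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // A host is a known HSTS host if it has an unexpired entry itself, or if
  // some superdomain has an unexpired entry flagged includeSubDomains.
  isKnownHstsHost(host, now) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      const entry = this.hosts.get(candidate);
      if (entry === undefined) continue;
      if (now >= entry.expires) {
        this.hosts.delete(candidate); // lazily drop stale entries
        continue;
      }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // The behaviour the ticket is about: for a known HSTS host a certificate
  // error is fatal and no override path (user click-through or an
  // extension-added exception) is consulted; for any other host the usual
  // override path is available.
  mayOverrideCertError(host, now) {
    return !this.isKnownHstsHost(host, now);
  }
}
```

Note what the model makes visible: once a superdomain has been seen with `includeSubDomains`, every subdomain is a known HSTS host for the lifetime of `max-age`, so an extension that adds a certificate exception for one of those subdomains is never asked, which is exactly the situation described above for OpenPGP-certified hosts inside an HSTS domain.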