
HSTS Preload list and user settings for certs?


Desiree
Nov 4, 2012, 10:06:10 PM
How does forcing HSTS on sites on the Preload list affect, if at all, the
user's cert permissions setup for Fx? Will this interfere with my
expectations that Fx will ask me each time it tries to go to an SSL site
that uses Comodo/Comodo related or Go Daddy certs which I have as Untrusted
in all my browsers? Or will Fx (if the site is on the Preload list) override
my settings and just go there without first asking me what to do? If this
occurs, how will I be able to turn off this feature so it doesn't interfere
with my setup for what cert authorities I trust/do not trust? What version
of Fx will this be implemented in? I currently use Fx 4 and 10 ESR which do
not have this.


Desiree
Nov 6, 2012, 5:15:09 AM

"Desiree" <mele...@medscape.com> wrote in message
news:U5mdnelbxo-GsArN...@mozilla.org...
No one cares about this? It is in both Fx 4 and Fx 10 ESR and I am angry
because I do NOT wish to visit sites that use Comodo/Comodo related
certificates. Do all of you approve of Mozilla deliberately, without even
any warning OVERRIDING your settings and going to sites that you wish Fx to
NOT go to unless you make a security exception?

Fx 4 has problems implementing this and it throws a popup that says the site
(which is on the Preload list) cannot be connected to due to a certificate
error and to try later. Then it goes ahead and loads the site which it
should not do. Fx 10 ESR simply OVERRIDES my settings in Fx Certificate
Manager and goes to the site. Sadly and shockingly, Fx 10 ESR does not even
have the decency to warn me that it is OVERRIDING MY SETTINGS and in doing
so is going to a site WITHOUT MY PERMISSION WHICH SHOULD NEVER HAPPEN.

Fx 4 is old so it can be excused for its weird behavior but Fx 10 ESR is
current and should NEVER override my Certificate Manager settings!

I ask again. How do I turn this OFF in Fx 10 ESR? I want Fx to honor MY
certificate settings and I have Comodo/Comodo related certificates as
UNTRUSTED since December 2008. How dare Fx override my settings and, even
worse, do so with NO WARNING to me that it has decided to disobey MY
Certificate Manager settings! I see this as a serious BUG in Fx and
SeaMonkey.


Christian Riechers
Nov 7, 2012, 2:15:38 PM
I don't think HSTS affects the certificate handling at all. It basically
enforces the first contact to a server to be HTTPS, and not HTTP. This
will prevent potential MITM attacks. If the cert chain can't be
verified, I'd expect you still get the cert exception dialog.
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
https://blog.mozilla.org/security/2012/11/01/preloading-hsts/
HSTS is in FF 17 beta, so I guess it's about time to upgrade your FF 4.

--
Christian
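Christian's answer above describes HSTS as forcing the first contact to be HTTPS, separately from certificate trust. This added example (written for this thread, not Firefox's code) models that split: an HSTS store fed by the preload list and Strict-Transport-Security headers, next to a trust-store verdict that HSTS never changes. The preload entry, hostnames and the `decide` helper are constructed assumptions; the hard-stop behaviour for an HSTS host whose certificate chain fails validation comes from RFC 6797 section 8.4, not from the thread.

```python
import re
import time
# Constructed preload entry for this example (not the real list): host -> includeSubDomains
PRELOAD = {"preloaded.example": True}
_DIRECTIVE = re.compile(r'\s*([A-Za-z-]+)\s*(?:=\s*"?([^";]*?)"?\s*)?')
def parse_sts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains); None if invalid."""
    max_age, include = None, False
    for part in value.split(";"):
        if not part.strip():
            continue                     # RFC 6797 allows empty directives
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            return None
        name, arg = m.group(1).lower(), m.group(2)
        if name == "max-age":
            if max_age is not None or arg is None or not arg.isdigit():
                return None              # duplicate or malformed max-age invalidates the header
            max_age = int(arg)
        elif name == "includesubdomains":
            include = True
    return None if max_age is None else (max_age, include)
class HstsStore:
    """HSTS policies learned from headers, consulted together with the preload list."""
    def __init__(self, now=time.time):
        self.now, self.dynamic = now, {}  # host -> (expiry, include_subdomains)
    def note_header(self, host, value):
        parsed = parse_sts(value)
        if parsed is None:
            return False
        max_age, include = parsed
        if max_age == 0:
            self.dynamic.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.dynamic[host] = (self.now() + max_age, include)
        return True
    def is_hsts_host(self, host):
        labels = host.lower().split(".")
        for i in range(len(labels)):      # exact host first, then parents for includeSubDomains
            cand, exact = ".".join(labels[i:]), i == 0
            if cand in PRELOAD and (exact or PRELOAD[cand]):
                return True
            entry = self.dynamic.get(cand)
            if entry and entry[0] > self.now() and (exact or entry[1]):
                return True
        return False
def decide(store, scheme, host, chain_trusted):
    """(scheme used, outcome): HSTS adds no trust; it forces https and makes a failed chain a hard stop."""
    if store.is_hsts_host(host):
        return "https", ("load" if chain_trusted else "hard_fail")
    return scheme, ("load" if scheme == "http" or chain_trusted else "exception_dialog")
```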

WaltS
Nov 8, 2012, 8:57:46 AM
What did I miss?

What is an HSTS Preload list?

--
Fedora 17 (64-bit) KDE 4.9.2
Thunderbird Beta (17.0) Install and test it
One state should not decide an election
http://www.nationalpopularvote.com/

Morgana
Nov 8, 2012, 10:57:10 AM
On 08-Nov-2012 08:57, WaltS wrote:
> On 11/04/2012 10:06 PM, Desiree wrote:
>> How does forcing HSTS on sites on the Preload list affect, if at all, the
>> user's cert permissions setup for Fx? Will this interfere with my
>> expectations that Fx will ask me each time it tries to go to an SSL site
>> that uses Comodo/Comodo related or Go Daddy certs which I have as Untrusted
>> in all my browsers? Or will Fx (if the site is on the Preload list) override
>> my settings and just go there without first asking me what to do? If this
>> occurs, how will I be able to turn off this feature so it doesn't interfere
>> with my setup for what cert authorities I trust/do not trust? What version
>> of Fx will this be implemented in? I currently use Fx 4 and 10 ESR which do
>> not have this.
>
> What did I miss?
>
> What is an HSTS Preload list?

https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Strict_Transport_Security

--
M.

WaltS
Nov 8, 2012, 11:16:27 AM
Ah! Thank you. :)