Dear Moz, sorry to barge in on this topic, which I presume is an existing unpopular topic.
I want to ask about Firefox security implementation, possibly HSTS? Firefox seems to implement stricter security in comparison to Chrome. Our IT department have been making changes to implement SSO, including using a SAML identity provider with Google services. From the perspective of our ICT support it looks like Firefox doesn't work. I can no longer use Firefox with Google, or MDN, or a range of other sites. We've gone from Firefox as the recommended browser to Chrome being recommended, and today I've got a support request open because I can't use Firefox at all. There is a risk that Firefox will become unsupported in our organisation simply because Chrome implements looser security, but at least it "works".

This doesn't look like a simple problem to solve for our IT. I'm not sure of the details, but we seem to be forwarding SSL certs from outside our network and then they look like they're issued by us. FF allows some sites a security exception. Others just can't. Is there some known practice or update that is required to "fix" this?

MDN:

Secure Connection Failed

The connection to developer.mozilla.org was interrupted while the page was loading.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the web site owners to inform them of this problem.

Google:

This Connection is Untrusted

You have asked Firefox to connect securely to mail.google.com, but we can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.

What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.

Get me out of here!

Technical Details

mail.google.com uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.

(Error code: sec_error_unknown_issuer)

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
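The two Firefox errors quoted in the post come from one rule in RFC 6797 (HSTS): once a host is a "known HSTS host", the browser must fail closed on any certificate error instead of offering a click-through exception. The model below, added here as an illustration and not code from the post or from Firefox, shows that rule: a small HSTS store that learns policies from `Strict-Transport-Security` headers (only over an already-trusted TLS connection), honours `includeSubDomains` and `max-age=0`, and then decides whether an untrusted chain gets an "add exception" offer or a hard failure. All host names, header values and the preload entry are constructed for the example; `mail.google.com` is treated as covered by an assumed preloaded `google.com` entry with `includeSubDomains`.

```python
"""Model of how HSTS turns a certificate error into a non-overridable failure.

Added example for the mailing-list post above; not code from the post or
from Firefox. Hosts, headers and the preload entry are constructed.
"""
import time


def parse_sts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when there is no usable max-age, which makes the header
    invalid per RFC 6797 section 6.1 (the policy is then ignored).
    """
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_sub


class HstsStore:
    """Known HSTS hosts: dynamic (from headers) plus an assumed preload list."""

    def __init__(self, now=None):
        self._now = now or time.time
        self._policies = {}   # host -> (expiry timestamp, include_subdomains)
        self.preloaded = {}   # host -> include_subdomains (constructed list)

    def preload(self, host, include_subdomains=True):
        self.preloaded[host.lower()] = include_subdomains

    def note_header(self, host, header, secure_channel=True):
        """Record a policy. RFC 6797 section 8.1: the header is only honoured
        when it arrives over a connection whose certificate chain validated,
        so a MITM with an untrusted cert cannot plant or clear a policy."""
        if not secure_channel:
            return False
        parsed = parse_sts(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:          # max-age=0 tells the client to forget the host
            self._policies.pop(host, None)
            return True
        self._policies[host] = (self._now() + max_age, include_sub)
        return True

    def is_hsts_host(self, host):
        """Exact match, or a parent domain whose policy has includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = (i == 0)
            if candidate in self.preloaded and (exact or self.preloaded[candidate]):
                return True
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            expiry, include_sub = policy
            if expiry <= self._now():
                continue              # expired policy no longer applies
            if exact or include_sub:
                return True
        return False


def certificate_error_action(store, host, chain_trusted):
    """Outcome of a TLS handshake given whether the chain validated.

    "fail-closed" is the 'it is not possible to add an exception' case from
    the post; "offer-override" is the per-site security exception Firefox
    still allows for hosts that are not known HSTS hosts.
    """
    if chain_trusted:
        return "connect"
    if store.is_hsts_host(host):
        return "fail-closed"      # RFC 6797 section 12.1: no user recourse
    return "offer-override"


if __name__ == "__main__":
    store = HstsStore()
    store.preload("google.com", include_subdomains=True)   # assumed preload entry
    store.note_header("developer.mozilla.org", "max-age=63072000; includeSubDomains")
    for h in ("mail.google.com", "developer.mozilla.org", "intranet.example"):
        print(h, "->", certificate_error_action(store, h, chain_trusted=False))
```

The model also shows why the exception button is the wrong lever for an interception proxy: HSTS only forbids overriding an untrusted chain, it does not forbid trusting a CA. If the proxy's issuing root is imported into Firefox's trust store (which is what the `sec_error_unknown_issuer` text on the page suggests), `chain_trusted` becomes true for every intercepted site and the HSTS branch is never reached.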

