[email protected] wrote:
Ant wrote:
On 5/9/2020 7:13 AM, [email protected] wrote:
Frank-Rainer Grahl wrote:
Exactly. I looked and I think it was SiteSecurityServiceState.txt which
just needed to be edited to allow the override again.
I noticed after posting that you'd mentioned something similar (should have
read the whole thread first, but it seemed to have deteriorated into "works
for me", "me too", "doesn't work for me"...).
SiteSecurityServiceState.txt looks like the one. It might be necessary to
completely exit SeaMonkey before editing it, as I think otherwise it will
get rewritten from an in-memory version. Find the line for the affected
site and just delete it.
Bear in mind that the site had set an HSTS policy to indicate that browsers
should only ever connect securely, and that failure to do so might indicate
that the site or your connection to it has been compromised (although it's
also possible the site has broken the implicit promise to ensure you'll
always be able to connect securely, for example by letting their
certificate expire). You may be OK with this for a site which you only
view, but should be suspicious if such errors occur on your bank's site.
The real issue is websites setting an HSTS policy, and then not maintaining
their own security configuration, although a UI to bypass it (with
appropriate warnings) might be useful.
Ah, thanks. I see two of these in my profile's SiteSecurityServiceState file:
antville.org:HSTS 44 18391 1620529497904,1,1,2
videos.antville.org:HSTS 46 18391 1620529497913,1,1,2
So, do I just delete these two lines to let me in it with its risks alert
option (with SeaMonkey process not running)?
Probably just the videos.antville.org one will be enough, since that's the
site you're trying to access, although antville.org might be relevant if it
loads any resources from that domain and it wouldn't really hurt to delete
both anyway. But didn't you say they'd fixed their certificate now anyway?
If that's the case, there's no point deleting the entries, since they'll
probably be added back next time you visit the site.
Also, when did SM start using this list? I have never seen and heard of this
one before. :)
I don't know exactly. Searching my email archives (not every message on this
list, only threads I had an interest in) I find mention of HSTS and
SiteSecurityServiceState.txt in relation to SeaMonkey 2.40 back in 2016 - so
at least that long ago.
Firefox added it in 35 so probably SeaMonkey 2.32.
FRG
_______________________________________________
support-seamonkey mailing list
[email protected]
https://lists.mozilla.org/listinfo/support-seamonkey
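
Added example, not part of the original thread: a read-only Python parser that decodes the two SiteSecurityServiceState.txt entries quoted above, to show when each HSTS policy was last seen and when it expires. The field meanings (score, last-access day count since 1970, expiry in milliseconds, state, includeSubDomains flag) are assumptions about the file format that the thread does not state, and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the two entries quoted in the thread.
SAMPLE = """\
antville.org:HSTS 44 18391 1620529497904,1,1,2
videos.antville.org:HSTS 46 18391 1620529497913,1,1,2
"""
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def parse_line(line):
    """Parse one entry; return None for blank or malformed lines."""
    parts = line.split()  # accepts tab- or space-separated fields
    if len(parts) != 4 or ":" not in parts[0]:
        return None
    host, _, kind = parts[0].rpartition(":")
    value = parts[3].split(",")
    try:
        score, day = int(parts[1]), int(parts[2])
        expiry_ms = int(value[0])
        flags = [int(v) for v in value[1:]]
    except ValueError:
        return None
    return {
        "host": host, "type": kind, "score": score,
        # Assumed: third field is the last-access date in days since the epoch.
        "last_access": (EPOCH + timedelta(days=day)).date(),
        "expires": EPOCH + timedelta(milliseconds=expiry_ms),
        # Assumed: first flag is the policy state, second is includeSubDomains.
        "state": flags[0] if flags else None,
        "include_subdomains": len(flags) > 1 and flags[1] == 1,
    }

def hsts_entries(text, now=None):
    """Return parsed HSTS entries, each marked as expired or still in force."""
    now = now or datetime.now(timezone.utc)
    out = []
    for line in text.splitlines():
        e = parse_line(line)
        if e and e["type"] == "HSTS":
            e["expired"] = e["expires"] <= now
            out.append(e)
    return out

if __name__ == "__main__":
    for e in hsts_entries(SAMPLE):
        print(e["host"], e["last_access"], e["expires"].isoformat(), e["expired"])
```

Under these assumptions, both entries were last refreshed on the day of the thread and carry a one-year lifetime, so a visit to the repaired site would simply renew them.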