Ant wrote:
On 5/9/2020 7:13 AM, mozilla-lists.mbou...@spamgourmet.com wrote:
Frank-Rainer Grahl wrote:
Exactly. I looked and I think it was SiteSecurityServiceState.txt which just needed to be edited to allow the override again.

I noticed after posting that you'd mentioned something similar (should have read the whole thread first, but it seemed to have deteriorated into "works for me", "me too", "doesn't work for me"...).

SiteSecurityServiceState.txt looks like the one.  It might be necessary to completely exit SeaMonkey before editing it, as I think otherwise it will get rewritten from an in-memory version.  Find the line for the affected site and just delete it.

Bear in mind that the site had set an HSTS policy to indicate that browsers should only ever connect securely, and that failure to do so might indicate that the site or your connection to it has been compromised (although it's also possible the site has broken the implicit promise to ensure you'll always be able to connect securely, for example by letting their certificate expire).  You may be OK with this for a site which you only view, but should be suspicious if such errors occur on your bank's site.

The real issue is websites setting an HSTS policy, and then not maintaining their own security configuration, although a UI to bypass it (with appropriate warnings) might be useful.

Ah, thanks. I see two of these in my profile's SiteSecurityServiceState file:

antville.org:HSTS    44    18391    1620529497904,1,1,2
videos.antville.org:HSTS    46    18391    1620529497913,1,1,2

So, do I just delete these two lines to let me in it with its risks alert option (with SeaMonkey process not running)?

Probably just the videos.antville.org one will be enough, since that's the site you're trying to access, although antville.org might be relevant if it loads any resources from that domain and it wouldn't really hurt to delete both anyway. But didn't you say they'd fixed their certificate now anyway? If that's the case, there's no point deleting the entries, since they'll probably be added back next time you visit the site.

Also, when did SM start using this list? I have never seen and heard of this one before. :)

I don't know exactly. Searching my email archives (not every message on this list, only threads I had an interest in) I find mention of HSTS and SiteSecurityServiceState.txt in relation to SeaMonkey 2.40 back in 2016 - so at least that long ago.

--
Mark.

_______________________________________________
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey
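
Added example, not part of the original thread: a read-only Python decoder for the two SiteSecurityServiceState.txt lines quoted above, listing which stored HSTS entries apply to a given host. The field meanings (score, last-access day, then expiry in ms, state, includeSubdomains, source) are assumed from Firefox's storage format, and `parse_state` / `entries_covering` are hypothetical helper names.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The two lines quoted in the thread (whitespace-separated as shown there).
SAMPLE = """\
antville.org:HSTS    44    18391    1620529497904,1,1,2
videos.antville.org:HSTS    46    18391    1620529497913,1,1,2
"""
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

@dataclass
class HstsEntry:
    host: str
    score: int
    last_access: datetime      # stored as days since the Unix epoch
    expires: datetime          # stored as milliseconds since the Unix epoch
    state: int                 # assumption: 1 means the policy is set
    include_subdomains: bool

def parse_state(text):
    """Parse SiteSecurityServiceState.txt content; return its HSTS entries."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        # Assumed layout: key, score, last-access day, "expiry,state,subdomains[,source]"
        if len(parts) != 4 or not parts[0].endswith(":HSTS") or parts[3].count(",") < 2:
            continue  # skip blank lines and records of other types
        value = parts[3].split(",")
        entries.append(HstsEntry(
            host=parts[0][:-len(":HSTS")],
            score=int(parts[1]),
            last_access=EPOCH + timedelta(days=int(parts[2])),
            expires=EPOCH + timedelta(milliseconds=int(value[0])),
            state=int(value[1]),
            include_subdomains=value[2] == "1",
        ))
    return entries

def entries_covering(entries, host, now):
    """Unexpired entries that apply to host: an exact match, or a parent
    domain whose policy includes subdomains (RFC 6797 host matching)."""
    return [e for e in entries
            if e.expires > now and e.state == 1
            and (e.host == host
                 or (e.include_subdomains and host.endswith("." + e.host)))]

if __name__ == "__main__":
    now = datetime(2020, 5, 9, 12, tzinfo=timezone.utc)  # date of the thread
    for e in entries_covering(parse_state(SAMPLE), "videos.antville.org", now):
        print(e.host, "expires", e.expires.date(), "subdomains:", e.include_subdomains)
```

On the quoted lines this reports both entries for videos.antville.org, because the antville.org entry has its includeSubdomains field set, and both expire one year after the last-access date.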
