EFForg / https-everywhere

A browser extension that encrypts your communications with many websites that offer HTTPS but still allow unencrypted connections.
https://eff.org/https-everywhere

HTTP nowhere mode hijacks legit Firefox warning pages. #17192

Closed M83tUt3 closed 5 years ago

M83tUt3 commented 5 years ago

Type: code issue

Using the "block all unencrypted requests" feature on Firefox, I often see that the addon redirects me to the "HTTPS Everywhere noticed you were navigating to a non-HTTPS page, and tried to send you to the HTTPS version instead..." message on pages that would've otherwise displayed certain Firefox warnings. This happens, for example:

1) On any non-existing site. Put some bogus in the address bar with HTTP Nowhere enabled and, instead of FF showing the "Server Not Found" page, the addon redirects you.
2) On sites using self-signed certificates, where Firefox would usually warn you and give you the option to (temporarily) accept the certificate.

I imagine it happens on any occasion where Firefox would display such a warning page.

The problem with this behaviour is that when HTTPS Everywhere redirects me, I have no clue if the site indeed does not support HTTPS, or if it's just non-existent, uses a self-signed certificate, or has any other issue that would cause Firefox to warn me before actually loading the site.
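The report above boils down to a classification problem: a failed top-level navigation can mean "this host serves no HTTPS at all", which is the one case the extension's explanation page is meant for, or "the host does not resolve" or "the host speaks TLS but with a certificate the browser rejects", where only the browser's own interstitial lets the user see what went wrong or add an exception. The following is an added example, not HTTPS Everywhere's own code, sketching how a "block all unencrypted requests" mode could make that distinction. It assumes the error names are Gecko/NSS status strings as surfaced in `webRequest.onErrorOccurred` `details.error`; the explanation page filename and the listener wiring at the bottom are hypothetical.

```javascript
// Added example (not HTTPS Everywhere's own code): decide, for a failed
// top-level HTTPS navigation, whether an HTTP-nowhere mode should show its
// own explanation page or step aside so the browser's native error page
// (Server Not Found, certificate warning) stays visible.
//
// Assumption: error names below are Gecko/NSS status strings as reported in
// webRequest.onErrorOccurred details.error; they may vary across releases.

// Failures that say nothing about HTTPS support: the host itself cannot be
// reached, so a plain HTTP attempt would have failed the same way. Defer to
// the browser's own page so the user sees "Server Not Found".
const HOST_LEVEL_ERRORS = new Set([
  'NS_ERROR_UNKNOWN_HOST', // DNS lookup failed (bogus address-bar input)
  'NS_ERROR_OFFLINE',      // browser is in offline mode
]);

// The server does speak TLS but the browser refuses its certificate. The
// browser's interstitial is the only place the user can inspect the
// certificate and (temporarily) add an exception, so defer there too.
function isCertificateError(error) {
  // Assumption: NSS / PKIX certificate and TLS errors carry these prefixes.
  return /^(SEC_ERROR_|SSL_ERROR_|MOZILLA_PKIX_ERROR_)/.test(error);
}

// The HTTPS port is not served at all: the one case the explanation page is
// for.
const NO_HTTPS_ERRORS = new Set([
  'NS_ERROR_CONNECTION_REFUSED',
  'NS_ERROR_NET_TIMEOUT',
]);

/**
 * Classify a failed request.
 * @param {{url: string, type: string, error: string}} details
 *   Shape follows webRequest.onErrorOccurred; only these fields are used.
 * @returns {'ignore'|'native-page'|'extension-page'}
 */
function classifyFailure(details) {
  // Sub-resources (images, scripts) have no page to replace.
  if (details.type !== 'main_frame') return 'ignore';
  // Only judge the upgraded request; a plain http:// failure is not ours.
  if (!details.url.startsWith('https://')) return 'ignore';
  const error = details.error || '';
  if (HOST_LEVEL_ERRORS.has(error) || isCertificateError(error)) return 'native-page';
  if (NO_HTTPS_ERRORS.has(error)) return 'extension-page';
  // Unknown failure: never hide the browser's own diagnosis.
  return 'native-page';
}

// Hypothetical explanation page (filename is an assumption). The original
// http:// URL is carried along so the page can offer a "load anyway" link.
function explanationUrl(httpsUrl, page = 'http-nowhere.html') {
  const original = 'http://' + httpsUrl.slice('https://'.length);
  return page + '?url=' + encodeURIComponent(original);
}

// Listener wiring, only when running inside a WebExtension background page.
if (typeof browser !== 'undefined' && browser.webRequest) {
  browser.webRequest.onErrorOccurred.addListener((details) => {
    if (classifyFailure(details) === 'extension-page') {
      browser.tabs.update(details.tabId, {
        url: browser.runtime.getURL(explanationUrl(details.url)),
      });
    }
  }, { urls: ['https://*/*'], types: ['main_frame'] });
}
```

The default branch matters as much as the explicit sets: when the error string is unrecognised, the safe choice is to leave the browser's page alone, since redirecting on every failure is exactly what hides the DNS and certificate diagnostics the reporter needs.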

Bisaloo commented 5 years ago

Thank you for your report!

I agree that (if possible) HTTPS Everywhere should not display an error on non-existing pages. This qualifies as a bug IMO.

For the rest, see #8239 for background info on this decision.

M83tUt3 commented 5 years ago

I see, you've had plenty of discussion about it already. This is probably not the place to start a new one, but I'll have to say, as a BAUR user I was well aware that the option could cause failures to load a page. I agree that the addon displaying an error when the site has no support for HTTPS is a good thing, but by also erroring out on pages using self-signed certs, for example, it does more harm than good imo. If it could redirect only when HTTPS is simply not available rather than when there is some other issue, that would be perfect of course.

zoracon commented 5 years ago

Thanks for filing this. A good workaround for this is taking a second look at the kind of messages we filter for when we receive requests with common SSL misconfigs. I will look into this one ASAP.

zoracon commented 5 years ago

@M83tUt3 As a temp solution while I get some fixes up in a PR, you can also disable HTTPSE for that URL, then navigate to the HTTPS version to add the cert.

M83tUt3 commented 5 years ago

Great that work is being done to fix this! I usually just temporarily disable EASE and reload the page to see what's up, but indeed, whitelisting would work too.

scarlion1 commented 5 years ago

I noticed this happens with Firefox 60.4.0esr with BAUR enabled. Sometimes I can push the 'back' button and the normal Firefox warning page appears, allowing me to add an exception for the site and accept the invalid certificate. In Chromium with BAUR enabled, I still see the normal Chromium warning page "Your connection is not private" which allowed me to add an exception for the site.

zoracon commented 5 years ago

Closed by #17234. Self-signed cert pages should be available now as well.

scarlion1 commented 5 years ago

I'm using Version: 2019.1.31 and still having this problem... for example going to www.txt2day.com with EASE enabled generates the "HTTPS Everywhere noticed you were navigating to a non-HTTPS page, and tried to send you to the HTTPS version instead." page. If I hit the back button then I'm presented with the Firefox warning page allowing me to add an exception and still use HTTPS.

zoracon commented 5 years ago

> I'm using Version: 2019.1.31 and still having this problem... for example going to www.txt2day.com with EASE enabled generates the "HTTPS Everywhere noticed you were navigating to a non-HTTPS page, and tried to send you to the HTTPS version instead." page. If I hit the back button then I'm presented with the Firefox warning page allowing me to add an exception and still use HTTPS.

@scarf Hi, could you give browser version and O.S.? Trying to narrow this down

Not replicating this on Firefox Quantum 65 on Ubuntu 18.04.

@Bisaloo when you have a moment, are you able to replicate this?

Bisaloo commented 5 years ago

I can't replicate either with FF Nightly and HTTPS Everywhere 2019.1.31

scarlion1 commented 5 years ago

Hi @zoracon we are using Firefox 60.5.2esr on Ubuntu 16.04. Thank you