Closed sudokode closed 7 years ago
At first it was a DNS error, now it's an SSL error... This has been going on for a few days now
Well, both were expired registrations. That's understandable... This one, I'm not even sure why this is happening. It doesn't seem to affect anything else (Chromium, curl), but Firefox does seem to care more about SSL/TLS security. Usually there's a way to circumvent these edge cases, but this one doesn't seem to be passable, which means Mozilla thought it was bad enough to prevent any idiot (as usual) and "Advanced" users from clicking through to a potentially malicious site.
Seems there is a way to bypass this. Firefox just doesn't like it when you switch from a pinned cert to a non-pinned cert. I guess this is the "Advanced Advanced..." button. Probably best to close Firefox while doing this:
grep ptpb.pw ~/.mozilla/firefox/*.default/SiteSecurityServiceState.txt
sed -i '/ptpb.pw/d' ~/.mozilla/firefox/*.default/SiteSecurityServiceState.txt
grep ptpb.pw ~/.mozilla/firefox/*.default/SiteSecurityServiceState.txt # after retrying the site
(This may be a non-issue for the devs, but it might be best to leave this open for a while in case anyone else experiences the same problem.)
> Firefox just doesn't like it when you switch from a pinned cert to a non-pinned cert
Yeah, I stopped serving HPKP headers after migrating to AWS, but the original pin duration was at least a year, so it hasn't expired yet for anyone that's cached it.
> Seems there is a way to bypass this

Manipulating SiteSecurityServiceState.txt is mostly a Firefox usability issue IMO; there's no UI to clear/bypass the cached pin otherwise (aside from creating a new profile, which would probably work, but who wants to do that).
> Yeah, I stopped serving HPKP headers after migrating to AWS, but the original pin duration was at least a year, so it hasn't expired yet for anyone that's cached it.
I think you could have sent a header to disable HPKP before the cert expired, but too late now...
Guys, do you even security? This is exactly how HPKP was designed to work. It's not a usability issue on FF's end that ptpb fucked up its cert management so badly that the cert pinning mechanism, which it chose to enable to protect against rogue certs, kicks in and protects users against the new (unpinned) cert.
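The HPKP behaviour the thread describes (a cached pin outliving the header that set it, the cert swap then failing in the client, and a max-age=0 header clearing the pin as suggested above), as an added Python model of RFC 7469 pin caching; this is not code from ptpb or Firefox, and the SPKI byte strings, timestamps and host name are constructed stand-ins.

```python
import base64, hashlib, re

def pin_sha256(spki_der: bytes) -> str:
    # HPKP pin = base64(SHA-256(SubjectPublicKeyInfo DER)), RFC 7469
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp_header(header: str):
    # Returns (set of pin-sha256 values, max-age seconds or None).
    pins, max_age = set(), None
    for d in (p.strip() for p in header.split(";")):
        m = re.fullmatch(r'pin-sha256="([^"]+)"', d)
        if m:
            pins.add(m.group(1))
        elif d.lower().startswith("max-age="):
            max_age = int(d.split("=", 1)[1])
    return pins, max_age

def observe(cache, host, header, chain_spkis, now):
    # cache models the browser's pin store: host -> (pins, expiry timestamp)
    if header is None:
        return  # a missing header does NOT clear a cached pin; only expiry or max-age=0 does
    pins, max_age = parse_pkp_header(header)
    if max_age is None or not pins & {pin_sha256(s) for s in chain_spkis}:
        return  # RFC 7469 2.5: ignore a header whose pins don't match the served chain
    if max_age == 0:
        cache.pop(host, None)
    else:
        cache[host] = (pins, now + max_age)

def check(cache, host, chain_spkis, now):
    # True if the connection is allowed: no live cached pin, or the chain matches one.
    entry = cache.get(host)
    if entry is None or now > entry[1]:
        cache.pop(host, None)
        return True
    return bool(entry[0] & {pin_sha256(s) for s in chain_spkis})

def ptpb_scenario():
    old, backup, new = b"spki-old", b"spki-backup", b"spki-new"  # constructed, not real DER
    year = 365 * 86400
    hdr = f'pin-sha256="{pin_sha256(old)}"; pin-sha256="{pin_sha256(backup)}"; max-age={year}'
    cache = {}
    observe(cache, "ptpb.pw", hdr, [old], 0)                  # pin cached for a year
    observe(cache, "ptpb.pw", None, [new], 30 * 86400)        # new cert, HPKP header dropped
    blocked = not check(cache, "ptpb.pw", [new], 30 * 86400)  # what Firefox did in the thread
    expired_ok = check(cache, "ptpb.pw", [new], year + 1)     # only expiry clears it
    fix = {}                                                  # the "disable HPKP first" route
    observe(fix, "ptpb.pw", hdr, [old], 0)
    observe(fix, "ptpb.pw", hdr.replace(f"max-age={year}", "max-age=0"), [old], 1)
    cleared_ok = check(fix, "ptpb.pw", [new], 2)
    return blocked, expired_ok, cleared_ok
```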
k
Open https://ptpb.pw in Firefox (tested on 49 and 50).