Hello,
I am having trouble using TBB 3.6.6 to connect to a website that uses a self-signed certificate.
In the previous 3.6.5 version I was presented the usual warning, but after double checking the certificate fingerprint I could click the [Confirm Security Exception] button and TorBrowser would connect.
However, in the 3.6.6 version after I click the [Confirm Security Exception] button, the dialog window disappears, a spinner is shown and TorBrowser starts trying to connect. However the page will never load.
I have searched the preferences panel but could not find any option that might be useful. I read that 3.6.6 contained some changes with respect to saving intermediate certificates to disk. Could it be this has affected the use of self-signed certificates?
Any suggestion?
Thanks, Bram
Bram de Boer:
Hello,
I am having trouble using TBB 3.6.6 to connect to a website that uses a self-signed certificate.
In the previous 3.6.5 version I was presented the usual warning, but after double checking the certificate fingerprint I could click the [Confirm Security Exception] button and TorBrowser would connect.
However, in the 3.6.6 version after I click the [Confirm Security Exception] button, the dialog window disappears, a spinner is shown and TorBrowser starts trying to connect. However the page will never load.
I have searched the preferences panel but could not find any option that might be useful. I read that 3.6.6 contained some changes with respect to saving intermediate certificates to disk. Could it be this has affected the use of self-signed certificates?
Could this be the security.nocertdb pref from #12998? If you go into about:config and change that value to false, does it change things? You may need to restart the browser.
Bram de Boer:
I am having trouble using TBB 3.6.6 to connect to a website that uses a self-signed certificate. [...]
Mike Perry:
Could this be the security.nocertdb pref from #12998? If you go into about:config and change that value to false, does it change things? You may need to restart the browser.
Mike, thanks for the suggestion. That does indeed allow me to connect, although it does not allow me to make a permanent exception.
However, I am confused. Before trying your suggestion, I got systematic fails on two different OS X systems with TBB 3.6.6. Reverting back to TBB 3.6.5 allowed me to connect normally using both systems. Reinstalling TBB 3.6.6 resulted again in failure on both systems.
After applying the security.nocertdb=false tweak and restarting TB, both systems could successfully connect. However, after switching back to security.nocertdb=true and restarting TB, both systems could *still* successfully connect?! I have even tried deleting the entire /Applications/TorBrowser.app folder and reinstalled a fresh 3.6.6. Even then I could still connect without your suggested tweak?!
I am confused. AFAIK TorBrowser does not store "state" anywhere but in the application folder, so deleting the TorBrowser.app folder should entirely clear its state, right? Or does it make use of the OS X key chain? A problem with the webserver seems unlikely, as switching back and forth between 3.6.5 and 3.6.6 showed systematic behaviour?! Hitting a bad exit consistently from two different systems is unlikely too.
Could someone please be so kind as to try to connect to a website with a self-signed certificate too? Does that work with default settings?
Thanks, Bram
Bram de Boer wrote:
Hello,
I am having trouble using TBB 3.6.6 to connect to a website that uses a self-signed certificate.
In the previous 3.6.5 version I was presented the usual warning, but after double checking the certificate fingerprint I could click the [Confirm Security Exception] button and TorBrowser would connect.
However, in the 3.6.6 version after I click the [Confirm Security Exception] button, the dialog window disappears, a spinner is shown and TorBrowser starts trying to connect. However the page will never load.
Works for me with https://www.patternsinthevoid.net/. What page is not working for you?
Georg
Bram de Boer wrote:
I am having trouble using TBB 3.6.6 to connect to a website that uses a self-signed certificate. [...]
Georg Koppen wrote:
Works for me with https://www.patternsinthevoid.net/. What page is not working for you?
Georg, thanks for your help. I can access that page too (nice ascii art). The page I was having trouble with is https://nosur.com (never mind the basic-auth on that page). After tweaking the security.nocertdb switch as suggested by Mike I can consistently connect to that page now too, but I couldn't before.
Thanks, Bram
Bram de Boer wrote:
Bram de Boer wrote:
I am having trouble using TBB 3.6.6 to connect to a website that uses a self-signed certificate. [...]
Georg Koppen wrote:
Works for me with https://www.patternsinthevoid.net/. What page is not working for you?
Georg, thanks for your help. I can access that page too (nice ascii art). The page I was having trouble with is https://nosur.com (never mind the basic-auth on that page). After tweaking the security.nocertdb switch as suggested by Mike I can consistently connect to that page now too, but I couldn't before.
Glad it is working for you. I *cannot* connect to the site at the moment despite switching the pref as you did. Thus, I am currently inclined to think this is an issue with this particular website and not something related to the preference in question...
Georg
Bram de Boer wrote:
The page I was having trouble with is https://nosur.com [...]
Georg Koppen wrote:
I *cannot* connect to the site at the moment despite switching the pref as you did.
Thanks for trying. And can you access the website with TBB 3.6.5? If so, that confirms the behaviour I have been seeing.
I have found one difference between 3.6.5 and 3.6.6 that still consistently occurs; perhaps by-design?
- Preferences > Privacy > Use custom settings for history
- Untick "Always use private browsing mode". TB will now restart
- Visit website with self-signed certificate
- Tick "Permanently store this exception"
- Clicking [Confirm Security Exception] won't have any effect. The button animates the click but nothing happens?!
This occurs with both https://www.patternsinthevoid.net and https://nosur.com. I have successfully used the flow described above with all previous TBB versions. Afterwards I immediately re-enable the "Always use private browsing mode" option and then have the permanent exception for the website.
Was this behaviour changed by design? If so, it might be user-friendlier to just disable the checkbox, rather than having a non-functional button. What is the recommended way to add a permanent exception (if at all, because that would obviously make the user uniquely fingerprintable)?
Thanks, Bram
Bram de Boer wrote:
Bram de Boer wrote:
The page I was having trouble with is https://nosur.com [...]
Georg Koppen wrote:
I *cannot* connect to the site at the moment despite switching the pref as you did.
Thanks for trying. And can you access the website with TBB 3.6.5? If so, that confirms the behaviour I have been seeing.
I have found one difference between 3.6.5 and 3.6.6 that still consistently occurs; perhaps by-design?
- Preferences > Privacy > Use custom settings for history
- Untick "Always use private browsing mode". TB will now restart
- Visit website with self-signed certificate
- Tick "Permanently store this exception"
- Clicking [Confirm Security Exception] won't have any effect. The button animates the click but nothing happens?!
This occurs with both https://www.patternsinthevoid.net and https://nosur.com. I have successfully used the flow described above with all previous TBB versions. Afterwards I immediately re-enable the "Always use private browsing mode" option and then have the permanent exception for the website.
Was this behaviour changed by design? If so, it might be user-friendlier to just disable the checkbox, rather than having a non-functional button.
That is part of the patch behind the "security.nocertdb" preference. I.e. if you set it to "false" your workaround is still supposed to work. That said it might be smarter to bind that preference to the private browsing mode (as the "Permanently store this exception"-checkbox already is) than messing with the checkbox itself. Do you mind opening a ticket at https://trac.torproject.org?
What is the recommended way to add a permanent exception (if at all, because that would obviously make the user uniquely fingerprintable)?
There is no recommended way :) but as I said above switching "security.nocertdb" to "false" should help.
Georg
Georg Koppen:
Bram de Boer wrote:
Bram de Boer wrote:
The page I was having trouble with is https://nosur.com [...]
Georg Koppen wrote:
I *cannot* connect to the site at the moment despite switching the pref as you did.
Thanks for trying. And can you access the website with TBB 3.6.5? If so, that confirms the behaviour I have been seeing.
I have found one difference between 3.6.5 and 3.6.6 that still consistently occurs; perhaps by-design?
- Preferences > Privacy > Use custom settings for history
- Untick "Always use private browsing mode". TB will now restart
- Visit website with self-signed certificate
- Tick "Permanently store this exception"
- Clicking [Confirm Security Exception] won't have any effect. The button animates the click but nothing happens?!
This occurs with both https://www.patternsinthevoid.net and https://nosur.com. I have successfully used the flow described above with all previous TBB versions. Afterwards I immediately re-enable the "Always use private browsing mode" option and then have the permanent exception for the website.
Was this behaviour changed by design? If so, it might be user-friendlier to just disable the checkbox, rather than having a non-functional button.
That is part of the patch behind the "security.nocertdb" preference. I.e. if you set it to "false" your workaround is still supposed to work. That said it might be smarter to bind that preference to the private browsing mode (as the "Permanently store this exception"-checkbox already is) than messing with the checkbox itself. Do you mind opening a ticket at https://trac.torproject.org?
What is the recommended way to add a permanent exception (if at all, because that would obviously make the user uniquely fingerprintable)?
There is no recommended way :) but as I said above switching "security.nocertdb" to "false" should help.
For me, it was only broken if disk history is enabled. Otherwise the dialog worked.
I just filed https://trac.torproject.org/projects/tor/ticket/13366 for this, and fixed it by switching the pref to false automatically when disk history storage is enabled in Torbutton.
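The combination this thread identifies (disk history enabled while security.nocertdb is still true) can be checked for in a profile's prefs.js. The following is an added example, not code from Torbutton or from anyone in the thread; it assumes that "Always use private browsing mode" maps to the Firefox pref browser.privatebrowsing.autostart and that both prefs default to true when absent, and the sample prefs.js bodies are constructed.

```python
import re

# Assumed defaults when a pref is not set in prefs.js (inferred from the thread:
# TBB 3.6.6 starts in private browsing mode with security.nocertdb=true).
DEFAULTS = {
    "browser.privatebrowsing.autostart": True,
    "security.nocertdb": True,
}

# Matches uncommented lines such as: user_pref("security.nocertdb", false);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false)\s*\);', re.M)


def read_bool_prefs(text):
    """Return the two prefs of interest, applying file values over DEFAULTS."""
    prefs = dict(DEFAULTS)
    for name, value in PREF_RE.findall(text):
        if name in prefs:
            prefs[name] = value == "true"  # a later line overrides an earlier one
    return prefs


def audit(text):
    """Classify the pref combination found in a prefs.js body."""
    prefs = read_bool_prefs(text)
    private = prefs["browser.privatebrowsing.autostart"]
    nocertdb = prefs["security.nocertdb"]
    if not private and nocertdb:
        # Disk history on, certificate DB off: the state in which the
        # [Confirm Security Exception] button was reported to do nothing.
        return "broken-dialog"
    if private and not nocertdb:
        # Workaround left in place: certificate state may be written to disk
        # even though private browsing is on.
        return "certdb-on-disk"
    return "consistent"


# Constructed sample prefs.js bodies.
SAMPLE_BROKEN = 'user_pref("browser.privatebrowsing.autostart", false);\n'
SAMPLE_WORKAROUND = '// user_pref("security.nocertdb", true);\nuser_pref("security.nocertdb", false);\n'
SAMPLE_FIXED = SAMPLE_BROKEN + 'user_pref("security.nocertdb", false);\n'

if __name__ == "__main__":
    for label, body in [("broken", SAMPLE_BROKEN), ("workaround", SAMPLE_WORKAROUND), ("fixed", SAMPLE_FIXED)]:
        print(label, "->", audit(body))
```

The "certdb-on-disk" result is the case to revert after testing, since a stored permanent exception is the fingerprinting concern raised earlier in the thread.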