> Quite often, the reason the site operator tried to use HTTPS at all
> was that they're doing something that really does need security,
> something they would never dream of using HTTP for. So without the
> browser knowing what a site is for, letting you use misconfigured/
> vulnerable HTTPS is, on average, much riskier than letting you use
> HTTP.

FWIW, in the three years since I wrote this, the situation has changed hugely. Browser vendors have encouraged sites in general to adopt HTTPS (both by offering new abilities only to HTTPS sites, and by showing increasingly-scary UI for HTTP), and pages loaded over HTTPS worldwide have increased from 38% to 76%. <https://letsencrypt.org/stats/#percent-pageloads> So it’s no longer the case that most HTTPS sites are “something they would never dream of using HTTP for”.

So, it might now be more justified to let people override HTTPS misconfiguration/vulnerability blockages than it was before. But maybe other factors have changed too, such as the frequency of misconfiguration or the frequency of attacks.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1485020

Title:
firefox 40 shows a non-overrideable security error when talking to a captive portal

Status in firefox package in Ubuntu:
New

Bug description:
When trying to connect to the airport wifi at the Portland Airport (https://flypdxconnect.portofportland.com:8443/guestportal/gateway?sessionId=eb0a3d0a003315a2c104ce55&portal=LOC1&action=cwa), firefox presents me with a non-overrideable security error:

Secure Connection Failed

An error occurred during a connection to flypdxconnect.portofportland.com:8443. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

When the user is behind a captive portal and talking to that portal is the only way to get Internet access, it is not acceptable to enforce an SSL security policy where the user has no way of overriding it, no way of fixing the server, and no reason to care about the security of the connection to this server.

As a workaround for this issue, I ran chrome.

