Firefox

17857 readers

1 users here now

A place to discuss the news and latest developments on the open-source browser Firefox

founded 5 years ago

MODERATORS

On .LAN domains, how to stop firefox switching to https (when it's not available) and stop complaining about self-signed certificates when it is available ? (lemmy.ml)

submitted 10 months ago* (last edited 10 months ago) by interdimensionalmeme@lemmy.ml to c/firefox@lemmy.ml

22 comments fedilink hide all child comments

I'm just so annoyed of fighting this all the time.

If I can't figure this out I'm going to disable all https redirecting and all certificate errors off so I can have some peace

EDIT: I do not wish to manage certificates I do not want to setup private key infrastructure I don't want to use real internet domain names I don't want to manually install certificates into browsers after fishing them out of my ephemeral virtual machines

I just want to, add exception for *.lan for https auto redirect and auto-accept self-signed certificates as valid. This is not much to ask.

you are viewing a single comment's thread
view the rest of the comments

[–] ulterno@lemmy.kde.social 0 points 10 months ago (2 children)

For the certificate errors, just add a root CA of your own making.
Disabling auto-https, no idea. Maybe fix the source?

[–] Carighan@lemmy.world 3 points 10 months ago (1 children)

Yeah I was about to say, just do https? It's not like getting a certificate is still a big deal in modern times, hasn't in years.

[–] ulterno@lemmy.kde.social 0 points 10 months ago

My router doesn't have an HTTPS control page.
Sometimes frustrating.

[–] ReversalHatchery@beehaw.org 1 points 10 months ago* (last edited 10 months ago) (1 children)

does not sound like a good idea. your own CA can sign certs for any other sites too, and it's dangerous.

I would say it's even more dangerous of you just think "nah, it'll be fine"

[+] lud@lemm.ee 2 points 10 months ago* (last edited 1 month ago) (3 children)

[deleted]

[–] ReversalHatchery@beehaw.org 1 points 10 months ago* (last edited 10 months ago)

forgot this part

P.S. I'm guessing OP doesn't actually have a CA and is just using simple self signed certificates without any private CA that has signed them.

I assume that too, however the person I responded to recommended using a full fledged CA cert.

[–] ReversalHatchery@beehaw.org 1 points 10 months ago (1 children)

but it's their CA so why would they do that?

I don't mean them specifically, but that to me managing access to such a CA cert's keys is security nightmare, because if I somehow get an infection, and it finds the cert file and the private key, it'll be much easier for it to make itself more persistent than I want it.

But if you don't trust your own CA what's the point of having a CA?

That's the point. I don't recommend having one. I recommend self signed certs that are

limited to a lan (sub)domain or a wildcard of it
you verified by the fingerprint (firefox can show this)
you only allowed for those of your internal services for the cert was intended

Or if you don't want to deal with self signed certs, buy a domain and do lets encrypt with the DNS challenge.
That's also more secure, but can be more of a hassle, though I guess it depends on preference.

But then I would use this latter one too if I had opened any services to the internet, but I didn't because I don't need to.

[–] ulterno@lemmy.kde.social 0 points 10 months ago

P.S. I’m guessing OP doesn’t actually have a CA and is just using simple self signed certificates without any private CA that has signed them.

You're right. I'm talking about making a certificate using gpg and storing it on your system. Then adding it to the root CA list and signing all your Local SSH stuff with it.