[thelist] Drupal/Firefox Access issue
Jeffrey Joslin
lists at joslins.net
Wed Aug 20 15:23:07 CDT 2008
Simon MacDonald wrote:
...
> I've just put up a test install of Drupal v6.3 (installed using Fantastico
> on my ISP web space). Access is fine using IE and Safari, but with Firefox
> 3, I login as admin and get access denied.
It just occurred to me that this sounds an awful lot like it may be
related to the controversial issue of how Firefox 3.0 now handles
self-signed certificates.
So, are you attempting to log in via a secure (https:// ) link, via your
own self-signed certificate (instead of a paid, cert-authority chained
certificate)?
If you have been attempting to connect via a secure (https:// )
connection, have you tried connecting directly to the site in the usual
http://site.com format?
Background: The new Firefox 3 immediately and automatically rejects
attempts to connect to servers with self-signed certificates and
immediately dumps the user to a scary looking "access denied" security
warning screen similar to what you mention. The other major browsers
(such as IE and Safari), on the other hand, simply ask the user if
they'd like to accept the self-signed certificate being offered to
complete the connection, easy as clicking an "ok" button when prompted.
This has caused a major controversy out there with many calling this
default rejection by Firefox 3 a browser-based violation of net
neutrality concepts, forcing hosts to pay for expensive chained
certificates just to avoid outright rejection and scary security
messages displayed to users.
It is possible for the user to go back and manually add a security
exception for each self-signed certificate one encounters in Firefox 3
once reaching the site has failed and one had arrived at the security
warning / access failure screen.
But first of all the user has to understand that is an option (and that
it's their browser that is failing, not the server/host in question...).
From there it is a user-initiated series of two or three steps to
manually load the certificate in question and add it in as an exception,
each step of which provides potential points of intimidation and/or user
drop-off.
So back to the question above...is this happening to you via https://
connections, or via *all* connections attempted, even as just plain
http://... ?
Curious.
jj
More information about the thelist
mailing list