[thelist] Drupal/Firefox Access issue

Jeffrey Joslin lists at joslins.net
Wed Aug 20 15:23:07 CDT 2008


Simon MacDonald wrote:
...
> I've just put up a test install of Drupal v6.3 (installed using Fantastico
> on my ISP web space). Access is fine using IE and Safari, but with Firefox
> 3, I log in as admin and get access denied.

It just occurred to me that this sounds an awful lot like it may be 
related to the controversial issue of how Firefox 3.0 now handles 
self-signed certificates.

So, are you attempting to log in via a secure (https:// ) link, via your 
own self-signed certificate (instead of a paid, cert-authority chained 
certificate)?

If you have been attempting to connect via a secure (https:// ) 
connection, have you tried connecting directly to the site in the usual 
http://site.com format?

Background: The new Firefox 3 immediately and automatically rejects 
attempts to connect to servers with self-signed certificates and 
immediately dumps the user to a scary looking "access denied" security 
warning screen similar to what you mention.  The other major browsers 
(such as IE and Safari), on the other hand, simply ask the user if 
they'd like to accept the self-signed certificate being offered to 
complete the connection, easy as clicking an "ok" button when prompted.

This has caused a major controversy out there with many calling this 
default rejection by Firefox 3 a browser-based violation of net 
neutrality concepts, forcing hosts to pay for expensive chained 
certificates just to avoid outright rejection and scary security 
messages displayed to users.

It is possible for the user to go back and manually add a security 
exception for each self-signed certificate one encounters in Firefox 3 
once reaching the site has failed and one has arrived at the security 
warning / access failure screen.

But first of all the user has to understand that is an option (and that 
it's their browser that is failing, not the server/host in question...).

From there it is a user-initiated series of two or three steps to 
manually load the certificate in question and add it in as an exception, 
each step of which provides potential points of intimidation and/or user 
drop-off.

So back to the question above...is this happening to you via https:// 
connections, or via *all* connections attempted, even as just plain 
http://... ?

Curious.

jj
