Can the text in the Add Security Exception be modified?
Our company has built an application that is currently used by many banks. Recently, we have updated the application to change from a thick client to a thin client using web browsers. The web based client communicates via SignalR to a local windows service that gets installed in order to talk with a check scanner. The web application is served as an HTTPS web site and the local window service which uses SignalR also runs via HTTPS. When the local windows service is installed, a self-signed certificate is generated and installed on the local computer.
When the web client is run on a Mozilla Firefox web browser, a security exception must be manually added for the localhost URL of the SignalR service. The problem is that in the Add Security Exception dialog, the following text is displayed by Firefox: “You are about to override how Firefox identifies this site. Legitimate banks, stores, and other public sites will not ask you to do this.” Since our applications are used and hosted by banks, this message is not true in our case.
We cannot install a unique signed certificate for every client, which is why we generate a self-signed certificate. We cannot host the local windows service running as just under HTTP, because then the web client cannot communicate with the local windows service due to mixed content security violation. We know the shield in address box on Firefox can disable the protection, but this would have to be done every time.
Is there an alternative to the text in the Add Security Exception from being displayed? Or do you have another suggestion on how to get around this issue? Or can the text in the Add Security Exception dialog box be modified?
Ilungisiwe
All Replies (1)
You can't change that text from a web site (or the bad guys could also), but you could from an add-on. But if you had an add-on it could install the self-signed cert exception for you. For that matter the add-on could be what the web site communicates through to the device, but then this would be a Firefox-specific solution.
If the local service cert is self-signed how does the web app know it's talking to the legitimate service? How do you keep other web sites who know about your service from trying to talk to it? If you trust it simply because it required an installer to create the service running on https://localhost:8888/ (or whatever port) why not get a legitimate cert and install the same one on every client?
How do you handle this in other browsers? At least Firefox remembers exceptions so you only have to set them up once. On other browsers users will have to "click through" the bad-cert page every time they restart their browser.