WARNING New Firefox feature WILL break SQRL


PHolder

Well-known member
May 19, 2018
1,225
205
Firefox recently implemented (and even promoted) a new feature for HTTPS Only mode. This feature stupidly applies to localhost connections, which will break the SQRL client connection.

@Steve should probably mention this on the podcast. Other people should report feedback to Firefox to let them know they're applying "security" to a connection which is already secure. They need to fix it or allow an exception checkbox, or something. (In Firefox, under help, there is an option to send feedback.)

Here's an info graphic if you need one:


[image: 2020Nov21_DeadSQRL.png]
 

shanedk

Well-known member
May 20, 2018
421
113
Bug #1220810 is supposed to fix this. It hardcodes localhost to the loopback addresses. In the process, it makes localhost addresses Secure Context so it won't enforce HTTPS-Only on them. Apparently, there's still a bug with *.localhost subdomains, but that shouldn't affect SQRL.
 

PHolder

Well-known member
May 19, 2018
1,225
205
Thanks for the info @shanedk . Here's hoping they actually do manage to get it fixed. I am fast losing faith in Mozilla to do anything like the right thing any more. :cautious:
 

Russell

Member
Apr 28, 2019
12
0
When I first set up SQRL I had the same problem using EFF's HTTPS Everywhere. I ended up having to tell HTTPS Everywhere to ignore this site in order for SQRL to do its thing.
 
Oct 30, 2020
7
2
Would it be out of the question to use a self-signed certificate so that the localhost:25519 connection *can* be done with SSL? Obviously it wouldn't have authentication, but would that allow Firefox to make the connection, or will it still throw up a warning? (Like curl -k, which uses https but blindly accepts the certificate it's given.)
 

PHolder

Well-known member
May 19, 2018
1,225
205
Would it be out of the question to use a self-signed certificate
In a word or two: Yes, it would be a bad idea to do that.

The longer reason why it's a bad idea: The only way to use a self-signed certificate is if the key is installed in the clear. (Yes you can encrypt it, but then you need to store the encryption password in the clear. It is a physical impossibility to have something encrypted with a password that isn't ultimately in the clear.)
 

Petro

New member
Dec 14, 2020
3
0
Bug #1220810 is supposed to fix this. It hardcodes localhost to the loopback addresses. In the process, it makes localhost addresses Secure Context so it won't enforce HTTPS-Only on them. Apparently, there's still a bug with *.localhost subdomains, but that shouldn't affect SQRL.
I'm brand new to SQRL. Trying out the demo page, I ran into this problem using Firefox 83. Just in case anyone else winds up here, it seems this bug gets fixed in Firefox 84. For now, disabling https-only gets around the problem.

[image: 1608024366374.png]
 

PHolder

Well-known member
May 19, 2018
1,225
205
I am running Firefox 84 and nothing has changed, near as I can tell... it's still broken.
 

PHolder

Well-known member
May 19, 2018
1,225
205
Are you directly linking to the Emby server (i.e. manually entering a URL into the browser)? SQRL uses Javascript to access the port 25519 localhost URL and I assume it is some part of that which is causing the problem. If you capture the URL and manually enter it, it will cause SQRL to prompt you for login (which was something I think you probably experienced.) There is something deeper here that may need additional fixing by Mozilla, but we first need to get a handle on what exactly broke.
 

shanedk

Well-known member
May 20, 2018
421
113
Yes, I can confirm that HTTPS-only mode breaks logins with 84. But it's not because of the localhost issue, which seems to be working fine (I get the green text on Steve's client).

Rather, it's sending back the CPS link to the browser and Firefox chokes on it, for some reason. It works fine if you turn off HTTPS-Only mode.
 

Vela Nanashi

Well-known member
May 19, 2018
720
124
Maybe https only does not like redirects between http and https sites, at all, and blocks those, or maybe just in one direction?

Since SQRL does: site -> SQRL client -> site, so most likely https -> http (localhost) -> https, one of those arrows breaks for whatever reason.
 

Petro

New member
Dec 14, 2020
3
0
Are you directly linking to the Emby server (i.e. manually entering a URL into the browser)?
Usually I select "Configure Emby" from the server app. It then opens a browser page with that URL.
I don't know the mechanism of how exactly the app opens the browser page.
 

PHolder

Well-known member
May 19, 2018
1,225
205
mechanism of how exactly the app opens the browser page.
Okay, but it's probably NOT Javascript, so that was what I was wondering. I suspect there is something particular going on related to Javascript or something.
 

PHolder

Well-known member
May 19, 2018
1,225
205
Yes, it doesn't appear like they intend to fix the issue, near as I can tell. I can't be personally bothered to fight that fight with them, I've had my bug reports buried too many times before.
 

Russell

Member
Apr 28, 2019
12
0
Strangely enough though, Brave browser with 'upgrade connections to HTTPS' enabled works fine. However, I have encountered a few sites where it loads the http version of the site, yet Firefox will 'upgrade the site' to the https version. I guess that Brave's https upgrading system isn't as robust as FF's?