
Option to safely yet simply add exceptions for java, flash and self signed certs?

Highlighted

Hi. I'm new here. Kind of excited that Edge is turning this direction, I'm optimistic that the "powers at be" can keep traction and accomplish what is being asked for.

After a couple days of Win 10 and letting that Edge do its thing I gave up and did everything in my power to remove it and not see it again. Over a year later I hear a guy promoting EdgeDEV in a CAD forum, I respect his opinions so I gave it a try. Gotta say I'm liking it.

To my question/request. I have various devices with embedded web sites, embedded controller card in servers for example and other devices that were IoT before marketing people made it a buzzword. Unfortunately the security measures of modern browsers have made it impossible or very hard to find a method to allow java or flash or other content or even accept the self signed certs from these devices. If that device is on my LAN behind a firewall I should be able to fairly quickly add it to list or save zones.

Please make a straightforward method to trust specific IPs (ranges) or URLs to run self signed certs, and run javaws, and perhaps allow flash.

Please don't get me wrong, I'm grateful for the warnings and protection when browsing the wild wild web, but when on my own LAN I would like the ability to free roam with warnings at most, not disabled or not allowed type dialogs.

6 Replies
Highlighted

@bnemec @Elliot Kirk 

There are flags (experiments) that allow more control, especially for developers. You can access them in edge://flags. Elliot might be able to give you some pointers about which flags to try, or if they need to add another one. Hope this helps.

-Cam

Highlighted
Hi, welcome to the forum!

I think trusting certificates is outside of the scope of the browsers. It has something to do with Windows. If your computer trusts the self signed certificate (i.e. that certificate is placed inside the Trusted Root Certificate Store of that computer), then all of the programs on that computer should trust that self signed certificate, including browsers, like Edge, Chrome etc.
You can also set up your personal CA to automatically take care of that and make the process easier like I did.

About Adobe Flash, it's set to be removed from all of the major browsers in December 2020.
Highlighted

@HotCakeX 

Thank you for expanding on that for me. TBH I don't know much about the inner workings of how browsers interact with the OS and other add-ins.

Please correct me where I'm wrong, but didn't Firefox provide a really simple way to add the cert or site to trusted list of the computer right from the "Site not safe" warning dialog?

Let's say the site doesn't load due to self signed or old cert, then I could click on the lock icon, get the information and a place that says something to the effect of "advanced" or "developer" where I could choose to allow that cert from the site or maybe anything from that site, because it know it's a little web enabled device serving up a simple web console or interactive site. Add a warning that says, "Don't do this unless you trust the site; you are making your computer vulnerable to attacks and your antivirus won't be able to help you."

I understand why people are moving away from Flash, but not supporting it at all seems a little brash. On the bright side I cannot think of many embedded systems with Flash code that don't have firmware updates available.

Highlighted
Solution

Oh it's alright, I don't use Firefox much but I know the universal and correct way to trust any Certificate Authority, including the self signed certificate, is this way:
- In Windows RUN, enter "certlm.msc" (with Admin rights)
- Navigate to the Trusted Root Certificate Authorities store (should be the 2nd from top)
- Right-click anywhere and select import, then browse for your self signed certificate CA.

To get this certificate you need to go to the computer/server where you generated the self signed certificate, go to its Trusted Root Certificate Authorities store and export it. Now when exporting, you should first decide if it's going to be used on a server or client. If it's a server then export with private key, if it's a client don't export with private key.

You're right, almost all companies and developers that provide support for their clients have/will have provided the update for Flash removal by that time.
There are some 3rd party emulators for Flash, but since it won't be getting any more security updates from Adobe, the security risk is fairly high.
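
As an added example (not part of the thread and not any poster's own code), the import steps in the reply above can be scripted in PowerShell with checks before the certificate goes into the local machine's Trusted Root store. The function name, file path and thumbprint are placeholders, and the thumbprint is assumed to have been read from the device itself rather than from the same file.

```powershell
# Added example: vet an exported device certificate, then trust it machine-wide.
# Placeholders (not from the thread): the function name, file path and thumbprint.
function Add-VettedRootCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Certificate file exported from the device or server (public part only).
        [Parameter(Mandatory)] [string] $Path,
        # Thumbprint read from the device itself (console, label, vendor tool).
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    $file = (Resolve-Path -LiteralPath $Path).Path
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)

    # A client only needs the public certificate; refuse a file that carries the key.
    if ($cert.HasPrivateKey) {
        throw "File includes a private key. Re-export without it for client use."
    }

    # Compare against the out-of-band thumbprint, ignoring spaces, colons and case.
    $want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $want) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint)."
    }

    # Only a self-signed certificate belongs in the root store.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Not self-signed (issuer: $($cert.Issuer))."
    }

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Outside validity period: $($cert.NotBefore) to $($cert.NotAfter)."
    }

    # If the certificate is marked as a CA, its key can issue certificates for any
    # site once it is a trusted root, so how the device stores that key matters.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    if ($bc -and $bc.CertificateAuthority) {
        Write-Warning "CA:TRUE certificate: whoever holds its key can sign for any host name."
    }

    # Same store the certlm.msc steps use: Local Machine > Trusted Root Certification Authorities.
    if ($PSCmdlet.ShouldProcess($cert.Subject, 'Import into Cert:\LocalMachine\Root')) {
        Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\Root
    }
}

# Dry run first (elevated prompt); remove -WhatIf to perform the import.
# Add-VettedRootCertificate -Path .\device.cer -ExpectedThumbprint '<THUMBPRINT-FROM-DEVICE>' -WhatIf
```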

Highlighted

@bnemec 

There is an emulator that is being created, because games run better on flash than other codes. I threw the idea out there of it being supported and was surprised to see the negative views of flash in general. I agree with you that it shouldn't be thrown out completely, because there are some things on the web that will be lost, and an emulator that is easy on the battery, has a sandbox for security, and quickly loads seems like a solution.

Highlighted

@cjc2112 

As I read the way you phrased it I thought about how my stance on work site safety applies to internet safety, it seems over the years OSHA has moved to enforce policies that attempt to remove all risks from the work site (which is inherently impossible) and spend less time focusing on teaching workers how to identify risks while working and address them based on severity and probability. That identification and mitigation has been removed from the work site and placed on the desk of a foreman or even worse someone hired to do nothing other than handle safety efforts. This trend has more or less implied that the common worker is not capable of being trained to identify risks themselves but someone in an office somewhere else that has likely never run the equipment and tools should do that for them.

What's my rambling point? Padded rooms reek of ignorance.

I'm not saying all people that browse the web should be able to identify malicious lines of code hidden in web pages. I fear the trend is to the opposite extreme of removing functionality in the name of safety at all costs. I know there is a lot of work being done to keep high performance AND maintain a safe browsing environment; nevertheless compromises are being made. Developers have the technology and know-how to produce a safe browsing environment, it is not their responsibility to force that environment on users. The end user must be held responsible for their browsing security; the software should just provide that ability, not enforce it.

Just my opinion, sorry for getting wordy.

 
