Firefox regularly displays warning pages when a site does not have a valid SSL certificate or still uses the HTTP protocol. This blocking protects the data transmitted between the browser and the server, but it can also prevent access to local interfaces, network devices, or sites whose certificate has simply expired. Understanding the mechanisms behind these alerts allows for an informed decision before forcing access.
Blocking outdated encryption algorithms in Firefox
Firefox error messages are not limited to sites without a certificate. Recent versions of the browser include a strengthened block for certain outdated encryption algorithms, such as SHA-1. A site may therefore have an SSL certificate while remaining inaccessible if that certificate relies on technology that Mozilla considers vulnerable.
See also : How to Easily Access Your Online Academic Mail?
This tightening is based on the recommendations of Mozilla’s root certificate authority and has intensified over the years. In this specific case, the user will not always see the “Accept the risk and continue” button: Firefox sometimes categorically refuses the connection. The only sustainable solution is to renew the certificate on the server side.
Before making any changes in the browser settings, it is worth checking if the problem originates from the site itself. Major web hosts (OVHcloud, IONOS, o2switch) have widely implemented the automatic activation of Let’s Encrypt certificates. If you are the site administrator, this procedure allows you to allow Firefox to access an unsecured site permanently, without intervention on the browser side.
Further reading : How to Easily Access Cherbourg's Zimbra Mail: Complete Guide
Firefox’s HTTPS-only mode: operation and limitations
Since Firefox 91, the browser offers a HTTPS-only mode that can be activated separately for each profile and private window. When active, Firefox attempts to convert all HTTP connections to HTTPS. If the site does not support HTTPS, an alert page is displayed instead of the content.
This mode is configured in the browser’s security settings. Three options are available:
- Enable HTTPS-only mode in all windows, forcing encrypted connections everywhere
- Enable it only in private browsing windows, leaving regular windows more permissive
- Completely disable it, reverting to Firefox’s default behavior without automatic upgrades
The vast majority of sites now support HTTPS. However, some local interfaces (routers, NAS, IP cameras) operate exclusively over HTTP. For these devices, HTTPS-only mode becomes a concrete obstacle to daily use.
Disabling the mode for a specific site
Firefox allows adding exceptions without changing the global settings. On the alert page, a button offers to continue in HTTP for that specific site. The exception is then remembered, and the site in question no longer triggers the warning on subsequent visits.
To manage these exceptions later, you need to go through the browser settings, under “Privacy & Security,” and scroll down to the section dedicated to HTTPS-only mode. The sites added as exceptions are listed there and can be removed at any time.
SEC_ERROR page: manually accepting the risk
When Firefox blocks a site due to a certificate issue (expired, self-signed, non-matching domain name), the browser displays an error code such as SEC_ERROR_EXPIRED_CERTIFICATE or SEC_ERROR_UNKNOWN_ISSUER. These codes indicate the exact nature of the problem.
On this error page, Firefox sometimes offers an “Advanced” button followed by “Accept the risk and continue.” By clicking on it, you add a permanent security exception for this certificate. The browser will no longer block this site as long as the certificate remains unchanged.
Two precautions to keep in mind:
- A self-signed certificate on a local device (home server, network printer) presents a limited risk if you are on your own network
- An expired certificate on a public site may signal a deeper issue, such as a compromise or abandonment of maintenance
- If the error code mentions HSTS (HTTP Strict Transport Security), the exception button does not appear at all, as the HSTS policy prohibits any bypass on the browser side
The HSTS case: an unbypassable block
Some sites enforce an HSTS policy via HTTP headers. This directive instructs the browser to never accept an unencrypted connection, even if the user explicitly requests it. Firefox strictly adheres to this instruction.
In the face of an HSTS block, the only option is to resolve the issue on the server side. If the certificate has expired, it must be renewed. If the HSTS configuration was mistakenly activated on a test server, it can be removed in the Apache or Nginx configuration.
about:config setting for unsecured connections
Firefox has an advanced configuration interface accessible by typing about:config in the address bar. Among the available settings, security.enterprise_roots.enabled allows the browser to use certificates installed in the system store of the computer, which can resolve some blocks in a professional environment.
Another setting, dom.security.https_only_mode, controls the activation of HTTPS-only mode. Setting it to “false” disables this mode without going through the graphical interface. This manipulation is reserved for users who understand the implications for data protection while browsing the web.
Resetting certificate exceptions
If you have accepted a risk by mistake and wish to restore the security warning, Firefox allows you to remove recorded exceptions. In the settings, under “Privacy & Security,” the “View Certificates” button opens the manager. The “Servers” tab lists all active exceptions, with the option to remove them individually.
The issue of unsecured sites in Firefox decreases each year as hosts widely adopt free certificates. For residual cases (local devices, test sites, internal applications), the browser’s exception mechanisms offer graduated solutions. Checking the source of the block before bypassing it remains the best approach to preserve the security of personal data.