Thursday, January 21, 2016

Can't see Instagram in Firefox?

Trouble was, that Instagram and embedded Instagram pictures recently stopped loading in Firefox.
This also affects other Gecko-based browsers.
> If you want to skip the story, jump to solution.

While I also use NoScript on desktop Firefox, and on Firefox for Android, all the necessary instagram domains were allowed.

On the desktop, I'm mostly using Firefox 39.0.3, because it plays well with Flash. (There were no issues like that with other browsers.) First I thought, that this was because I wasn't using the latest Firefox. As this Firefox version plays well with Flash, I didn't want to upgrade to the latest version, because with the latest Firefox, Flash playback on YouTube is jerky since Firefox 40.

But the Instagram issue repeated, when I was also using the latest Firefox for Android. Initially I thought, that this was the fault of Instagram, and since I don't use Instagram or Facebook, I didn't think much beyond that. And for a month or so, I couln't resolve it.

But when Instagram showed in a different computer in the latest desktop Firefox (43.0.4) with the same extensions installed, I began to investigate again.

When reloading a random Instagram page while also watching the Firefox Browser Console, I found an error, which, in pasted form, looks like this:
05:16:59.308 An error occurred during a connection to

Peer attempted old style (potentially vulnerable) handshake.

(Error code: ssl_error_unsafe_negotiation)
After some searching, I found the solution in a game forum.

SSL safe negotiation setting

Turned out, that when perusing the Privacy Settings extension of Firefox, I had turned all the settings to most secure, and among them turned on security.ssl.require_safe_negotiation. After I turned that off, Instagram showed again.

If you don't have the Privacy Settings extension installed, go to about:config and type in or paste security.ssl.require_safe_negotiation . The boolean setting value for it should be false. If not (if it's true), then double-click the setting or press enter on it to set it to false. Or right-click for context menu to Toggle.

Otherwise, the Privacy Settings extension is awesome, and I recommend it to everyone.

Whereas people who manage, should implement new-style SSL/TLS handshakes to keep their corner of the web safe.

So this was the issue that affected me.


If, on the other hand, the above is not an issue, then you might be having NoScript installed to defend your browser from malware, and among other things, it's blocking Instagram domains, which means they're not in the whitelist. Jump to domains.

NoScript has a blue "S" button that shows the status of whether a page is completely blocked, half-blocked (content from other domains has been blocked, which is most common), or completely allowed.

That button is usually visible in the location bar, or accessible through Firefox's hamburger menu. (If the blue 'S' is not there either, click the green Customize button in the hamburger menu to see if the NoScript button is listed in the 'Additional Tools and Features' section.)

One can change NoScript domain permissions thus:
* Hover the pointer over the blue "S" button, which launches a menu with a list of domains. If the NoScript menu is very long, it has small up and down arrows for scrolling.
* To whitelist a domain, click on "Allow domainname.tld". Alternately, domains can be blocked by clicking on "Block domainname.tld". This can be done in one go for several domains.
* Once the cursor hovers away from the menu, NoScript will automatically reload the affected page (or pages in other tabs). If a page or pages don't reload (per custom settings), they can be reloaded manually.

For Instagram, the following domain names must be allowed:
The above are all third-level domains, because they contain three name components separated by periods/dots.

By default, NoScript shows only base second-level domains, such as without the www and a dot. For most common users with NoScript, allowing and is sufficient.

No comments: