cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
KERR
Making moves
Status: New idea

Using this test website, Firefox offers no way to proceed past the HSTS error:

https://subdomain.preloaded-hsts.badssl.com/

KERR_2-1646179948211.png

 

Vivaldi allows you to continue by clicking a proceed:

KERR_1-1646179771430.png

 

Chrome and Edge allow you to proceed by typing "thisisunsafe"

KERR_0-1646179703168.png

It would be handy to let us bypass these warnings (at our own risk), similar to how we can add exceptions to sites with invalid certs. It's not a common use case, but coming across one of these means my only option is to use Chrome/Edge/Vivaldi.

46 Comments
Archprogrammer
Strollin' around

This is also needed to work around bad design at times - like a NAS device with a web interface which when its certificate has expired still requires you to update it via that same web interface if you forgot to enable SSH access in the configuration.

Mis012
New member

I would like to point out that in the case of an otherwise correct certificate that expired less than 24 hours ago, there is absolutely no way an attacker would have access to that certificate.

Also, there is the sentence `The issue is most likely with the website, and there is nothing you can do to resolve it.`... I guess this is technically not a lie, but it's obvious that the user cannot resolve an issue with the server, the implicit question is whether the issue with the server can be worked around on the client, which it in fact can. Also, "The issue is most likely with the website" implies that you think it's actually UNLIKELY that this is actually a security threat, which makes it ever more insulting when the user finds out that it in fact *IS* possible to work around this on the client.

Anyway, I believe there are two points that need to be understood:
1. there are legitimate reasons to want to bypass this (this is, notably, a non-negotiable FACT, just bringing up a single one is enough to prove that the number is non-zero)
2. it is a very bad security practice to force a user to completely disable a security measure instead of allowing as narrow of an exception as possible (e.g an about:config having an option "allowAddingHSTSExceptionsFor: [expired]", which will allow adding exceptions, which will be per-site and possibly only apply until the browser is closed when desired) (this is, notably, also a non-negotiable FACT)

As for the second point, someone brought up a firewall, and correct me if I'm wrong, but isn't the entire point of a firewall to allow for a more granular security policy than choosing between having everything on your system directly exposed to the internet and unplugging the ethernet cable? If there was to be a parallel between this and firewall, it would be that Mozilla's stance is "If you don't want to be secure and have your system airgapped, there's always the option of connecting directly to the internet with no protection! We don't understand why anyone would want something in between"

lamasp
New member

Go to History -> Show All History

Select any link from the history which has this domain

Right click, select "Forget about this site..."

Click "Forget"

Done. You can now browse to a site that was throwing up HSTS errors.

Lisha
New member

Bypassing HSTS (HTTP Strict Transport Security) errors in Firefox is generally not recommended as it can compromise your security by allowing connections to potentially insecure sites. HSTS is a security mechanism that forces browsers to interact with websites only over HTTPS, thus protecting against certain types of attacks, such as man-in-the-middle attacks.
However, if you absolutely need to bypass an HSTS error for a specific site (e.g., for development purposes), you can do so by following these steps:

1. Clear HSTS Settings for a Specific Site:
- Type `about:preferences#privacy` in the Firefox address bar and press Enter.
- Scroll down to the "Cookies and Site Data" section and click on "Manage Data…".
- In the search bar, type the domain of the site causing the HSTS error.
- Select the site from the list and click "Remove Selected".
- Click "Save Changes" and then "Remove" to confirm.
- Close and reopen Firefox, then try accessing the site again.

2. Temporary Bypass Using Developer Tools:
- Open the site that triggers the HSTS error.
- Open the Developer Tools by pressing `Ctrl+Shift+I` (or `Cmd+Option+I` on Mac).
- Go to the "Security" tab.
- You'll see a warning related to HSTS. While you can't directly bypass HSTS from here, understanding the security issue can help you address the root cause, such as updating the SSL certificate.

3. Modify Firefox Configuration (Advanced Users Only):
- Type `about:config` in the Firefox address bar and press Enter.
- Click "Accept the Risk and Continue" to proceed.
- In the search bar, type `hsts`.
- Look for the preference named `network.stricttransportsecurity.preloadlist` and double-click it to set its value to `false`. This disables the preload list, which is generally not recommended.
- Restart Firefox.

Read More Information : https://www.cheapsslshop.com/blog/top-ways-to-fix-ssl-certificate-error

ocdtrekkie
New member

@lamasp @Lisha These actually are not solutions, because they only work for sites using the HSTS preload list. Nothing helps if the HSTS header is provided by the server.

BNF0
Strollin' around

@Lisha... none of which are actual solutions to our problem. These solutions only work if the site is already in the HSTS list, and not actively sending a HSTS header while accessing the site (and then not providing correct encryption). The latter is a common case in development, and the default behavior if a certificate becomes invalid. What would be a solution is if Firefox finally allowed us to bypass this message, similar to what Chrome and Edge are already long doing (without having to disable the whole HSTS feature).

lightstar
New member

still waiting for the add exception/continue at your own risk button

z3roCoo1
New member

I need a temp bypass solution in FF for the Peplink InTouch feature. Why has this not been implemented yet?

mann_brenner
New member

I faced the same problem a few months ago and after much research and reading many blogs, I have found the solution from this article https://cheapsslweb.com/blog/how-to-disable-hsts-settings-in-chrome-firefox/. I hope this will help someone.

risa1987
New member
eden_allen
New member

You can disable HSTS in Chrome by following the steps provided below:

Process:

  • Open Chrome.
  • Type “chrome://net-internals/#hsts” in the address bar.
  • In “Query HSTS/PKP domain,”; enter the domain name of the site for which the HSTS settings are to be removed.
  • Finally, enter the domain name under this Delete domain security policy and click the Delete button.

I found the solution for firefox also from this article https://certera.com/blog/how-to-disable-hsts-in-chrome-firefox Hope this will work for you

sim642
New member

Since SiteSecurityServiceState.txt has been replaced with a proprietary binary file, I've found the safest (!) way to do this to be hex editing that binary file. I've spelled out the steps here for anyone that needs it: https://sim642.eu/blog/2024/08/10/firefox-hsts-bypass/.

Suggesting users to "Forget this site" or delete SiteSecurityServiceState.bin is a choice between their data (worse) and their security (worst).

BNF0
Strollin' around

Why is there still nothing happening with this topic, even after 2 years? Mozilla, be open! Be better!

mtrantalainen
New member

The site is *literally* configured to use encrypted connection with an option "Please, do not allow connection to the site unless a valid TLS certificate is provided." (also called HSTS) and when the site has invalid TLS certificate you think the browser should connect anyway? Despite the fact that the server has explicitly declared that the content on the site is too important to access without a valid certificate??

The only thing that Firefox should provide is to add button "Reload the certificate" but as far as I know, Firefox already does this if you reload the page. This allows the site to start working immediately the TLS certificate has been fixed on the server.

Server administrators shouldn't be using HSTS unless they actually want to enforce a valid TLS certificate.

mtrantalainen
New member

And to people still wondering why Firefox doesn't "fix" this issue, Firefox is simply following the standard which expliclitly says that the user shall not have an option to skip the security. See the bug report

https://bugzilla.mozilla.org/show_bug.cgi?id=1528738

and the actual RFC 6797 section 12.1, No User Recourse for details:

https://datatracker.ietf.org/doc/html/rfc6797#section-12.1

If you're the server administrator of a site hitting this issue, just fix your server!