cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
KERR
Making moves
Status: New idea

Using this test website, Firefox offers no way to proceed past the HSTS error:

https://subdomain.preloaded-hsts.badssl.com/

KERR_2-1646179948211.png

 

Vivaldi allows you to continue by clicking a proceed:

KERR_1-1646179771430.png

 

Chrome and Edge allow you to proceed by typing "thisisunsafe"

KERR_0-1646179703168.png

It would be handy to let us bypass these warnings (at our own risk), similar to how we can add exceptions to sites with invalid certs. It's not a common use case, but coming across one of these means my only option is to use Chrome/Edge/Vivaldi.

47 Comments
ocdtrekkie
New member

The problem is that the HSTS spec is malicious by design: The "No User Recourse" provision is a violation of the implicit contract between a user and their web browser, that the browser is a "user agent" working on behalf of the user. Without a way to say "I know what I'm doing, load this website", the browser has decided to be controlled by the website, not by the user.

Arguably, the ideal case is someone should amend the HSTS spec to remove the malicious provision, but at minimum, Mozilla needs to stop being the literal only browser refusing to prioritize the user's rights over a server's demands. The fact *Google and Microsoft* are following users' rights better than Mozilla here is astounding.

cautionbug
Making moves

@ocdtrekkiei disagree. In this situation, the browser isn't controlled by the website, it's controlled by a failure to properly secure the connection. The website isn't saying, "Stop me from loading." Firefox is stepping in to protect the user. If you want to argue it's not the browser's job to automatically act on behalf of the user, turn off your firewall, antivirus, swap file, crash recovery, etc. because those all act automatically to protect the user.

TobiasSchn
New member

Mozilla is currently pushing away loyal users who used FireFox since years,
many of them are developers that NEED Bypass options even if something
at the remote host is insecure. Therefore:

STOP FORCE-PATRONISING USERS ON INSECURE TLS CONNECTIONS!

ALLOW BYPASS, NOW !!!

Thanks.

Samual
New member

@cautionbug 

> If you want to argue it's not the browser's job to automatically act on behalf of the user, turn off your firewall, antivirus, swap file, crash recovery, etc.

Yes, that's the point. We can turn all those things off when needed. The same should apply to HSTS.

HstsLover
New member

Currently I'm trying to read a blog post, something that doesn't require the confidentiality provided by tls, but I'm unable to because the server is on the preload list and is serving a certificate that has expired A YEAR AGO. So now, instead of going about my business after acknowledging the expiration of the certificate, I have to jump hoops by spinning up a proxy that intercepts firefox's traffic and serves the website with a certificate created on the fly by a custom CA even though I fully understand what tls is and the "risks" associated with visiting a site with an expired certificate.

Btw really smart, you can't add an exception with about:config for a single site because muh security but installing a new CA for any site (which obviously keeps the padlock happy) is in about:preferences.

ocdtrekkie
New member

Yeah, this is definitely one of those cases where a bad and malicious spec is actually making people less safe, and ultimately causing them to go use a different web browser sometimes just to view plain HTML pages they know and trust the content of. This needs to get fixed, and it needs to stop getting ignored or punted by Mozilla staff.

firefox1337
New member

They won't do anything mate; They don't understand nor listen and are very stubborn (just read the comments).

I'm still using and liking Firefox but it's saddening to watch the devs not seeing the big picture and the risk of disabling security for the whole browser instead of just one website for just once.

 

I still have a bit of hope though, if one of them is reading all our messages about this subject.

hellohi
New member

>> If you want to argue it's not the browser's job to automatically act on behalf of the user, turn off your firewall, antivirus, swap file, crash recovery, etc.

>Yes, that's the point. We can turn all those things off when needed. The same should apply to HSTS.

You quite literally can, by following the directions given on the fifth reply to this post

industrial6
New member

Is there really no way to disable this, even temporarily?! I am a sysadmin and I NEED to be able to override things from time to time.
No wonder devs and coders are switching to Edge....
I refuse to give up Firefox, but you folks sure are making others want to.

dveditz
Employee
Employee

@industrial6: yes, back on the first page there were a couple of ways given to disable this temporarily

https://connect.mozilla.org/t5/ideas/allow-firefox-to-bypass-hsts-errors/idi-p/163#M15411

(note: since that answer the profile storage has migrated from SiteSecurityServiceState.txt to SiteSecurityServiceState.bin and you won't be able to delete individual lines. That option will require blowing away HSTS information for all domains.)

cch
New member

There was a time when FF was considered a developer-friendly browser.  Now it has morphed into a "nanny" browser.

Between the HSTS labyrinth and Zendesk's perpetually broken support for FF, I'm moving on after 13 years.

prettymuchlike
New member

This is unacceptable. I've used Firefox for 20 years.

I know it is a security risk. I don't care. Let me bypass HSTS on a case-by-case basis.

Don't make my permanently change security settings in `about:config` which I will inevitably forget about, leaving my browser permanently less secure.

Let me bypass HSTS on a case-by-case-basis.

 

BNF0
Strollin' around

If even Google/Microsoft are more user friendly than Firefox, then something has gone very wrong. The point of free software and the philosophy Mozilla is advocating is that I, as the user, control my software, not that the software controls me. Its perfectly fine that the browser protects me - but let me disable those protections on a granular basis if I know what I'm doing! Don't babysit your users!

To Mozilla: that's again one more step to antagonize your users, many of whom came from Chrome because they wanted more control and follow the free software philosophy. This whole thread here, together with the answers from @dveditz (especially the second answer, saying that Chrome doesn't support that feature!) made me quite angry. Please, please, give us a feature in about:config which we can activate and then bypass HSTS headers with a click (or a secret 'thisisunsafe' or something similar).

elsamha
New member

Many firefox users are power users, which can be argued that they understand the security implications already. I'd like still to have the option to bypass it using a flag or something maybe with a powerful disclaimer.

 

JustusSchaefer
New member

I can completely understand, that this is Standard behavior for HSTS.

But please make it an option to still be able accessing HSTS sites without a valid cert in about:config or something like that.

Many of our lab environments and some customers have a Server that has HSTS enabled by default and aren't able to implement let's encrypt or afford a proper certificate.

Or maybe a text file, where you can add all the sites where HSTS should be ignored, would be an option.

For now, I always have to open chrome, to being able accessing this websites.