cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
KERR
Making moves
Status: New idea

Using this test website, Firefox offers no way to proceed past the HSTS error:

https://subdomain.preloaded-hsts.badssl.com/

KERR_2-1646179948211.png

 

Vivaldi allows you to continue by clicking a proceed:

KERR_1-1646179771430.png

 

Chrome and Edge allow you to proceed by typing "thisisunsafe"

KERR_0-1646179703168.png

It would be handy to let us bypass these warnings (at our own risk), similar to how we can add exceptions to sites with invalid certs. It's not a common use case, but coming across one of these means my only option is to use Chrome/Edge/Vivaldi.

52 Comments
dveditz
Employee
Employee

Chrome and Edge do not allow you to bypass this error. Like Firefox they are following the HSTS specification that explicitly disallows this. If you were able to reach a site with a valid cert in the past and it enabled HSTS then an invalid cert is almost certainly a MITM. This must be a change Vivaldi made to the base chromium.

If you dig in the guts of Firefox you could disable the preload list with a pref change, and when Firefox is not running you could delete individual sites from the text file in your profile that stores the HSTS state. Neither option is recommended or safe, but it's possible "at [y]our own risk" as you asked.

SirMangler
New member

Please disregard dveditz's post. 'thisisunsafe'/'badidea' does exist to bypass HSTS errors on both Google Chrome and Microsoft Edge as you can learn from a quick Google search or by trying yourself.

This is still a wanted feature. A common use-case for this would be the Xbox devkit dashboard. As a developer I require a non-firefox browser to work on and this feature (or a similar workaround) would address one of the remaining requirements for me to exclusively use firefox. Thanks!

dveditz
Employee
Employee

I was specifically referring to a UI button to bypass the error as in the original poster's Vivaldi example. If you want secret incantations, there are some unsafe ways to use Firefox preferences.

firefox1337
New member

Hello @dveditz,

Would you please share them ?

We are ultimately looking for a simple bypass when we actually know what we are doing.

It's a real pain to have to deal with multiple options in about:config (which might not even work..) when you have so simple things existing in other brothers.

 

Respectfully,

dveditz
Employee
Employee

I don't know anything about connecting to an xbox dev console so I don't know the source of the problem: the solution depends on why Firefox thinks the site has HSTS.

1. Site-served HSTS
Normally, if you've never encountered a host and it serves an invalid certificate you can bypass the certificate error with no problems. Firefox has to get past the TLS certificate error before it can see the Strict-transport-security HTTP header. If you've visited the site successfully in the past and you get an error, the site certificate has been replaced with an invalid cert. This is extremely suspicious when the site has explicitly told us it will always use a valid cert.

In this situation you can use Firefox history to "Forget this site" and that will clear the HSTS setting so you can start over. If "Forget this site" seems painful because you have data saved for this site you should seriously consider NOT bypassing HSTS. Get a second opinion on why you might be getting this error when you didn't before -- it could be an attack.

Alternately, you can munge around in your profile (with firefox not running) and edit or delete the site security settings file. If Firefox is running it might overwrite your changes, and in any case it won't read your changes until it restarts. Both options are described at https://www.thesslstore.com/blog/clear-hsts-settings-chrome-firefox/

If the site has HSTS because a parent domain has used "include subdomains" you will have to do the above to the parent domain instead. Basically, try the History method on the original site, and if that doesn't work try the "edit the file" method and you'll probably find it's actually a parent domain.

If you use the "containers" feature hosts might show up in the security settings file multiple times.

2. "Pre-loaded" HSTS
If the host or its parent is not in your profile settings then it must be a "pre-loaded" domain. The only fix for that is to turn off enforcement of preloaded HSTS using the pref "network.stricttransportsecurity.preloadlist" . You don't need to restart Firefox for that to work if you change it in about:config.

Turning off the preload list does not turn off the HSTS feature. If you visit a site that serves an HSTS header you will still have to use one of the first methods to clear it

shalva
Making moves

Come on. Why make it so hard? What if people just want to use proxy. You know there is Charles, there is MITM Proxy and so many more.

This is just terible UX not a security feature

firefox1337
New member

I think we just have to admit they just don't want to implement anything in the "sake" of security..

The "thisisunsafe" feature of Chrome is good. If you need to dev or do admin stuff; sadly, just consider using something else than Firefox.

Anyway, thank you @dveditz for you previous answer! I knew those things but like, I guess, many of us, we were looking for something easier and quicker that would jeopardize the whole security of the browser.

shalva
Making moves

I have some predictions for this. First there was no encription, then encription and now encription that can not be turned off. I believe next would be AUOUB(Automatic uninstallation of unsecure browsers), just think about it guys, if you have 200 IQ you will know that you can not call a browser secure if it allows you to access websites insecurely via other browsers. Therefore Firefox is very insecure, I can just run Chrome with flag `--ignore-certificate-errors` and can do anything.

Now back to AUOUB standard, I predict there will be a possibility to disable it only if 2 conditions are met: 1. User is not cared or loved by any gods. 2. User knows how encription works and can do it by hand.

For the first condition, user should test all gods which are documented on Wikipedia. Other gods can be skipped, I mean, imagine being god and not be on Wikipedia, how weak it would be. There are about 4.2K gods, one by one they should be checked. Once first condition is confirmed then user should encrypt and decrypt at least one request, min 1 MiB, and it should be checked if it is correct.

Regarding technical details, it will be a ChatGTP like AI, which already know all about gods and encription. It will materialize from users' monitors, go thru polarizing filter and appear as an anime waifu. She will guide the user through all the rituals neccecary for confirming that user is not cared or loved by any gods. Then she will provide the user with data to encrypt  and decrypt by hand on a paper in order to confirm the user know how encription works. Only then AUOUB will be disabled.

These are my predictions, I might have missed something or you might think Im crazy but by 2050 this will be everyday occurrence, a common sense.

jccasanas
New member

this error is just pushing everyone to stop using firefox as a primary broswer , actuall I will uninstall it and use other several broswer that aren't that picky! , same thing is happeing to some apps usen many annoying control to log ing, that should be left to the user choice

UInIQ
New member

Or, and I'm just going out on a limb here, Mozilla recklessly assumes that we, as developers, are capable of undertaking a minor nuisance process (that doesn't need to happen every time you visit the site or anything) because:

A. we're bloody developers, and

B. we make up the VAST minority of users, as compared to those civilians who fall in a range of innocently-ignorant to abjectly-asinine to supremely-stupid (and AS developers, you know precisely who I'm speaking of and where your example(s) lie within that range), and it's the bozos like that who, upon learning of such technical incantations, simply apply them like a Dark Ages farmer did a lucky protective charm.

Disagree with me? Hop onto StackOverflow and search "thisisunsafe". Take a look at how often that advice is given as a "fix" to a problem in which is most certainly IS NOT. Good UI/UX is epitomized by "don't make me think", and "keep the number of steps to my goal as few as possible." It can be argued, therefore, that by making these bypasses necessitate thought and several steps that they, while being bad UX for developer-minority are GREAT UX (albeit, a negative pattern) for the user-majority. Hell, the most critical of all design principles is that one designs for their target demo, NOT themselves.

Sunita123
New member

dstuuyuy

BEEDELLROKEJULI
Making moves

If this can't be done on Firefox, users like me shall just use Chrome instead.

BEEDELLROKEJULI
Making moves

If users like me can't bypass this on Firefox, we'll just use Chrome instead.

BEEDELLROKEJULI
Making moves
Samual
New member

Any news on this?
Thanks.