KERR
Making moves
Status: New idea

Using this test website, Firefox offers no way to proceed past the HSTS error:

https://subdomain.preloaded-hsts.badssl.com/

KERR_2-1646179948211.png

Vivaldi allows you to continue by clicking a proceed:

KERR_1-1646179771430.png

Chrome and Edge allow you to proceed by typing "thisisunsafe"

KERR_0-1646179703168.png

It would be handy to let us bypass these warnings (at our own risk), similar to how we can add exceptions to sites with invalid certs. It's not a common use case, but coming across one of these means my only option is to use Chrome/Edge/Vivaldi.

5 Comments
dveditz
Employee

Chrome and Edge do not allow you to bypass this error. Like Firefox they are following the HSTS specification that explicitly disallows this. If you were able to reach a site with a valid cert in the past and it enabled HSTS then an invalid cert is almost certainly a MITM. This must be a change Vivaldi made to the base chromium.

If you dig in the guts of Firefox you could disable the preload list with a pref change, and when Firefox is not running you could delete individual sites from the text file in your profile that stores the HSTS state. Neither option is recommended or safe, but it's possible "at [y]our own risk" as you asked.

SirMangler
New member

Please disregard dveditz's post. 'thisisunsafe'/'badidea' does exist to bypass HSTS errors on both Google Chrome and Microsoft Edge as you can learn from a quick Google search or by trying yourself.

This is still a wanted feature. A common use-case for this would be the Xbox devkit dashboard. As a developer I require a non-firefox browser to work on and this feature (or a similar workaround) would address one of the remaining requirements for me to exclusively use firefox. Thanks!

dveditz
Employee

I was specifically referring to a UI button to bypass the error as in the original poster's Vivaldi example. If you want secret incantations, there are some unsafe ways to use Firefox preferences.

firefox1337
New member

Hello @dveditz,

Would you please share them?

We are ultimately looking for a simple bypass when we actually know what we are doing.

It's a real pain to have to deal with multiple options in about:config (which might not even work...) when you have such simple things existing in other browsers.

Respectfully,

dveditz
Employee

I don't know anything about connecting to an xbox dev console so I don't know the source of the problem: the solution depends on why Firefox thinks the site has HSTS.

1. Site-served HSTS
Normally, if you've never encountered a host and it serves an invalid certificate you can bypass the certificate error with no problems. Firefox has to get past the TLS certificate error before it can see the Strict-Transport-Security HTTP header. If you've visited the site successfully in the past and you get an error, the site certificate has been replaced with an invalid cert. This is extremely suspicious when the site has explicitly told us it will always use a valid cert.

In this situation you can use Firefox history to "Forget this site" and that will clear the HSTS setting so you can start over. If "Forget this site" seems painful because you have data saved for this site you should seriously consider NOT bypassing HSTS. Get a second opinion on why you might be getting this error when you didn't before -- it could be an attack.

Alternately, you can munge around in your profile (with Firefox not running) and edit or delete the site security settings file. If Firefox is running it might overwrite your changes, and in any case it won't read your changes until it restarts. Both options are described at https://www.thesslstore.com/blog/clear-hsts-settings-chrome-firefox/

If the site has HSTS because a parent domain has used "include subdomains" you will have to do the above to the parent domain instead. Basically, try the History method on the original site, and if that doesn't work try the "edit the file" method and you'll probably find it's actually a parent domain.

If you use the "containers" feature hosts might show up in the security settings file multiple times.

2. "Pre-loaded" HSTS
If the host or its parent is not in your profile settings then it must be a "pre-loaded" domain. The only fix for that is to turn off enforcement of preloaded HSTS using the pref "network.stricttransportsecurity.preloadlist". You don't need to restart Firefox for that to work if you change it in about:config.

Turning off the preload list does not turn off the HSTS feature. If you visit a site that serves an HSTS header you will still have to use one of the first methods to clear it.
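The two situations dveditz distinguishes (an entry learned from a Strict-Transport-Security header on a successful connection, possibly inherited from a parent domain via includeSubDomains, versus a static preload list whose enforcement can be switched off) can be modelled in a few dozen lines. The following is an added example, not code from this thread and not Firefox's implementation: the header parsing follows RFC 6797, but the in-memory store, the `forget_site` helper, the `enforce_preload` flag (standing in for the effect of the `network.stricttransportsecurity.preloadlist` pref) and all host names and preload entries are constructed for illustration.

```python
"""Simplified model of how a browser decides that a host is under HSTS.

Added example, not Firefox code. Two sources are modelled, as described in
the thread: (1) dynamic entries learned from a Strict-Transport-Security
header seen over a valid TLS connection, each with an expiry and an
includeSubDomains flag; (2) a static preload list whose enforcement can be
switched off. Store layout, host names and preload entries are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsEntry:
    expires_at: float         # absolute time (seconds); ignored once in the past
    include_subdomains: bool  # a parent entry with this flag covers every label below it


def parse_sts_header(value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Returns {'max_age', 'include_subdomains', 'preload'} or None when the
    header is malformed: max-age is required and may appear only once.
    """
    max_age, include_sub, preload = None, False, False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", arg):
                return None  # duplicate or non-numeric max-age: reject the header
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub, "preload": preload}


def record_header(store: Dict[str, HstsEntry], host: str, header: str, now: float) -> bool:
    """Update the dynamic store from a header seen over a *valid* connection.

    max-age=0 removes the entry (how a site withdraws HSTS). Returns True if
    the store changed.
    """
    parsed = parse_sts_header(header)
    if parsed is None:
        return False
    host = host.lower().rstrip(".")
    if parsed["max_age"] == 0:
        return store.pop(host, None) is not None
    store[host] = HstsEntry(now + parsed["max_age"], parsed["include_subdomains"])
    return True


def forget_site(store: Dict[str, HstsEntry], host: str) -> None:
    """Model of 'Forget this site': drops only the exact host's own entry."""
    store.pop(host.lower().rstrip("."), None)


def hsts_source(store: Dict[str, HstsEntry], preload: Dict[str, bool], host: str,
                now: float, enforce_preload: bool = True) -> Optional[str]:
    """Return why `host` is HSTS-protected ('dynamic:<domain>' or
    'preload:<domain>'), or None. Walks from the host up through its parent
    domains: a parent with includeSubDomains covers the child even after the
    child's own entry has been forgotten."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate, exact = ".".join(labels[i:]), (i == 0)
        entry = store.get(candidate)
        if entry and entry.expires_at > now and (exact or entry.include_subdomains):
            return f"dynamic:{candidate}"
        if enforce_preload and candidate in preload and (exact or preload[candidate]):
            return f"preload:{candidate}"
    return None


def demo() -> dict:
    """Walk through the thread's two situations with constructed data."""
    now, store, results = 1_000_000.0, {}, {}
    preload = {"preloaded-parent.test": True}  # constructed preload list: domain -> includeSubDomains
    # 1. Site-served HSTS on the host itself; 'Forget this site' clears it.
    record_header(store, "app.example.test", "max-age=31536000", now)
    results["site_served"] = hsts_source(store, preload, "app.example.test", now)
    forget_site(store, "app.example.test")
    results["after_forget"] = hsts_source(store, preload, "app.example.test", now)
    # Parent with includeSubDomains: forgetting the child alone changes nothing.
    record_header(store, "example.test", "max-age=300; includeSubDomains", now)
    results["child_via_parent"] = hsts_source(store, preload, "app.example.test", now)
    forget_site(store, "app.example.test")
    results["child_after_forget"] = hsts_source(store, preload, "app.example.test", now)
    results["parent_expired"] = hsts_source(store, preload, "app.example.test", now + 301)
    # 2. Preloaded HSTS: nothing in the profile store, only the static list applies.
    results["preloaded"] = hsts_source(store, preload, "dev.preloaded-parent.test", now)
    results["preload_off"] = hsts_source(store, preload, "dev.preloaded-parent.test", now, False)
    # Disabling the preload list does not disable dynamic entries.
    record_header(store, "dev.preloaded-parent.test", "max-age=600", now)
    results["preload_off_dynamic"] = hsts_source(store, preload, "dev.preloaded-parent.test", now, False)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} {value}")
```

The `child_after_forget` case is the one the thread warns about: the host's own entry is gone, yet `hsts_source` still reports `dynamic:example.test`, so the user has to act on the parent domain. Likewise `preload_off_dynamic` shows that turning off preload enforcement leaves header-learned entries untouched.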