Mozilla Connect

This is also needed to work around bad design at times - like a NAS device with a web interface which when its certificate has expired still requires you to update it via that same web interface if you forgot to enable SSH access in the configuration.

I would like to point out that in the case of an otherwise correct certificate that expired less than 24 hours ago, there is absolutely no way an attacker would have access to that certificate.

Also, there is the sentence `The issue is most likely with the website, and there is nothing you can do to resolve it.`... I guess this is technically not a lie, but it's obvious that the user cannot resolve an issue with the server, the implicit question is whether the issue with the server can be worked around on the client, which it in fact can. Also, "The issue is most likely with the website" implies that you think it's actually UNLIKELY that this is actually a security threat, which makes it ever more insulting when the user finds out that it in fact *IS* possible to work around this on the client.

Anyway, I believe there are two points that need to be understood:
1. there are legitimate reasons to want to bypass this (this is, notably, a non-negotiable FACT, just bringing up a single one is enough to prove that the number is non-zero)
2. it is a very bad security practice to force a user to completely disable a security measure instead of allowing as narrow of an exception as possible (e.g an about:config having an option "allowAddingHSTSExceptionsFor: [expired]", which will allow adding exceptions, which will be per-site and possibly only apply until the browser is closed when desired) (this is, notably, also a non-negotiable FACT)

As for the second point, someone brought up a firewall, and correct me if I'm wrong, but isn't the entire point of a firewall to allow for a more granular security policy than choosing between having everything on your system directly exposed to the internet and unplugging the ethernet cable? If there was to be a parallel between this and firewall, it would be that Mozilla's stance is "If you don't want to be secure and have your system airgapped, there's always the option of connecting directly to the internet with no protection! We don't understand why anyone would want something in between"

Go to History -> Show All History

Select any link from the history which has this domain

Right click, select "Forget about this site..."

Click "Forget"

Done. You can now browse to a site that was throwing up HSTS errors.

Bypassing HSTS (HTTP Strict Transport Security) errors in Firefox is generally not recommended as it can compromise your security by allowing connections to potentially insecure sites. HSTS is a security mechanism that forces browsers to interact with websites only over HTTPS, thus protecting against certain types of attacks, such as man-in-the-middle attacks.
However, if you absolutely need to bypass an HSTS error for a specific site (e.g., for development purposes), you can do so by following these steps:

1. Clear HSTS Settings for a Specific Site:
- Type `about:preferences#privacy` in the Firefox address bar and press Enter.
- Scroll down to the "Cookies and Site Data" section and click on "Manage Data…".
- In the search bar, type the domain of the site causing the HSTS error.
- Select the site from the list and click "Remove Selected".
- Click "Save Changes" and then "Remove" to confirm.
- Close and reopen Firefox, then try accessing the site again.

2. Temporary Bypass Using Developer Tools:
- Open the site that triggers the HSTS error.
- Open the Developer Tools by pressing `Ctrl+Shift+I` (or `Cmd+Option+I` on Mac).
- Go to the "Security" tab.
- You'll see a warning related to HSTS. While you can't directly bypass HSTS from here, understanding the security issue can help you address the root cause, such as updating the SSL certificate.

3. Modify Firefox Configuration (Advanced Users Only):
- Type `about:config` in the Firefox address bar and press Enter.
- Click "Accept the Risk and Continue" to proceed.
- In the search bar, type `hsts`.
- Look for the preference named `network.stricttransportsecurity.preloadlist` and double-click it to set its value to `false`. This disables the preload list, which is generally not recommended.
- Restart Firefox.

Read More Information : https://www.cheapsslshop.com/blog/top-ways-to-fix-ssl-certificate-error

@lamasp @Lisha These actually are not solutions, because they only work for sites using the HSTS preload list. Nothing helps if the HSTS header is provided by the server.

@Lisha... none of which are actual solutions to our problem. These solutions only work if the site is already in the HSTS list, and not actively sending a HSTS header while accessing the site (and then not providing correct encryption). The latter is a common case in development, and the default behavior if a certificate becomes invalid. What would be a solution is if Firefox finally allowed us to bypass this message, similar to what Chrome and Edge are already long doing (without having to disable the whole HSTS feature).

still waiting for the add exception/continue at your own risk button

I need a temp bypass solution in FF for the Peplink InTouch feature. Why has this not been implemented yet?