KERR
Making moves
Status: New idea

Using this test website, Firefox offers no way to proceed past the HSTS error:

https://subdomain.preloaded-hsts.badssl.com/

[screenshot: KERR_2-1646179948211.png]

Vivaldi allows you to continue by clicking a "Proceed" button:

[screenshot: KERR_1-1646179771430.png]

Chrome and Edge allow you to proceed by typing "thisisunsafe":

[screenshot: KERR_0-1646179703168.png]

It would be handy to let us bypass these warnings (at our own risk), similar to how we can add exceptions to sites with invalid certs. It's not a common use case, but coming across one of these means my only option is to use Chrome/Edge/Vivaldi.

32 Comments
Archprogrammer
Strollin' around

This is also needed to work around bad design at times, like a NAS device with a web interface which, when its certificate has expired, still requires you to update it via that same web interface if you forgot to enable SSH access in the configuration.

Mis012
New member

I would like to point out that in the case of an otherwise correct certificate that expired less than 24 hours ago, there is absolutely no way an attacker would have access to that certificate.

Also, there is the sentence `The issue is most likely with the website, and there is nothing you can do to resolve it.`... I guess this is technically not a lie, but it's obvious that the user cannot resolve an issue with the server; the implicit question is whether the issue with the server can be worked around on the client, which it in fact can. Also, "The issue is most likely with the website" implies that you think it's actually UNLIKELY that this is actually a security threat, which makes it even more insulting when the user finds out that it in fact *IS* possible to work around this on the client.

Anyway, I believe there are two points that need to be understood:
1. there are legitimate reasons to want to bypass this (this is, notably, a non-negotiable FACT, just bringing up a single one is enough to prove that the number is non-zero)
2. it is a very bad security practice to force a user to completely disable a security measure instead of allowing as narrow an exception as possible (e.g. an about:config option "allowAddingHSTSExceptionsFor: [expired]", which will allow adding exceptions, which will be per-site and possibly only apply until the browser is closed when desired) (this is, notably, also a non-negotiable FACT)

As for the second point, someone brought up a firewall, and correct me if I'm wrong, but isn't the entire point of a firewall to allow for a more granular security policy than choosing between having everything on your system directly exposed to the internet and unplugging the ethernet cable? If there were a parallel between this and a firewall, it would be that Mozilla's stance is "If you don't want to be secure and have your system airgapped, there's always the option of connecting directly to the internet with no protection! We don't understand why anyone would want something in between."
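As an added illustration (not code from this thread, from Firefox or from any browser), the toy model below follows the user-agent rules of RFC 6797 that sit behind both situations raised in the thread: why the preloaded subdomain in the original post counts as a "Known HSTS Host" for which the spec requires terminating the connection with no click-through, and how a dynamic policy such as one a NAS web interface might set is only honoured when received over an error-free TLS connection and lapses once its max-age runs out. The header values, the `nas.example` host and the store contents are constructed for the example; the single preload entry mirrors the test host named in the post and is not the real preload list. The `preload_eligible` check states the header conditions hstspreload.org requires of a submission.

```python
"""Toy model of an HSTS-aware user agent (RFC 6797). Added example; all
hostnames, header values and the preload entry are constructed for
illustration and do not come from a browser or the real preload list."""
from dataclasses import dataclass

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the hstspreload.org minimum


@dataclass
class HstsPolicy:
    expires_at: float        # absolute time in seconds; None for preloaded entries
    include_subdomains: bool


def parse_sts_header(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age, include_subdomains, preload), or None when the header
    is invalid (no max-age, non-numeric max-age, or a repeated directive).
    Unknown directives are ignored, as RFC 6797 s6.1 requires.
    """
    max_age, include_sub, preload, seen = None, False, False, set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:              # a repeated directive makes the header invalid
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_sub, preload


def preload_eligible(value):
    """Header conditions the hstspreload.org submission form checks."""
    parsed = parse_sts_header(value)
    if parsed is None:
        return False
    max_age, include_sub, preload = parsed
    return max_age >= PRELOAD_MIN_MAX_AGE and include_sub and preload


class HstsStore:
    def __init__(self, preloaded=()):
        # preloaded entries never expire and carry their own includeSubDomains flag
        self.policies = {h: HstsPolicy(None, sub) for h, sub in preloaded}

    def note_header(self, host, value, now, tls_ok=True):
        """Record a dynamic policy from a response header.

        RFC 6797 s8.1: the header is only honoured when it arrived over a TLS
        connection without errors. max-age=0 tells the UA to forget the host.
        Preloaded entries are not altered by headers in this model.
        """
        parsed = parse_sts_header(value)
        if not tls_ok or parsed is None:
            return False
        existing = self.policies.get(host)
        if existing is not None and existing.expires_at is None:
            return False
        max_age, include_sub, _ = parsed
        if max_age == 0:
            self.policies.pop(host, None)
        else:
            self.policies[host] = HstsPolicy(now + max_age, include_sub)
        return True

    def is_known(self, host, now):
        """Exact match, or any parent domain whose policy has includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            if policy.expires_at is not None and policy.expires_at <= now:
                continue              # dynamic policy has lapsed
            if i == 0 or policy.include_subdomains:
                return True
        return False


def decide_on_cert_error(store, host, now):
    """RFC 6797 s12.1: on any certificate error for a Known HSTS Host the UA
    terminates the connection and offers no click-through; for any other host
    it may show the usual "add exception" override."""
    return "terminate" if store.is_known(host, now) else "override-permitted"
```

Running `decide_on_cert_error` against a store holding only the preload entry returns "terminate" for the subdomain test host and "override-permitted" for an unrelated host; a dynamic policy recorded with `note_header` flips the unrelated host to "terminate" until its max-age has passed.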