KERR
Making moves
Status: New idea

Using this test website, Firefox offers no way to proceed past the HSTS error:

https://subdomain.preloaded-hsts.badssl.com/

KERR_2-1646179948211.png


Vivaldi allows you to continue by clicking a proceed:

KERR_1-1646179771430.png


Chrome and Edge allow you to proceed by typing "thisisunsafe"

KERR_0-1646179703168.png

It would be handy to let us bypass these warnings (at our own risk), similar to how we can add exceptions to sites with invalid certs. It's not a common use case, but coming across one of these means my only option is to use Chrome/Edge/Vivaldi.

26 Comments
Sunita123
New member

dstuuyuy

BEEDELLROKEJULI
Making moves

If this can't be done on Firefox, users like me shall just use Chrome instead.

BEEDELLROKEJULI
Making moves

If users like me can't bypass this on Firefox, we'll just use Chrome instead.

Samual
New member

Any news on this?
Thanks.

ocdtrekkie
New member

The problem is that the HSTS spec is malicious by design: The "No User Recourse" provision is a violation of the implicit contract between a user and their web browser, that the browser is a "user agent" working on behalf of the user. Without a way to say "I know what I'm doing, load this website", the browser has decided to be controlled by the website, not by the user.

Arguably, the ideal case is someone should amend the HSTS spec to remove the malicious provision, but at minimum, Mozilla needs to stop being the literal only browser refusing to prioritize the user's rights over a server's demands. The fact *Google and Microsoft* are following users' rights better than Mozilla here is astounding.

cautionbug
Making moves

@ocdtrekkie I disagree. In this situation, the browser isn't controlled by the website, it's controlled by a failure to properly secure the connection. The website isn't saying, "Stop me from loading." Firefox is stepping in to protect the user. If you want to argue it's not the browser's job to automatically act on behalf of the user, turn off your firewall, antivirus, swap file, crash recovery, etc. because those all act automatically to protect the user.

TobiasSchn
New member

Mozilla is currently pushing away loyal users who have used Firefox for years,
many of them developers who NEED bypass options even if something
at the remote host is insecure. Therefore:

STOP FORCE-PATRONISING USERS ON INSECURE TLS CONNECTIONS!

ALLOW BYPASS, NOW !!!

Thanks.

Samual
New member

@cautionbug 

> If you want to argue it's not the browser's job to automatically act on behalf of the user, turn off your firewall, antivirus, swap file, crash recovery, etc.

Yes, that's the point. We can turn all those things off when needed. The same should apply to HSTS.

HstsLover
New member

Currently I'm trying to read a blog post, something that doesn't require the confidentiality provided by TLS, but I'm unable to because the server is on the preload list and is serving a certificate that expired A YEAR AGO. So now, instead of going about my business after acknowledging the expiration of the certificate, I have to jump through hoops by spinning up a proxy that intercepts Firefox's traffic and serves the website with a certificate created on the fly by a custom CA, even though I fully understand what TLS is and the "risks" associated with visiting a site with an expired certificate.

Btw, really smart: you can't add an exception with about:config for a single site because muh security, but installing a new CA for any site (which obviously keeps the padlock happy) is in about:preferences.
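To make concrete what the thread calls the "No User Recourse" rule and why a preloaded host behaves differently from a site with an ordinary bad certificate, here is an added example, written for this page and not code from the thread, from Firefox or from any other browser. It models the RFC 6797 rules a user agent applies: parsing a `Strict-Transport-Security` header, matching a hostname against cached and preloaded policies (including the superdomain match that `includeSubDomains` enables), and the resulting outcome when a TLS error occurs. The preload table is a constructed stand-in for a browser's built-in list, and the `navigation_outcome` labels are this example's own names.

```python
"""Minimal model of RFC 6797 (HSTS) decisions a browser makes.

Added example for illustration only; not browser code. The preload table
below is constructed for the demo and stands in for the built-in list.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsPolicy:
    host: str
    max_age: int
    include_subdomains: bool
    preload: bool = False  # the 'preload' directive is only a request for list inclusion


def parse_sts_header(host: str, value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Returns None when the header is invalid: no max-age, a non-numeric
    max-age, or a directive repeated more than once.
    """
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in seen:
            return None                      # duplicates invalidate the whole header
        seen.add(name)
        if name == "max-age":
            raw = raw.strip().strip('"')     # quoted-string form is allowed
            if not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored per the RFC
    if max_age is None:
        return None
    return HstsPolicy(host.lower(), max_age, include_subdomains, preload)


class HstsStore:
    """Known-HSTS-host store: a static preload table plus dynamically learned policies."""

    def __init__(self, preload: Dict[str, HstsPolicy]):
        self.preload = preload
        self.dynamic: Dict[str, HstsPolicy] = {}

    def learn(self, host: str, header: str) -> None:
        """Record a policy from a response received over a validated TLS connection.
        A max-age of 0 tells the UA to forget the host (RFC 6797 section 8.1)."""
        policy = parse_sts_header(host, header)
        if policy is None:
            return
        if policy.max_age == 0:
            self.dynamic.pop(policy.host, None)
        else:
            self.dynamic[policy.host] = policy

    def is_known_host(self, host: str) -> bool:
        """Exact match, or a superdomain match when that entry set includeSubDomains
        (RFC 6797 sections 8.2 and 8.3)."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            for table in (self.preload, self.dynamic):
                policy = table.get(candidate)
                if policy is not None and (i == 0 or policy.include_subdomains):
                    return True
        return False


def navigation_outcome(store: HstsStore, host: str, scheme: str,
                       tls_error: Optional[str] = None) -> str:
    """Outcome labels are this example's own: an HSTS host with a TLS error is a hard
    stop (RFC 6797 sections 8.4 and 12.1), any other host gets the usual interstitial."""
    known = store.is_known_host(host)
    if scheme == "http" and known:
        return "upgrade-to-https"
    if tls_error is None:
        return "proceed"
    if known:
        return "hard-fail-no-recourse"
    return "interstitial-with-override"


# Constructed preload entry: covers the test site's subdomain via includeSubDomains.
DEMO_STORE = HstsStore({
    "preloaded-hsts.badssl.com": HstsPolicy("preloaded-hsts.badssl.com", 31536000, True, True),
})

if __name__ == "__main__":
    for host, err in [("subdomain.preloaded-hsts.badssl.com", "certificate-expired"),
                      ("plain.example.test", "certificate-expired")]:
        print(host, "->", navigation_outcome(DEMO_STORE, host, "https", err))
```

The two branches at the end of `navigation_outcome` are the whole disagreement in this thread: for a non-HSTS host the browser shows an error page with an override, while for a host that matches a preloaded or cached policy the specification directs the user agent to terminate the connection with no override offered. Note also that the `preload` directive in a header does nothing by itself; only the built-in list (the `preload` table here) makes a host known to a browser that has never visited it.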