How can I bypass security HSTS certificate check?
I'm trying to connect to a website which uses HSTS, and has an expired certificate.
I would like Firefox to let me add an exception, even temporarily, in order to be able to use that website, even in an insecure way, because I only care about what is written on this website, and I utterly don't care if someone catches anything from my visit there - it's a games wiki site, not a banking site, nor a terrorist hideout, or bomb-making den, or whatever, so I really do NOT need security going there.
I deeply resent Firefox preventing me, the user, from telling it to accept it anyway and proceed. I tried adding the certificate manually to the server, in the certificates window, but, as it is expired, it didn't work. I would like Firefox to let people choose what to accept, or what NOT to accept, instead of making the choice for them...
So... is there some way to circumvent this for THIS site only? Because I read about a test.currentTimeOffsetSeconds setting in about:config, but I fear it would be used for all certificates, and, thus, keep accepting other expired certificates too, which I absolutely do NOT want.
I find it distressing to have to turn to another browser for such a simple thing.
All Replies (4)
I don't think there is any built-in feature for this.
Why would a site that requires HTTPS allow its certificate to expire?!
In some cases, the site only sets HSTS for some portions of the site and you do not need to access those portions right away. In those cases, clearing Firefox's record of HSTS headers could allow you to make a temporary exception when you visit a section of the site that doesn't serve that header. This thread addressed that issue: https://support.mozilla.org/questions/1126812.
Well, the website is https://www.gnomoriawiki.com/, and I highly suspect it has to do with the "Let's Encrypt!" initiative.
The idea being to drown government-sponsored cypher-breaking capabilities under a lot of useless noise, to mask the interesting traffic, it would make sense, if you support this, to make people use HTTPS, even for something this benign.
Maybe because I've never connected to the server before, I do get an "Add Exception" button. Firefox doesn't honor HSTS unless it is sent over HTTPS, so perhaps that explains the difference.
Thanks, I surgically removed the "gnomoriawiki.com:HSTS" (and a bit more stuff on the line) from the SiteSecurityServiceState.txt file, started Firefox again, and then it allowed me to add an exception, just like you said.
I still think it's counter-intuitive, and bad UI, but I'm glad you could provide me with this workaround.
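Added example, not part of the thread and not Firefox's code: a simplified JavaScript model of the RFC 6797 rules behind the behaviour discussed above, showing why a browser with a stored HSTS entry refuses a certificate exception while one that first meets the site with the certificate already expired still offers it. The function names, the in-memory `store` and the host `wiki.example` are assumptions made for illustration.

```javascript
// Simplified RFC 6797 bookkeeping; an illustration, not Firefox's implementation.
// Parse a Strict-Transport-Security value; returns null if invalid (RFC 6797 6.1).
function parseSTS(value) {
  const seen = new Map();
  for (const part of value.split(';')) {
    const d = part.trim();
    if (d === '') continue;
    const eq = d.indexOf('=');
    const name = (eq < 0 ? d : d.slice(0, eq)).trim().toLowerCase();
    if (seen.has(name)) return null;              // a directive may appear only once
    seen.set(name, eq < 0 ? '' : d.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1'));
  }
  const maxAge = seen.get('max-age');
  if (maxAge === undefined || !/^\d+$/.test(maxAge)) return null; // max-age is required
  return { maxAge: Number(maxAge), includeSubDomains: seen.has('includesubdomains') };
}

// Record a policy only when the response came over TLS with no certificate errors.
function noteResponse(store, host, conn, headerValue, nowSec) {
  if (!conn.secure || conn.certError) return false; // header ignored (RFC 6797 8.1)
  const policy = parseSTS(headerValue);
  if (!policy) return false;
  const key = host.toLowerCase();
  if (policy.maxAge === 0) { store.delete(key); return true; } // max-age=0 drops the entry
  store.set(key, { expires: nowSec + policy.maxAge, includeSubDomains: policy.includeSubDomains });
  return true;
}

// True if host, or a parent domain with includeSubDomains, has an unexpired entry.
function isKnownHSTSHost(store, host, nowSec) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    const entry = store.get(labels.slice(i).join('.'));
    if (entry && entry.expires > nowSec && (i === 0 || entry.includeSubDomains)) return true;
  }
  return false;
}

// For a known HSTS host a certificate error is fatal, with no user override (RFC 6797 12.1).
function mayOfferException(store, host, nowSec) {
  return !isKnownHSTSHost(store, host, nowSec);
}

// Constructed scenario; wiki.example stands in for the site discussed in the thread.
const store = new Map();
const HEADER = 'max-age=31536000; includeSubDomains';
// First contact while the certificate is already expired: nothing is stored.
const firstVisit = noteResponse(store, 'wiki.example', { secure: true, certError: true }, HEADER, 1000);
const exceptionBefore = mayOfferException(store, 'wiki.example', 1000);
// A visit made while the certificate was still valid records the policy.
noteResponse(store, 'wiki.example', { secure: true, certError: false }, HEADER, 1000);
const exceptionAfter = mayOfferException(store, 'wiki.example', 2000);
```

Here `exceptionBefore` is `true` and `exceptionAfter` is `false`; the stored entry also lapses on its own once `max-age` seconds have passed since it was last refreshed.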