July 4 2024

How to view a site with an expired or invalid HTTPS certificate protected with HSTS

Google Chrome and the hidden “this is unsafe” feature to bypass the restrictions of sites with an invalid HTTPS certificate protected with HSTS.

What is HSTS and what guarantees does it offer to a modern Web Browser?

HTTP Strict Transport Security (HSTS) is a web security policy implemented by a website to protect communications between browsers and servers. When a website implements HSTS, it instructs the browser to only communicate via secure HTTPS connections for a specified period of time. This means that even if a user tries to access the site using an HTTP URL, the browser will automatically redirect them to an HTTPS connection. This policy, in addition to guaranteeing a secure connection, prevents various types of attacks that could compromise the integrity and confidentiality of the data transmitted.

The main guarantees that HSTS offers include:

  • Protection against downgrade attacks: Prevents an attacker from being able to force a browser to use an insecure HTTP connection, reducing the possibility of man-in-the-middle (MITM) attacks that could intercept and modify data transmitted between the browser and the server.
  • Communications integrity: Ensures that all communications between the browser and the server are encrypted and cannot be intercepted or altered, thus maintaining the confidentiality and integrity of the data.
  • Elimination of security warnings: Prevents the browser from showing security warnings regarding mixed content (HTTP and HTTPS) on the site, ensuring a safer user experience without interruptions caused by security warnings.

When a browser visits a site with an expired, invalid, or mismatched HTTPS certificate, HSTS plays a crucial role. Since HSTS forces the exclusive use of HTTPS, your browser will not allow you to proceed with an insecure connection. Instead of allowing users to add a security exception and still access the site, HSTS forces the browser to block access entirely, thus protecting the user from potential risks associated with using invalid certificates. This behavior is essential to maintaining a high level of security and trust, ensuring that communications remain protected at all times and reducing the possibility that unaware users could expose their data to external threats.

Application of the HSTS directive at second level domain level.

The HSTS policy can be applied at the second level domain level, which refers to the main name of the domain, such as “domainname.it”, as opposed to subdomains or third levels such as “shop.domainname.it” or “blog. domainname.it”. When HSTS is configured for a second-level domain, it can include the “includeSubDomains” directive, which automatically extends the security policy to all subdomains. This means that if HSTS is set with “includeSubDomains” for “domainname.it”, any subdomain such as “shop.domainname.it” or “blog.domainname.it” will inherit the same security rules, forcing HTTPS connections and protecting communications against downgrade attacks and MITM.

Using the “includeSubDomains” directive means that all subdomains are forced to follow the HSTS rules of the parent domain without the possibility of being excluded individually. This inheritance ensures that all parts of the site remain secure and that communications integrity is maintained across all sections of the domain, thus reducing the risk of potential vulnerabilities. For example, if an organization decides to add new services such as an online shop (“shop.domainname.it”) or a blog (“blog.domainname.it”), these services will also have to comply with the HSTS directive with “ includeSubDomains” already set for the main domain. This unified approach ensures consistent and robust protection across the entire domain, making security management easier and providing advanced protection for users.

How Chrome prevents you from viewing a site protected with HSTS by preventing you from continuing by adding an exception

Google Chrome is one of the most popular browsers and has a strong commitment to user safety. When a website is protected by HSTS, Chrome strictly enforces the security guidelines set by the site. If the HTTPS certificate is expired, invalid, or mismatched, Chrome will display an error page with the message “Your connection is not private” and the error code “NET::ERR_CERT_INVALID”.

connection-notprivate

Details of the protection offered by Chrome:

 

  • Blocking of alerts: Chrome does not allow you to ignore the security warning and add an exception for sites with HSTS. This ensures that users cannot accidentally access potentially dangerous sites. This mechanism is crucial for maintaining a high level of security, as it prevents the possibility of ignoring security warnings, which could expose the user to threats such as data theft or MITM attacks.
  • Forced redirect: Even if a user tries to access the site via HTTP, Chrome will automatically redirect the request to HTTPS. This behavior not only ensures that all communications remain secure, but also eliminates the possibility of accidental logins via insecure HTTP, overall improving the security of user sessions.
  • Fatal error: Once the browser has received the HSTS header from a site, there are no options to disable or override this behavior via the browser's user interface. This aspect of protection is particularly important because it makes compliance with HSTS security policies mandatory and non-bypassable, even by advanced users, ensuring that security measures remain in place until the period specified by the HSTS expires.

The need to see a site with expired or mismatched HTTPS certificate.

In website development and maintenance contexts, it is very common for professionals to have to access versions of the site with invalid HTTPS certificates. This need emerges in various situations that require the intervention of developers, web designers and IT technicians to ensure the correct functioning and integrity of web projects.

Here are some common situations:

  • Development and Testing: When developing new features, developers can work on staging environments with self-signed or expired certificates. These environments are essential for testing new implementations without affecting the production site.
  • Website migration: When migrating a site from one server to another, there may be transition periods where certificates have not yet been updated, causing you to need to access sites with temporarily invalid certificates.
  • Onboarding: New developers or members of the technical support team may need access to versions of the site with certificate issues to diagnose and resolve any anomalies, thus ensuring that the site functions correctly once the problems have been resolved.

In all these situations, the ability to temporarily ignore security warnings is crucial to ensuring business continuity without significant disruption. Ignoring these warnings in a controlled environment allows developers and engineers to do their jobs effectively, fixing issues and making necessary improvements without compromising the security of the production site.

How to bypass this restriction via the hidden “this is unsafe” directive in Google Chrome

Context and warnings

This procedure it was reported to us by Pierpaolo Pittari, after we encountered difficulties during staging and onboarding in viewing sites with expired SSL certificates that were subject to the HSTS Directive. After exhausting research, Pierpaolo communicated this functionality to us in the morning. It seemed more like an Easter egg than a real developer feature, but it turned out to be the solution that all developers will need at some point. Before describing how to bypass HSTS restriction in Chrome, it is important to point out that this procedure should be used with extreme caution. Ignoring security warnings can expose your system to potential security risks. This method should only be used in controlled environments and for legitimate purposes, such as those mentioned above.

Walkthrough

Google Chrome has a hidden feature that allows you to bypass the “Your connection is not private” warning for sites with invalid HTTPS certificates. This feature can be activated by typing a specific phrase on the error page.

Here are the detailed steps to use the “this is unsafe” directive:

  1. Accessing site with certificate error:
    • Open Google Chrome and try to access the site with the expired or invalid HTTPS certificate. You will see an error page with the message “Your connection is not private”.
  2. View the source code of the error page (optional):
    • While not necessary, you can view the source code of the error page to confirm the presence of the “this is unsafe” directive. Press Ctrl + U (o Cmd + U on Mac) to open the source code.
  3. Enable the hidden directive:
    • With the error page open, type “this is unsafe” (without quotes) directly on the keyboard. Note that there will not be a visible input field; simply type the sentence as if you were typing normally.
  4. Bypass the error:
    • After typing “this is unsafe”, Chrome will bypass the security warning and load the website despite the invalid HTTPS certificate.

This procedure takes advantage of a hidden Chrome feature designed primarily for development and debugging purposes. However, as reiterated above, the use of this feature should be limited to controlled situations to avoid potential security risks.

For those who want to see how it works in detail, we found this YouTube video online which illustrates the procedure described above very well.

Reference sources

The “this is unsafe” directive has been discussed in various online contexts, including industry blogs and discussion forums. Some useful references include:

These resources provide further details about the hidden directive and discuss the security implications of its use.

Conclusion

Implementing HSTS is a critical security measure to protect web communications, ensuring that all data transmitted between your browser and server is encrypted and cannot be intercepted or altered. This security policy is crucial to preventing man-in-the-middle (MITM) attacks and other threats by forcing the use of HTTPS connections and making access via HTTP impossible. HSTS thus offers robust and consistent protection for users, significantly improving the overall security of a website.

However, there are special situations in website development, maintenance and migration contexts where it may be necessary to temporarily bypass these restrictions to ensure continuity of work. For example, when developing new features, migrating websites, or onboarding new team members, developers and engineers may need to access site versions with expired or invalid HTTPS certificates. In these cases, the ability to temporarily ignore security warnings can be crucial to testing and troubleshooting without significant disruption.

Google Chrome offers a solution through the hidden “this is unsafe” directive, which allows you to bypass security warnings and access sites with invalid certificates. This feature, while extremely useful, should be used with extreme caution. Ignoring security warnings exposes your system to potential risks by allowing access to sites that may be vulnerable or compromised. Therefore, this procedure should only be employed in controlled environments and for legitimate purposes, such as those described, to avoid compromising system security.

Do you have doubts? Don't know where to start? Contact us!

We have all the answers to your questions to help you make the right choice.

Chat with us

Chat directly with our presales support.

0256569681

Contact us by phone during office hours 9:30 - 19:30

Contact us online

Open a request directly in the contact area.

INFORMATION

Managed Server Srl is a leading Italian player in providing advanced GNU/Linux system solutions oriented towards high performance. With a low-cost and predictable subscription model, we ensure that our customers have access to advanced technologies in hosting, dedicated servers and cloud services. In addition to this, we offer systems consultancy on Linux systems and specialized maintenance in DBMS, IT Security, Cloud and much more. We stand out for our expertise in hosting leading Open Source CMS such as WordPress, WooCommerce, Drupal, Prestashop, Joomla, OpenCart and Magento, supported by a high-level support and consultancy service suitable for Public Administration, SMEs and any size.

Red Hat, Inc. owns the rights to Red Hat®, RHEL®, RedHat Linux®, and CentOS®; AlmaLinux™ is a trademark of AlmaLinux OS Foundation; Rocky Linux® is a registered trademark of the Rocky Linux Foundation; SUSE® is a registered trademark of SUSE LLC; Canonical Ltd. owns the rights to Ubuntu®; Software in the Public Interest, Inc. holds the rights to Debian®; Linus Torvalds holds the rights to Linux®; FreeBSD® is a registered trademark of The FreeBSD Foundation; NetBSD® is a registered trademark of The NetBSD Foundation; OpenBSD® is a registered trademark of Theo de Raadt. Oracle Corporation owns the rights to Oracle®, MySQL®, and MyRocks®; Percona® is a registered trademark of Percona LLC; MariaDB® is a registered trademark of MariaDB Corporation Ab; REDIS® is a registered trademark of Redis Labs Ltd. F5 Networks, Inc. owns the rights to NGINX® and NGINX Plus®; Varnish® is a registered trademark of Varnish Software AB. Adobe Inc. holds the rights to Magento®; PrestaShop® is a registered trademark of PrestaShop SA; OpenCart® is a registered trademark of OpenCart Limited. Automattic Inc. owns the rights to WordPress®, WooCommerce®, and JetPack®; Open Source Matters, Inc. owns the rights to Joomla®; Dries Buytaert holds the rights to Drupal®. Amazon Web Services, Inc. holds the rights to AWS®; Google LLC holds the rights to Google Cloud™ and Chrome™; Microsoft Corporation holds the rights to Microsoft®, Azure®, and Internet Explorer®; Mozilla Foundation owns the rights to Firefox®. Apache® is a registered trademark of The Apache Software Foundation; PHP® is a registered trademark of the PHP Group. CloudFlare® is a registered trademark of Cloudflare, Inc.; NETSCOUT® is a registered trademark of NETSCOUT Systems Inc.; ElasticSearch®, LogStash®, and Kibana® are registered trademarks of Elastic NV Hetzner Online GmbH owns the rights to Hetzner®; OVHcloud is a registered trademark of OVH Groupe SAS; cPanel®, LLC owns the rights to cPanel®; Plesk® is a registered trademark of Plesk International GmbH; Facebook, Inc. owns the rights to Facebook®. This site is not affiliated, sponsored or otherwise associated with any of the entities mentioned above and does not represent any of these entities in any way. All rights to the brands and product names mentioned are the property of their respective copyright holders. Any other trademarks mentioned belong to their registrants. MANAGED SERVER® is a trademark registered at European level by MANAGED SERVER SRL, Via Enzo Ferrari, 9, 62012 Civitanova Marche (MC), Italy.

JUST A MOMENT !

Would you like to see how your WooCommerce runs on our systems without having to migrate anything? 

Enter the address of your WooCommerce site and you will get a navigable demonstration, without having to do absolutely anything and completely free.

No thanks, my customers prefer the slow site.
Back to top