Wednesday, January 05, 2022

How to disable HTTP Strict Transport Security (HSTS) in Firefox (English)

In some network environment, when browsing some websites with Firefox like “Google Groups“ which enables HSTS, you may get the following error message...:

This Connection is Untrusted

You have asked Firefox to connect securely to groups.google.com, but we can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.

What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.

groups.google.com uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.

(Error code: sec_error_unknown_issuer)

Most likely this means this network is insecure and doing the man-in-the-middle attack. However what if I still want the connection to work?


https://gangmax.me/blog/2015/06/11/how-to-disable-http-strict-transport-security-hsts-in-firefox/

There is more below.

Ниже есть продолжение.

Before I will post solution from the blogpost above (solution still works at January 2022), I want to quote from the Mozilla support. This page is referenced in the blogpost above.
HSTS is problematic in that it incorrectly assumes that all users trust the default list of CAs and makes the adding of exceptions impossible even by advanced users.

For example, torproject.org is inaccessible on Firefox unless I am willing to trust DigiCert to never sign a fake certificate either by negligence or by court order of any country in witch they operate, thereby making every https: site ( not just torproject.org ) vulnerable to a MITM [man-in-the-middle] attack.

A user disabling CAs in the browser is not unreasonable given the ever growing list of CAs built into Firefox ( each one a potential point of failure ), the number of CAs that have been recently compromised and the very low standards required to obtain a certificate.

While I understand the desire to protect the average user who doesn't understand how certificates work and will click past warnings without reading them, this protection should not come at the expense of more security conscious users.

I would recommend an about:config setting that would allow the creation of exceptions by users who explicitly choose to do so.

https://support.mozilla.org/en-US/questions/942924
In the Mozilla support link there is also solution to this, but I will quote from the blogpost above.

1. Open the “about:config” page;

2. Right click menu “New -> Integer”, add an item named “test.currentTimeOffsetSeconds” and value “11491200”, confirm;

3. Now the connection should work.

https://gangmax.me/blog/2015/06/11/how-to-disable-http-strict-transport-security-hsts-in-firefox/


No comments:

Post a Comment