I'm having MitM, and some stupid websites like Hacker News which have managed to install an HSTS policy prior to MitM can no longer be accessed from SeaMonkey/Firefox.

Without HSTS being installed, there's always an option to proceed anyways, but with HSTS, there's no more of any such option (so much for the browser being a User-Agent!).

How do I make my Firefox / SeaMonkey User-Agent ignore either all HSTS or the individual ones, or uninstall all/some of them, or any other way to access a site that has stopped working, without indiscriminately deleting all history/data of any such site?

cnst
  • Maybe this works (I'm not using FF): https://support.mozilla.org/de/questions/919498 – GiantTree Jun 01 '16 at 21:55
  • @GiantTree, no, that is not an option, because it also removes all cookies, passwords and the whole thing about the site – cnst Jun 01 '16 at 22:01
  • Well, you should also make sure the website in question does not have HSTS preload configurations set (meaning they are in a static list of HSTS-only sites). HSTS is made to mitigate exactly your setup: a MitM. I noticed in Chrome, even though you can delete HSTS entries from the DB, it doesn't care and still forces HSTS (like it's defined in its RFC, *enforce encryption*). – GiantTree Jun 01 '16 at 22:06
  • @GiantTree, well, I agree, and Chrome is certainly a great example of not being a *user's* agent; however, I don't believe hacker news is in any of these lists on my box. – cnst Jun 01 '16 at 22:19
  • Apparently, because of compliance with the RFC (secure cookies and confidentiality of user data), there is no way around wiping the site's records (cookies, localstorage etc). There are ways to trick the browser into thinking the directive is expired, but this again may require a cache wipe. – GiantTree Jun 01 '16 at 22:38

0 Answers