
I am running Chrome 103.0.5060.66 and intentionally MITM'ing myself with Fiddler Proxy. It works on websites not using HSTS, but breaks on HSTS sites. How can I tell Chrome to ignore HSTS? Example of a website using HSTS: https://www.century21.pt/ - example website *not* using HSTS: https://example.org - related question: how to ignore HSTS on Firefox?


hanshenrik
  • Clear the browser cache, then all HSTS pinnings are deleted. Afterwards make sure HSTS headers are stripped from the communication. AFAIR Fiddler does this by default, not sure about Mitmproxy. – Robert Jul 06 '22 at 16:28
  • Try typing `thisisunsafe` or `IknowwhatI'mdoing` while browsing that page. The page at that point should reload and the website is displayed. There is no way to NOT get that error website since the host is configured for HSTS. This has in the past worked as recently as 1 year ago. [The string has also changed over the years.](https://www.reddit.com/r/sysadmin/comments/swarsy/did_you_know_that_you_can_type_this_is_unsafe_in/) – Ramhound Jul 06 '22 at 16:28
  • You can determine the current phrase by looking at the source code [here](https://chromium.googlesource.com/chromium/src/+/refs/heads/main/components/security_interstitials/core/browser/resources/interstitial_large.js#19). I am unable to look at the source code myself. – Ramhound Jul 06 '22 at 16:32
  • Does this answer your question? [How to configure Chrome to ignore SSL warning on specific URLs?](https://superuser.com/questions/930329/how-to-configure-chrome-to-ignore-ssl-warning-on-specific-urls) – Ramhound Jul 06 '22 at 16:34
  • @Ramhound damn you're right! "thisisunsafe" lets me in! You should add that as an answer – hanshenrik Jul 07 '22 at 19:29
  • @hanshenrik - There is already an existing question with an answer that suggests that solution. I try to avoid submitting a new answer when one already exists. – Ramhound Jul 07 '22 at 21:07
  • @Ramhound well I'm not convinced that "how to ignore HSTS *ERRORS*" is a duplicate of "how to ignore SSL *WARNINGS*", even though the solution is the same, and they're definitely related questions =/ – hanshenrik Jul 07 '22 at 21:08
  • It's about the answer, not the question. If the answer answers your question, then it's a duplicate – Ramhound Jul 07 '22 at 21:10

1 Answer


Per RFC 6797, a browser that has a compliant implementation of HSTS must not allow the feature to be disabled or bypassed. Section 12.1 "No User Recourse" covers this topic:

> 12.1. No User Recourse
>
> Failing secure connection establishment on any warnings or errors (per Section 8.4 ("Errors in Secure Transport Establishment")) should be done with "no user recourse". This means that the user should not be presented with a dialog giving her the option to proceed. Rather, it should be treated similarly to a server error where there is nothing further the user can do with respect to interacting with the target web application, other than wait and retry.
>
> Essentially, "any warnings or errors" means anything that would cause the UA implementation to announce to the user that something is not entirely correct with the connection establishment.
>
> Not doing this, i.e., allowing user recourse such as "clicking through warning/error dialogs", is a recipe for a man-in-the-middle attack. If a web application issues an HSTS Policy, then it is implicitly opting into the "no user recourse" approach, whereby all certificate errors or warnings cause a connection termination, with no chance to "fool" users into making the wrong decision and compromising themselves.

Now of course, there is no requirement that a browser's developers fully conform to the RFC specification, such as the "interstitial bypass keyword" in Ramhound's link, but the implementation may be unreliable and subject to change without notification, as some users on that link pointed out.

Frank Thomas
  • That explains why, it seems, older versions of Firefox had a `security.mixed_content.use_hstsc=false` setting to ignore HSTS, but modern versions of Firefox don't (AFAIK) – hanshenrik Jul 06 '22 at 16:42
  • Indeed, though it appears that Mixed Content Usage for HSTS is addressed, but not fully defined in the RFC under section 12.4. https://datatracker.ietf.org/doc/html/rfc6797#section-12.4 – Frank Thomas Jul 06 '22 at 16:58
  • Dang, turns out Chrome does implement a bypass for this prompt, despite RFC 6797. For more info see the comment on the top post =/ – hanshenrik Jul 07 '22 at 21:10
  • It says `giving her the option to proceed`, meaning it is a limitation only for females, but I'm a white male with a girlfriend, it should show me a dialog giving me the option to proceed! – George Shalvashvili Jul 01 '23 at 15:44
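The RFC 6797 behaviour the answer quotes, written out as a small model of what a user agent does with it. This is an added example, not code from the question, the answer, or Chrome itself: it parses a `Strict-Transport-Security` header (section 6.1), keeps a cache of Known HSTS Hosts (sections 8.1 and 8.3, including the rule that the header is ignored unless it arrived over an error-free TLS connection), and then applies section 12.1 to a certificate error, terminating on a known host and leaving the bypassable interstitial for everyone else. It also shows why Robert's "clear the browser cache" comment changes the outcome. All hostnames, header values and timestamps are constructed for the demo and are not what any real site sends; `HstsStore`, `on_certificate_error` and the other names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class HstsPolicy:
    """Directives of one Strict-Transport-Security header (RFC 6797 section 6.1)."""
    max_age: int
    include_subdomains: bool = False
    preload: bool = False  # not an RFC 6797 directive; Chromium's preload-list opt-in


def parse_sts_header(value: str) -> Optional[HstsPolicy]:
    """Parse an STS field value; None means malformed, and a UA must ignore it.
    max-age is required, a directive may appear only once, names are
    case-insensitive and unknown directives are skipped."""
    max_age, include_subdomains, preload, seen = None, False, False, set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')  # token or quoted-string
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


class HstsStore:
    """Minimal model of a UA's cache of Known HSTS Hosts (RFC 6797 sections 8.1, 8.3)."""

    def __init__(self) -> None:
        self._hosts = {}  # host -> (expiry time, includeSubDomains flag)

    def observe_response(self, host: str, sts_value: Optional[str],
                         secure_transport_ok: bool, now: float) -> None:
        # 8.1: the header only counts on a response received over TLS with no
        # errors; over plain HTTP or a broken TLS session it is ignored.
        if sts_value is None or not secure_transport_ok:
            return
        policy = parse_sts_header(sts_value)
        if policy is None:
            return
        host = host.lower()
        if policy.max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 tells the UA to forget the host
        else:
            self._hosts[host] = (now + policy.max_age, policy.include_subdomains)

    def is_known(self, host: str, now: float) -> bool:
        """8.3: known if the host itself, or a superdomain whose entry has
        includeSubDomains, still has an unexpired entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue  # no entry, or expired
            if i == 0 or entry[1]:
                return True
        return False

    def clear(self) -> None:
        """What clearing browser data does: every cached policy is forgotten."""
        self._hosts.clear()


def on_certificate_error(store: HstsStore, host: str, now: float) -> str:
    """12.1 'No User Recourse': on a Known HSTS Host a certificate error ends the
    connection outright; anywhere else the UA may show a bypassable interstitial."""
    return "terminate" if store.is_known(host, now) else "interstitial"


if __name__ == "__main__":
    # Constructed hosts, header values and clock; not what any real site sends.
    store, now = HstsStore(), 1_700_000_000.0
    store.observe_response("www.hsts-site.test", "max-age=31536000; includeSubDomains", True, now)
    store.observe_response("www.plain-site.test", None, True, now)
    print("hsts-site :", on_certificate_error(store, "www.hsts-site.test", now))    # terminate
    print("plain-site:", on_certificate_error(store, "www.plain-site.test", now))   # interstitial
    store.clear()
    print("after clearing cache:", on_certificate_error(store, "www.hsts-site.test", now))  # interstitial
```

Run as a script it prints the three decisions. The model deliberately has no "proceed anyway" path for a known host, which is the point of section 12.1; Chrome's interstitial keyword discussed in the comments is an implementation choice outside the RFC, and anything that depends on it can change between releases.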