how to ignore HSTS on Chrome?

Question

am running Chrome 103.0.5060.66 and intentionally MITM'ing myself with Fiddler Proxy, and it works on websites not using HSTS, but breaks on HSTS sites. How can i tell Chrome to ignore HSTS? example of a website using HSTS: https://www.century21.pt/ - example website -not- using HSTS: https://example.org - related question: how to ignore HSTS on Firefox?

Clear the browser cache, then all HSTS pinnings are deleted. Afterwards make sure HSTS headers are stripped from the communication. AFAIR Fiddler does this by default, not sure about Mitmproxy. — Robert, Jul 06 '22 at 16:28
Try typing thisisunsafe or IknowwhatI'mdoing while browsing that page. The page at that point should reload and the website is displayed. There is no way to NOT get that error website sine the host is configured for HSTS. This has in the past worked as recently as 1 year ago. The string has also changed over the years. — Ramhound, Jul 06 '22 at 16:28
You can determine the current phrase by looking at the source code here. I am unable to look at the source code myself. — Ramhound, Jul 06 '22 at 16:32
Does this answer your question? How to configure Chrome to ignore SSL warning on specific URLs? — Ramhound, Jul 06 '22 at 16:34
@Ramhound damn you're right! "thisisunsafe" lets me in! you should add that as an answer — hanshenrik, Jul 07 '22 at 19:29
@hanshenrik - There is already an existing question with an answer that suggests that solution. I try to avoid submitting a new answer when one already exists. — Ramhound, Jul 07 '22 at 21:07
@Ramhound well i'm not convinced that "how to ignore HSTS ERRORS" is a duplicate of "how to ignore SSL WARNINGS", even though the solution is the same, and they're definitely related questions =/ — hanshenrik, Jul 07 '22 at 21:08
It’s about the answer not the question. If the answer, answers your question, then it’s a duplicate — Ramhound, Jul 07 '22 at 21:10

Frank Thomas · Answer 1 · 2022-07-06T16:41:38.693

Per RFC 6797, a browser that has a compliant implementation of HSTS must not allow the feature to be disabled or bypassed. Section 12.1 "No User Recourse" covers this topic:

12.1. No User Recourse

Failing secure connection establishment on any warnings or errors
(per Section 8.4 ("Errors in Secure Transport Establishment")) should be done with "no user recourse". This means that the user should not be presented with a dialog giving her the option to proceed. Rather, it should be treated similarly to a server error where there is
nothing further the user can do with respect to interacting with the
target web application, other than wait and retry.

Essentially, "any warnings or errors" means anything that would cause the UA implementation to announce to the user that something is not entirely correct with the connection establishment.

Not doing this, i.e., allowing user recourse such as "clicking
through warning/error dialogs", is a recipe for a man-in-the-middle
attack. If a web application issues an HSTS Policy, then it is
implicitly opting into the "no user recourse" approach, whereby all
certificate errors or warnings cause a connection termination, with
no chance to "fool" users into making the wrong decision and
compromising themselves.

Now of course, there is no requirement that a browser's developers fully conform to the RFC specification, such as the "interstitial bypass keyword" in Ramhound's link, but the implementation may be unreliable and subject to change without notification, as some users on that link pointed out.

that explains why, it seems, older versions of firefox had a security.mixed_content.use_hstsc=false setting to ignore HSTS, but modern versions of firefox don't (afaik) — hanshenrik, Jul 06 '22 at 16:42
Indeed, though it appears that Mixed Content Usage for HSTS is addressed, but not fully defined in the RFC under section 12.4. https://datatracker.ietf.org/doc/html/rfc6797#section-12.4 — Frank Thomas, Jul 06 '22 at 16:58
dang, turns out Chrome does implement a bypass for this prompt, despite RFC6797. for more info see the comment of the top post =/ — hanshenrik, Jul 07 '22 at 21:10
it says giving her the option to proceed meaning it is a limitation only for females, but Im a white male with a girlfriend, it should show me a dialog giving me option to proceed! — George Shalvashvili, Jul 01 '23 at 15:44

how to ignore HSTS on Chrome?

1 Answers1

Linked