Sykje yn Support

Mij stipescams. Wy sille jo nea freegje in telefoannûmer te beljen, der in sms nei ta te stjoeren of persoanlike gegevens te dielen. Meld fertochte aktiviteit mei de opsje ‘Misbrûk melde’.

Mear ynfo

Dizze konversaasje is argivearre. Stel in nije fraach as jo help nedich hawwe.

How can I bypass security HSTS certificate check ?

  • 4 antwurd
  • 18 hawwe dit probleem
  • 1 werjefte
  • Lêste antwurd fan Kzwix

more options

I'm trying to connect to a website which uses HSTS, and has an expired certificate.

I would like Firefox to let me add an exception, even temporarily, in order to be able to use that website, even in an insecure way, because I only care about what is written on this website, and I utterly don't care if someone catches anything from my visit there - it's a games wiki site, not a banking site, nor a terrorist hideout, or bomb-making den, or whatever, so I really do NOT need security going there.


I deeply resent Firefox preventing me, the user, from telling it to accept it anyway and proceed. I tried adding the certificate manually to the server, in the certificates window, but, as it is expired, it didn't work. I would like Firefox to let people choose what to accept, or what NOT to accept, instead of making the choice for them...

So... is there some way to circumvent this for THIS site, only ? Because I read about a test.currentTimeOffsetSeconds setting in about:config, but I fear it would be used for all certificates, and, thus, keep accepting other expired certificates too, which I absolutely do NOT want.


I find it distressing to have to turn to another browser for such a simple thing.

I'm trying to connect to a website which uses HSTS, and has an expired certificate. I would like Firefox to let me add an exception, even temporarily, in order to be able to use that website, even in an insecure way, because I only care about what is written on this website, and I utterly don't care if someone catches anything from my visit there - it's a games wiki site, not a banking site, nor a terrorist hideout, or bomb-making den, or whatever, so I really do NOT need security going there. I deeply resent Firefox preventing me, the user, from telling it to accept it anyway and proceed. I tried adding the certificate manually to the server, in the certificates window, but, as it is expired, it didn't work. I would like Firefox to let people choose what to accept, or what NOT to accept, instead of making the choice for them... So... is there some way to circumvent this for THIS site, only ? Because I read about a test.currentTimeOffsetSeconds setting in about:config, but I fear it would be used for all certificates, and, thus, keep accepting other expired certificates too, which I absolutely do NOT want. I find it distressing to have to turn to another browser for such a simple thing.

Alle antwurden (4)

more options

I don't think there is any built-in feature for this.

Why would a site that requires HTTPS allow its certificate to expire?!

In some cases, the site only sets HSTS for some portions of the site and you do not need to access those portions right away. In those cases, clearing Firefox's record of HSTS headers could allow you to make a temporary exception when you visit a section of the site that doesn't serve that header. This thread addressed that issue: https://support.mozilla.org/questions/1126812.

more options

Well, the website is https://www.gnomoriawiki.com/, and I highly suspect it has to do with the "Let's encrypt !" initiative.

The idea being to drown government-sponsored cypher-breaking capabilities under a lot a useless noise, to mask the interesting traffic, it would make sense, if you support this, to make people use HTTPS, even for something this benign.

more options

Maybe because I've never connected to the server before, I do get an "Add Exception" button. Firefox doesn't honor HSTS unless it is sent over HTTP HTTPS, so perhaps that explains the difference.

Bewurke troch jscher2000 - Support Volunteer op

more options

Thanks, I surgically removed the "gnomoriawiki.com:HSTS" (and a bit more stuff on the line) from the SiteSecurityServiceState.txt file, started Firefox again, and then, It allowed me to add an exception, just like you said.

I still think it's counter-intuitive, and bad UI, but I'm glad you could provide me with this walkaround.