am running Chrome 103.0.5060.66 and intentionally MITM'ing myself with Fiddler Proxy, and it works on websites not using HSTS, but breaks on HSTS sites. How can i tell Chrome to ignore HSTS? example of a website using HSTS: https://www.century21.pt/ - example website -not- using HSTS: https://example.org - related question: how to ignore HSTS on Firefox?
Typing "thisisunsafe" on the Google Chrome warning page will bypass the warning and load the page without any alerts.
In Chromium-based browsers, run this line in the DevTools console:
sendCommand(SecurityInterstitialCommandId.CMD_PROCEED)
Per RFC 6797, a browser that has a compliant implementation of HSTS must not allow the feature to be disabled or bypassed. Section 12.1 "No User Recourse" covers this topic:
12.1. No User Recourse
Failing secure connection establishment on any warnings or errors
(per Section 8.4 ("Errors in Secure Transport Establishment")) should be done with "no user recourse". This means that the user should not be presented with a dialog giving her the option to proceed. Rather, it should be treated similarly to a server error where there is
nothing further the user can do with respect to interacting with the
target web application, other than wait and retry.Essentially, "any warnings or errors" means anything that would cause the UA implementation to announce to the user that something is not entirely correct with the connection establishment.
Not doing this, i.e., allowing user recourse such as "clicking
through warning/error dialogs", is a recipe for a man-in-the-middle
attack. If a web application issues an HSTS Policy, then it is
implicitly opting into the "no user recourse" approach, whereby all
certificate errors or warnings cause a connection termination, with
no chance to "fool" users into making the wrong decision and
compromising themselves.
Now of course, there is no requirement that a browser's developers fully conform to the RFC specification, such as the "interstitial bypass keyword" in Ramhound's link, but the implementation may be unreliable and subject to change without notification, as some users on that link pointed out.
