2

Google Chrome (and other browsers) do a great job preventing the user from viewing non-TLS sites or sites with invalid certificates by using HSTS preloading. So good actually that I can't find a way to open the site in Google Chrome at all.

chrome://net-internals/#hsts allows you to temporarily remove HSTS for a domain, but only if it's not preloaded.

As an admin and security guy, I sometimes have to look at sites over http even though they use HSTS preloading. What is the best way to do this? I primarily use Chrome, but would also appreciate instructions for Firefox, Edge and Safari.

xsrf
  • 171

3 Answers

3

The best options are to use an HTTP client other than a browser (e.g. curl), or use an intercepting proxy (such as Fiddler, Burp Suite, etc.). Only browsers enforce HSTS (at least, by default). You could also almost certainly locate the preload list in your browser somewhere - it's basically got to be a file, plausibly one you can just grep/findstr.exe for - and edit out the relevant domain (though it might go back with the next browser update).

More breakdown of those options:

  • Non-browser HTTP clients are really convenient if what you want is to just look at the response to a simple request, or even a complicated one that you aren't manually tinkering with a lot. They'll let you see the response - body and headers both, if you request them - in a machine-readable way that greatly simplifies scripting (I assume you want this for ongoing testing of whether a site is doing things like redirecting to HTTPS correctly, so I suspect automation is desirable). There are lots of tools, though they all have syntactical differences; some of the most common are curl or wget (at least one of which should be present on any non-toy *nix system) or PowerShell's Invoke-WebRequest. For example, on Windows, (Invoke-WebRequest http://bing.com/ -MaximumRed 0 -ErrorAct Silent).RawContent will make an HTTP (not HTTPS) request to an HSTS-preloaded domain and show you the full HTTP response. If you just want the headers, you can use .Headers instead of .RawContent and that will give you a formatted name-value list. The syntax varies for other clients but they all should have comparable functionality. If you prefer GUI tools, there are also options such as Postman.
  • Intercepting proxies are software that you install locally and then configure your browser to use as the proxy server; this allows you to read and modify outbound requests and their inbound responses. For HTTPS interception to work, the proxy software generates a unique TLS root certificate - which you must install as trusted in your OS/browser - and then uses the corresponding private key (also uniquely generated per install) to sign certificates for each site your browser requests over HTTPS. In most cases, this just works, and you will be presented with the intercepted HTTPS traffic, decrypted to HTTP; you can then choose to forward on the response as HTTP rather than HTTPS, so you can see what the server says in response to an insecure HTTP request. However, note that if there's any data that the browser would only send in an HTTPS request - such as cookies that have the Secure flag set - those will nonetheless be present, since as far as the browser knows you're making an HTTPS request (and indeed, the connection between the browser and the proxy is secure, just not from the proxy to the webserver). Browsers may not trust custom-added root certificates to sign certificates for HSTS sites, though; if that happens, you may need to type "thisisunsafe" or a similar string into the error page (there's no text box, just type it); see how to ignore HSTS on Chrome? for more information. Finally, some sites may be "pinned" such that they won't accept unfamiliar certificates (or at least unfamiliar public keys or certificate authorities) at all; this is very rare and probably not relevant for a third-party site, as no modern browser supports arbitrary sites doing pinning and only the browser maker can create such pins.
  • Manually editing the HSTS preload list is not something I've ever tried, but should be possible. The HSTS preload list is now quite long - to the point that it takes up a significant portion of a browser's install footprint - and can be found online at https://raw.githubusercontent.com/chromium/chromium/master/net/http/transport_security_state_static.json (warning: 16.6 MB file!). It should be present - most likely with that name, and probably under at least a similar path - somewhere in your Chrome install directory. If so, you should be able to just open and edit the file to remove the preload in question from your system; it's perfectly readable JSON.
CBHacking
  • 6,404
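The answer above suggests scripting plain-HTTP checks with a non-browser client and grepping the preload list for a domain. The following is an added example written for this thread, not code from the answer's author or from any of the tools it names: it issues a plain-HTTP request without following redirects, judges whether the server redirects to HTTPS the way it should, parses the Strict-Transport-Security header against the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload), and looks a hostname up in a preload list the way a browser would, walking up parent domains and honouring include_subdomains. The entry shape used for the preload list ({"name", "mode", "include_subdomains"}) is an assumption about the "entries" array of transport_security_state_static.json, and the sample entries and responses are constructed, not captured from any real site.

```python
# Added example for this thread; not the answer author's code. Assumes a plain-HTTP
# response is "correct" when it is a 301/308 to https:// on the same host, and that
# preload-list entries look like {"name", "mode", "include_subdomains"}.
import http.client
import re
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # hstspreload.org requires a max-age of at least one year


def parse_hsts(value):
    """Split a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            match = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if match:
                policy["max_age"] = int(match.group(1))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def preload_ready(value):
    """True when the header meets the preload submission requirements."""
    p = parse_hsts(value)
    return bool(p["max_age"] is not None and p["max_age"] >= ONE_YEAR
                and p["include_subdomains"] and p["preload"])


def check_plain_http_response(host, status, headers):
    """Return findings for an insecure http:// response; [] means it redirected correctly."""
    findings = []
    if status not in (301, 308):
        findings.append(f"expected a permanent redirect, got status {status}")
    location = headers.get("location", "")  # header names are lower-cased
    target = urlsplit(location)
    if target.scheme != "https":
        findings.append(f"redirect target is not https: {location!r}")
    elif target.hostname != host:
        findings.append(f"redirect changes host: {target.hostname} != {host}")
    # RFC 6797 s.8.1: browsers ignore an STS header received over plain HTTP,
    # so seeing one here means the policy is configured in the wrong place.
    if "strict-transport-security" in headers:
        findings.append("HSTS header sent over plain HTTP (ignored by browsers)")
    if "set-cookie" in headers:
        findings.append("cookie set over plain HTTP")
    return findings


def preloaded_entry(entries, host):
    """Return the preload entry covering `host`, walking up parent domains."""
    by_name = {e["name"].lower(): e for e in entries}
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = by_name.get(".".join(labels[i:]))
        if entry is None or entry.get("mode") != "force-https":
            continue
        if i == 0 or entry.get("include_subdomains"):
            return entry
    return None


def fetch_plain_http(host, path="/", timeout=10):
    """One plain-HTTP GET, redirects not followed; returns (status, headers)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


# Constructed sample data; not captured from any real site.
SAMPLE_ENTRIES = [
    {"name": "example.test", "mode": "force-https", "include_subdomains": True},
    {"name": "nosub.test", "mode": "force-https", "include_subdomains": False},
]
SAMPLE_GOOD = (301, {"location": "https://example.test/", "content-length": "0"})
SAMPLE_BAD = (200, {"content-type": "text/html", "set-cookie": "sid=abc",
                    "strict-transport-security": "max-age=1800"})

if __name__ == "__main__":
    print(parse_hsts("max-age=63072000; includeSubDomains; preload"))
    print(check_plain_http_response("example.test", *SAMPLE_GOOD))
    print(check_plain_http_response("example.test", *SAMPLE_BAD))
    print(preloaded_entry(SAMPLE_ENTRIES, "www.example.test"))
```

Against a live host you would feed `fetch_plain_http(host)` into `check_plain_http_response`; the sample tuples exist so the checks can be exercised offline. Because the request is made by http.client rather than a browser, the preload list plays no part, which is exactly the point the answer makes about non-browser clients.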
0

If you are the admin of the sites that you'd like to browse over HTTP, then it could help to lower the max-age in the Strict-Transport-Security header. That property defines how long HSTS is in effect in the browser.

Nginx example:

add_header Strict-Transport-Security "max-age=1800;";
bbaassssiiee
  • 1,525
0

In Chrome (and I guess Edge/Chrome-based browsers) you can just type thisisunsafe on your keyboard when the HSTS warning is there. This will skip the warning for the browsing session and reload the site.

xsrf
  • 171