Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

How can I bypass security HSTS certificate check ?

  • 4 replies
  • 18 have this problem
  • Last reply by Kzwix

more options

I'm trying to connect to a website which uses HSTS, and has an expired certificate.

I would like Firefox to let me add an exception, even temporarily, in order to be able to use that website, even in an insecure way, because I only care about what is written on this website, and I utterly don't care if someone catches anything from my visit there - it's a games wiki site, not a banking site, nor a terrorist hideout, or bomb-making den, or whatever, so I really do NOT need security going there.

I deeply resent Firefox preventing me, the user, from telling it to accept it anyway and proceed. I tried adding the certificate manually to the server, in the certificates window, but, as it is expired, it didn't work. I would like Firefox to let people choose what to accept, or what NOT to accept, instead of making the choice for them...

So... is there some way to circumvent this for THIS site, only ? Because I read about a test.currentTimeOffsetSeconds setting in about:config, but I fear it would be used for all certificates, and, thus, keep accepting other expired certificates too, which I absolutely do NOT want.

I find it distressing to have to turn to another browser for such a simple thing.

All Replies (4)

more options

I don't think there is any built-in feature for this.

Why would a site that requires HTTPS allow its certificate to expire?!

In some cases, the site only sets HSTS for some portions of the site and you do not need to access those portions right away. In those cases, clearing Firefox's record of HSTS headers could allow you to make a temporary exception when you visit a section of the site that doesn't serve that header. This thread addressed that issue:

more options

Well, the website is, and I highly suspect it has to do with the "Let's encrypt !" initiative.

The idea being to drown government-sponsored cypher-breaking capabilities under a lot a useless noise, to mask the interesting traffic, it would make sense, if you support this, to make people use HTTPS, even for something this benign.

more options

Maybe because I've never connected to the server before, I do get an "Add Exception" button. Firefox doesn't honor HSTS unless it is sent over HTTP HTTPS, so perhaps that explains the difference.

Modified by jscher2000

more options

Thanks, I surgically removed the "" (and a bit more stuff on the line) from the SiteSecurityServiceState.txt file, started Firefox again, and then, It allowed me to add an exception, just like you said.

I still think it's counter-intuitive, and bad UI, but I'm glad you could provide me with this walkaround.