HSTS was created in response to an HTTPS weakness demonstrated by computer security researcher Moxie Marlinspike. With the HSTS policy in place, a website forces browsers to open it strictly over HTTPS.
HSTS stands for HTTP Strict Transport Security. It is a web security policy mechanism that forces web browsers to interact with a website only via secure HTTPS connections (and never plain HTTP). This helps prevent protocol downgrade attacks and cookie hijacking.
Unfortunately, some HSTS settings can inadvertently cause browser errors. For instance, in Chrome (or any other Chromium-based browser) you might run into:
"Privacy error: Your connection is not private" (NET::ERR_CERT_AUTHORITY_INVALID).
Your browser caches HSTS settings, and this can sometimes lead to spurious errors. The error may be presented differently in different browsers; other examples are:
- DLG_FLAGS_INVALID_CA
- DLG_FLAGS_SEC_CERT_CN_INVALID
- NET::ERR_CERT_COMMON_NAME_INVALID
If you can reach the same site in another browser without running into the same issue, the problem may simply be how the cached HSTS settings are affecting your original browser. In that case, you will need to clear them.
The information below shows how to clear the HSTS (HTTP Strict Transport Security) settings cached in common browsers, such as Chrome, Firefox, Safari, Brave and Microsoft Edge.
This is particularly useful during testing and development of web applications or websites, and during HSTS configuration and hardening work on web servers (for example while changing TLS/SSL certificates and configurations).
Chrome (and Chromium-based browsers like Brave, etc.)
- Open Google Chrome
- Search for chrome://net-internals/#hsts in the address bar
- In the Query HSTS/PKP domain field, type the domain name (for example, example.com) for which you want to delete the HSTS settings. This should return the stored values.
Note that this is an exact-match lookup. Enter only the hostname, such as www.example.com or example.com, without a protocol or path.
Then scroll down the page, enter the domain name (FQDN) that you want to clear (for example, example.com) in the Delete domain security policies field and press the Delete button.
This clears the HSTS settings for that domain in Google Chrome. Restart the Chrome browser and try to access the website/domain again.
Your browser will no longer force an HTTPS connection for that site. You can test that it's working properly by refreshing or navigating to the page.
Note that depending on the HSTS settings provided by the site, we may need to specify the proper subdomain. For example, the HSTS settings for staging.example.com may be separate from example.com so you may need to repeat the steps as appropriate.
Restart Chrome and see if you are able to access the domain that you previously cleared the HSTS settings for. If the issue was related to the HSTS settings, the website should be accessible.
Google Chrome/Chromium HSTS error bypass
There is also a "hidden" way to bypass the certificate error page.
The procedure is the following:
- Go HERE (master branch of the Chromium project).
- Find the line (usually within the first 20-25 lines of the resource linked above) that looks like this: const BYPASS_SEQUENCE = window.atob('dGhpc2lzdW5zYWZl');
- Open Developer Tools (F12), go to the Console tab and paste in everything after the equals sign from the previous step (window.atob('dGhpc2lzdW5zYWZl')).
- This prints the plaintext keystroke sequence that bypasses the certificate warning.
- Click on the certificate error page to give it focus and type the sequence exactly as it appeared in the console output. For the example above, it was thisisunsafe. This sequence is changed periodically.
- You're in.
Firefox
The first way to clear HSTS settings in Firefox is the following:
- Close all open Firefox windows.
- Open the browsing history by pressing Ctrl + Shift + H (Cmd + Shift + H on MacOS).
- Go to the site/domain for which you want to clear HSTS settings.
- Now right-click on that site/domain and then click on Forget About This Site. Keep in mind that this will clear all data of the site/domain present in Firefox.
There's also a second way to clear HSTS settings for a specific site/domain and it is shown below:
- Open Firefox, click the Library icon and select History > Clear Recent History.
- In the Clear All History window, set the Time range to clear drop-down menu to Everything.
- Next, expand the Details menu and uncheck every option except for Site Preferences.
Click the Clear Now button to clear all site preferences, including the HSTS settings, then restart Firefox and go back to the website at the next startup.
The third method to clear HSTS entries in Firefox begins by locating your Firefox profile folder in your operating system's file explorer. You can find this folder from within Firefox by navigating to about:support (or by going to C:\Users\{YOURUSERNAME}\AppData\Roaming\Mozilla\Firefox\Profiles\).
Halfway down the page, in the Application Basics section, you will see Profile Folder. Click Open Folder.
Now close Firefox so that the browser does not overwrite any settings we are about to change.
In your profile folder, find and open the file SiteSecurityServiceState.txt. This file contains the cached HSTS and HPKP (Key Pinning, a separate HTTPS mechanism) settings for the domains you have visited. It may be very disorganized, so it is highly recommended to open it with a capable text editor like Notepad++ rather than plain Notepad.
Search for the domain whose HSTS settings you want to clear and delete it from the file. Each entry begins with the domain name. Delete the entire entry, from the beginning of the desired domain name up to the next listed domain. As an alternative, you can rename the existing file from .txt to .bak (to keep a copy, just in case) and let Firefox create an entirely new file on the next startup.
Here is an example of a simple HSTS listing:
www.example.com:HSTS 0 17312 1527362896190,1,0
As mentioned, the formatting of this file can be messy.
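As an added example (not code from the original post), the following Python script performs the manual file edit described above programmatically: it backs up SiteSecurityServiceState.txt, parses each entry, and drops every line belonging to the chosen domain or one of its subdomains. It assumes the whitespace-separated field layout seen in the sample line (host:TYPE, score, last-accessed day, then expiry-ms,state,includeSubdomains); the file contents below are constructed.

```python
import shutil
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample of a Firefox SiteSecurityServiceState.txt. Assumed layout per line:
# "<host>:<TYPE> <score> <lastAccessedDay> <expiryMs>,<state>,<includeSubdomains>"
# (Firefox separates the first fields with tabs; whitespace-splitting covers both).
SAMPLE = (
    "www.example.com:HSTS\t0\t17312\t1527362896190,1,0\n"
    "example.com:HSTS\t3\t17320\t1528054000000,1,1\n"
    "sub.example.org:HSTS\t1\t17300\t1526000000000,1,0\n"
)

def parse_entry(line):
    """Split one line into its fields; returns None for blank or unrecognised lines."""
    parts = line.split()
    if len(parts) != 4 or ":" not in parts[0] or parts[3].count(",") != 2:
        return None
    host, kind = parts[0].rsplit(":", 1)
    expiry_ms, state, include_sub = parts[3].split(",")
    return {
        "host": host, "kind": kind, "score": int(parts[1]),
        "last_day": int(parts[2]), "expiry_ms": int(expiry_ms),
        "state": int(state), "include_subdomains": include_sub == "1",
        # Expiry is milliseconds since the Unix epoch; convert for readability.
        "expires": datetime.fromtimestamp(int(expiry_ms) / 1000, tz=timezone.utc),
    }

def matches(host, domain):
    """True for the domain itself and for any of its subdomains."""
    return host == domain or host.endswith("." + domain)

def clear_domain(text, domain):
    """Return (remaining text, removed entries) with every line for `domain` dropped."""
    kept, removed = [], []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and matches(entry["host"], domain):
            removed.append(entry)
        else:
            kept.append(line)  # unknown lines are preserved untouched
    return "\n".join(kept) + ("\n" if kept else ""), removed

def clear_file(path, domain):
    """Copy the file to .bak first (Firefox must be closed), then rewrite it."""
    path = Path(path)
    shutil.copy2(path, path.with_suffix(".bak"))
    new_text, removed = clear_domain(path.read_text(encoding="utf-8"), domain)
    path.write_text(new_text, encoding="utf-8")
    return removed
```

Run `clear_file(<profile folder>/SiteSecurityServiceState.txt, "example.com")` with Firefox closed; the returned list tells you which entries (and their expiry dates) were removed.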
If you do not want HSTS enabled in your browser at all (not recommended), proceed as follows: launch Firefox and type "about:config" in the address bar. Next, click the I accept the risk! button to enter the advanced settings.
Double click on security.mixed_content.block_display_content and set it to true.
Clearing HSTS in Internet Explorer
For legacy reasons, let's also see how to clear HSTS entries in Internet Explorer.
Open the Registry Editor on your PC: open the Run box, type regedit and hit Enter. Then browse to the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\
On the Edit menu, point to New and click Key. Type FEATURE_DISABLE_HSTS and press Enter, then click on FEATURE_DISABLE_HSTS.
Again on the Edit menu, point to New and click DWORD value. Type iexplore.exe as its name. Open the Edit menu and click Modify. In the Value data box, type 1 and click OK to save the change.
Browse the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\
On the Edit menu, point to New and click Key. Type FEATURE_DISABLE_HSTS and hit Enter, then click on FEATURE_DISABLE_HSTS.
On the Edit menu, point to New and click DWORD value, then type iexplore.exe as its name. Again, open the Edit menu and click Modify. In the Value data box, type 1 and hit OK.
Finally, exit from Registry Editor.
Safari
To clear HSTS settings in Safari (MacOS): first close Safari, then delete the ~/Library/Cookies/HSTS.plist file and finally reopen Safari.
This will purge the HSTS settings for all sites visited.
Microsoft Edge
In Microsoft Edge, the quickest way to delete HSTS entries is the following:
- Open the Microsoft Edge settings and go to Privacy, search, and services.
- Click "Choose what to clear".
- Make sure at least "Cached data and files" is ticked and click Clear.
- Restart Microsoft Edge
Why HTTPS is important
Accessing a website via HTTP is a risky practice. Hackers (or crackers) can intercept your connection to read and steal sensitive data in MitM attacks. They sometimes execute SSL stripping attacks using a tool called SSLstrip to force browsers to load websites over an insecure HTTP connection.
SSLstrip strips the secure HTTPS protocol from the connection between a user and the server in order to deploy a man-in-the-middle attack. Whenever the user tries to open a website over HTTPS, the hacker intercepts that request and establishes the HTTPS connection between himself and the server instead. As a result, the connection between the website visitor and the hacker remains plain HTTP, while the connection between the hacker and the website's server is HTTPS.
Here, the hacker acts as a bridge between the user and the server. They can steal all the user's data, since it travels in plaintext over the HTTP channel. The server, on the other hand, has no clue, because from its end it is serving an ordinary HTTPS connection.