
{"id":5228,"date":"2025-04-02T10:07:10","date_gmt":"2025-04-02T14:07:10","guid":{"rendered":"https:\/\/ikriv.com\/blog\/?p=5228"},"modified":"2025-09-01T00:35:54","modified_gmt":"2025-09-01T04:35:54","slug":"chrome-thisisunsafe","status":"publish","type":"post","link":"https:\/\/ikriv.com\/blog\/?p=5228","title":{"rendered":"Chrome: thisisunsafe!"},"content":{"rendered":"<p><b>TL;DR<\/b> Under certain circumstances you won&#8217;t be able to access an HTTPS site with an invalid certificate from Chrome, unless you type a magic cheat code &#8220;<code>thisisunsafe<\/code>&#8221;. <\/p>\n<p>I was debugging a web site from the local network with a self-signed certificate. I couldn&#8217;t use Let&#8217;s Encrypt, because the site is not available externally.<\/p>\n<p>I received this error when trying to access it:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/ikriv.com\/blog\/wp-content\/uploads\/2025\/04\/hsts.png\" alt=\"\" width=\"596\" class=\"alignnone size-full wp-image-5231\" \/><\/p>\n<p>Apparently Chrome completely (well, almost completely) blocks access to misconfigured sites that use <a href=\"https:\/\/en.wikipedia.org\/wiki\/HTTP_Strict_Transport_Security\">HTTP Strict Transport Security<\/a>, a.k.a. HSTS. For websites that don&#8217;t require HSTS, Chrome would show a <code>Proceed to {website} (unsafe)<\/code> link in the &#8220;advanced&#8221; section, but for the websites with HSTS it says <code>you cannot visit {website} right now<\/code>, and there is no link to click on.<\/p>\n<p>Yet, you can still proceed to the website by putting any item on the error page into focus, typing &#8220;thisisunsafe&#8221; (without quotes), and pressing ENTER. <\/p>\n<p>For either kind of site, you can remove the exception by clicking on the &#8220;not secure&#8221; plaque at the top left and choosing &#8220;Turn on warnings&#8221;.<\/p>\n<p>Chrome uses <a href=\"https:\/\/www.chromium.org\/hsts\/\">a complex algorithm<\/a> to determine whether a web site requires HSTS. 
A web site may require it explicitly via a header, or it can be on a static preload list, or it can be deemed HSTS based on some dynamic rules. I never designated <code>beta.ikriv.com<\/code> as an HSTS web site; Chrome just decided that it is, on its own. It looks like IP-based URLs, e.g. <code>https:\/\/192.168.0.10\/something<\/code>, are NOT considered HSTS by default.<\/p>\n<p>I am not sure what to think of it. On the one hand, protecting the Internet against bad certificates is good. On the other hand, I am afraid that if every application follows Chrome&#8217;s footsteps (everyone wants to be like Google, right?), we will be forced to remember a ton of cheat codes like this, and it would not be nice.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>TL;DR Under certain circumstances you won&#8217;t be able to access an HTTPS site with an invalid certificate from Chrome, unless you type a magic cheat code &#8220;thisisunsafe&#8221;. I was debugging a <a href=\"https:\/\/ikriv.com\/blog\/?p=5228\" 
class=\"more-link\">[&hellip;]<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"Layout":"","footnotes":""},"categories":[4],"tags":[],"class_list":["entry","author-ikriv","post-5228","post","type-post","status-publish","format-standard","category-hack"],"_links":{"self":[{"href":"https:\/\/ikriv.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5228","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ikriv.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ikriv.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ikriv.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ikriv.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5228"}],"version-history":[{"count":6,"href":"https:\/\/ikriv.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5228\/revisions"}],"predecessor-version":[{"id":5356,"href":"https:\/\/ikriv.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5228\/revisions\/5356"}],"wp:attachment":[{"href":"https:\/\/ikriv.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5228"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ikriv.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5228"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ikriv.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5228"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}