When you use badidea or thisisunsafe to bypass a Chrome certificate HSTS error does it only apply for the current site

Question

Sometimes and especially very often when developing a web-application Chrome doesn t allow you to visit certain sites and throwing certificate HSTS error  I ve found that typing badidea  more recently thisisunsafe  in Chrome window will tell Chrome to skip certificate validation   Does this solution only work for a specific site  or will Chrome ignore certificate HSTS errors for all sites after I ve used this keyword

User · Answer

The SSL errors are often thrown by network management software such as Cyberroam.

To answer your question,

you will have to enter badidea into Chrome every time you visit a website.

You might at times have to enter it more than once, as the site may try to pull in various resources before load, hence causing multiple SSL errors

User · Answer

This is specific for each site  So if you type that once  you will only get through that site and all other sites will need a similar type-through   It is also remembered for that site and you have to click on the padlock to reset it  so you can type it again      Needless to say use of this  feature  is a bad idea and is unsafe - hence the name   You should find out why the site is showing the error and or stop using it until they fix it  HSTS specifically adds protections for bad certs to prevent you clicking through them  The fact it s needed suggests there is something wrong with the https connection - like the site or your connection to it has been hacked   The chrome developers also do change this periodically  They changed it recently from badidea to thisisunsafe so everyone using badidea  suddenly stopped being able to use it  You should not depend on it  As Steffen pointed out in the comments below  it is available in the code should it change again though they now base64 encode it to make it more obscure  The last time they changed they put this comment in the commit      Rotate the interstitial bypass keyword      The security interstitial bypass keyword hasn t changed in two years   and awareness of the bypass has been increased in blogs and social   media  Rotate the keyword to help prevent misuse    I think the message from the Chrome team is clear - you should not use it  It would not surprise me if they removed it completely in future   If you are using this when using a self-signed certificate for local testing then why not just add your self-signed certificate certificate to your computer s certificate store so you get a green padlock and do not have to type this  Note Chrome insists on a SAN field in certificates now so if just using the old subject field then even adding it to the certificate store will not result in a green padlock   If you leave the certificate untrusted then certain things do not work  Caching for example is completely ignored for untrusted certificates  As is HTTP 2 Push   HTTPS is here to stay and we need to get used to using it properly - and not bypassing the warnings with a hack that is liable to change and doesn t work the same as a full HTTPS solution

User · Answer

I m a PHP developer and to be able to work on my development environment with a certificate  I was able to do the same by finding the real SSL HTTPS HTTP Certificate and deleting it   The steps are      In the address bar  type  chrome   net-internals  hsts    Type the domain name in the text field below  Delete domain   Click the  Delete  button  Type the domain name in the text field below  Query domain   Click the  Query  button  Your response should be  Not found     You can find more information at    http   classically me blogs how-clear-hsts-settings-major-browsers  Although this solution is not the best  Chrome currently does not have any good solution for the moment  I have escalated this situation with their support team to help improve user experience   Edit   you have to repeat the steps every time you will go on the production site

[google-chrome] When you use 'badidea' or 'thisisunsafe' to bypass a Chrome certificate/HSTS error, does it only apply for the current site?

Examples related to google-chrome

Examples related to security

Examples related to ssl

Examples related to certificate