Sometimes, and especially very often when developing a web application, Chrome doesn't allow you to visit certain sites and throws a certificate/HSTS error. I've found that typing badidea (more recently thisisunsafe) in the Chrome window will tell Chrome to skip certificate validation.

Does this solution only work for a specific site, or will Chrome ignore certificate/HSTS errors for all sites after I've used this keyword?

asked by sk1llfull (edited by Barry Pollard)

3 Answers


This is specific to each site. So if you type that once, you will only get through that site, and all other sites will need a similar type-through.

It is also remembered for that site, and you have to click on the padlock to reset it (so you can type it again).

Needless to say use of this "feature" is a bad idea and is unsafe - hence the name.

You should find out why the site is showing the error and/or stop using it until they fix it. HSTS specifically adds protections for bad certs to prevent you clicking through them. The fact it's needed suggests there is something wrong with the https connection - like the site or your connection to it has been hacked.

The Chrome developers also change this periodically. They changed it recently from badidea to thisisunsafe, so everyone using badidea suddenly stopped being able to use it. You should not depend on it. As Steffen pointed out in the comments below, it is available in the code should it change again, though they now base64 encode it to make it more obscure. The last time they changed it they put this comment in the commit:

Rotate the interstitial bypass keyword

The security interstitial bypass keyword hasn't changed in two years and awareness of the bypass has been increased in blogs and social media. Rotate the keyword to help prevent misuse.

I think the message from the Chrome team is clear - you should not use it. It would not surprise me if they removed it completely in future.

If you are using this when using a self-signed certificate for local testing, then why not just add your self-signed certificate to your computer's certificate store so you get a green padlock and do not have to type this? Note that Chrome insists on a SAN field in certificates now, so if you are just using the old subject field then even adding it to the certificate store will not result in a green padlock.

If you leave the certificate untrusted then certain things do not work. Caching for example is completely ignored for untrusted certificates. As is HTTP/2 Push.

HTTPS is here to stay and we need to get used to using it properly - and not bypassing the warnings with a hack that is liable to change and doesn't work the same as a full HTTPS solution.

Barry Pollard

  • Thanks, @BazzaDP, however this works not only for a specific session. I'm using a self-signed certificate which is good in terms of trust. – sk1llfull Feb 09 '16 at 09:59
  • Looking at [the way it is implemented](https://chromium.googlesource.com/chromium/src/+/60.0.3108.2/components/security_interstitials/core/browser/resources/interstitial_v2.js#11), you are right. – Stefan May 23 '17 at 13:23
  • Now that it lasts after the session ends, how can I recover the state? – Franklin Yu Mar 12 '18 at 14:40
  • @FranklinYu it has always persisted, but if you want to restore the warnings you can click on the padlock and then click "Re-enable warnings for this site". – dragon788 Mar 22 '18 at 15:22
  • If they care so much about security, why does clicking on the padlock show no information whatsoever on the certificate chain in use? – LtWorf Jun 26 '18 at 09:32
  • Because nobody looked at it except experts, who could get it from developer tools under the Security tab. Personally I thought it was worse when they put too much info in there (https://security.stackexchange.com/questions/52834/what-exactly-does-it-mean-when-chrome-reports-no-certificate-transparency-infor). But yeah, I agree with you that it's nice to be able to see the full certificate for those that want to, and I am glad they brought it back. Maybe you hadn't noticed it, but now if you click on the "Certificate (valid)" wording you can see the usual system dialog box including the chain. – Barry Pollard Jun 26 '18 at 09:57
  • @BarryPollard, as much as I like the good intentions of your answer, I am totally in disagreement with the approach used. 1 - Chrome behaves differently from other browsers. Firefox does not impose such a hideous block and lets developers/users choose. 2 - You assume developers always have control over their development environments. This is not the case. Developers need to allow self-signed certificates or they will just use another browser and will not be able to test local changes on Chrome. 3 - It is inconsistent that self-signed checks allow users to override them but not the HSTS one. – Bizmate Apr 28 '21 at 09:34
  • @Bizmate not sure what you're disagreeing with here, or that you think I've any influence on this :-) For production sites this is a bad idea and is unsafe and should not be encouraged. For development sites, developers can use this hack, but it quickly gets tiresome and some features won't work, as I said. That's the same on Firefox, where things like HTTP/2 and mixed content (to name a few) do not work except when on HTTPS. Your dev instances should be as close to production as possible, and HTTPS is the norm for production now. – Barry Pollard Apr 28 '21 at 17:49
  • @BarryPollard in my comment I am clearly not concerned with production. You and anyone reading could make it a better world on development environments, where again as a developer you have no control, by supporting this feature request (unfortunately already marked as wontfix) https://bugs.chromium.org/p/chromium/issues/detail?id=1200811#c7 and objecting to the RFC https://tools.ietf.org/html/rfc6797#section-12.1. At the moment this leaves us unable to test on Chrome. – Bizmate May 04 '21 at 10:11
  • Why not just add the self-signed cert to the trust store? Problem solved without needing to weaken the internet for everyone else. – Barry Pollard May 04 '21 at 10:47
  • Simply because adding the CA does not bypass HSTS and Chrome still blocks the site. I hope the internet will not get so weak. – Bizmate May 12 '21 at 20:37
  • Adding the cert to your local trust store will allow it to be recognised and avoid the HSTS error (assuming the SAN matches the URL used). – Barry Pollard May 12 '21 at 21:29
  • Today is 2021 4th October, and `thisisunsafe` still works :) – youkaichao Oct 04 '21 at 02:40
  • The idea that it is "dangerous" to bypass HSTS when you know you're going to only be viewing data on a site and sending no sensitive data is ludicrous. I fundamentally disagree with the whole concept of HSTS locking a user out of viewing data because of an invalid SSL cert. – Jez Apr 28 '22 at 11:53
  • So you think you should encourage the average Chrome user to ignore cert warnings regularly? Like your parents or grandparents? – Barry Pollard Apr 28 '22 at 12:47
  • @BarryPollard Where did you read that in Jez's comment? Because that's not what they wrote. Besides, last time I checked one could not make Chrome accept a site's self-signed certificate by simply adding it to the trust store, but instead had to sign the site's certificate with your own CA and add that to the trust store, which has quite bad implications if the CA key gets stolen (-> MITM). One can work against this by adding NameConstraints to the CA, but that's a lot of work for such a simple task. – Alexander Stumpf Sep 19 '22 at 22:07
  • As a developer this is very useful sometimes, and it is worth noting that I had to hit enter after I typed the interstitial bypass keyword sequence and then reload the page. It didn't work without pressing enter/return (Brave). – Elijah Lynn Jun 12 '23 at 23:02
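The answer and the comment thread above keep circling the same practical fix: instead of typing the bypass, mint a local CA, sign a leaf certificate that has a SAN, and trust the CA. The comment about a stolen CA key turning into a MITM tool is addressed with a nameConstraints extension. The script below is an added example written for this page; it is not code from the answer, from Chrome, or from any project the page mentions. It assumes the OpenSSL command-line tool (1.1.1 or newer) is on PATH; the host name `dev.local`, the directory layout and the function names are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original answer. Builds a throwaway local CA whose
# nameConstraints limit it to the dev host, issues a leaf certificate with a SAN
# (the field Chrome actually checks), and verifies both the way a browser would.
# Assumptions: OpenSSL >= 1.1.1 CLI on PATH; host and file names are made up.
set -eu

# make_ca DIR HOST: writes DIR/ca.key and DIR/ca.pem. Only HOST (and names under
# it) plus the loopback address are permitted, so a stolen ca.key cannot mint a
# certificate for a real site that this machine would trust.
make_ca() {
  dir=$1; host=$2
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Local dev CA ($host only)
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:$host, permitted;IP:127.0.0.1/255.255.255.255
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
}

# issue_leaf DIR NAME HOST: writes DIR/NAME.key and DIR/NAME.pem, a server
# certificate for HOST signed by DIR/ca.pem. HOST goes into subjectAltName;
# a subject CN on its own is ignored by Chrome.
issue_leaf() {
  dir=$1; name=$2; host=$3
  cat > "$dir/$name.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $host
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, IP:127.0.0.1
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$dir/$name.cnf" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$name.cnf" -extensions leaf_ext -out "$dir/$name.pem" 2>/dev/null
}

# verify_like_browser DIR CERT HOST: returns 0 only if CERT carries a
# subjectAltName, chains to DIR/ca.pem (name constraints included) and the SAN
# matches HOST. openssl's own hostname check would fall back to the CN, which
# Chrome no longer does, hence the explicit SAN test first.
verify_like_browser() {
  dir=$1; cert=$2; host=$3
  openssl x509 -in "$cert" -noout -text | grep -q 'Subject Alternative Name' || return 1
  openssl verify -CAfile "$dir/ca.pem" -verify_hostname "$host" "$cert" >/dev/null 2>&1
}

# Demo: the leaf for dev.local passes; a leaf for a name outside the constraint
# is rejected even though the same CA key signed it.
demo_dir=$(mktemp -d)
make_ca "$demo_dir" dev.local
issue_leaf "$demo_dir" leaf dev.local
if verify_like_browser "$demo_dir" "$demo_dir/leaf.pem" dev.local; then
  echo "dev.local: OK. Import $demo_dir/ca.pem into the trust store; serve leaf.pem + leaf.key"
fi
issue_leaf "$demo_dir" rogue www.example.com
if ! verify_like_browser "$demo_dir" "$demo_dir/rogue.pem" www.example.com; then
  echo "www.example.com: rejected by the CA's name constraint, as intended"
fi
```

Only `ca.pem` goes into the trust store, never `ca.key` or the leaf. On Linux, Chrome reads the NSS database rather than the OpenSSL bundle, so the import is `certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "Local dev CA" -i ca.pem`; on macOS it is `security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.pem`. Because the CA is constrained to `dev.local` and 127.0.0.1, a leaked `ca.key` cannot be used to impersonate any other site on that machine, which is the objection raised in the comments.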
I'm a PHP developer, and to be able to work on my development environment with a certificate, I was able to do the same by finding the real SSL HTTPS/HTTP certificate and deleting it.

The steps are:

  1. In the address bar, type "chrome://net-internals/#hsts".
  2. Type the domain name in the text field below "Delete domain".
  3. Click the "Delete" button.
  4. Type the domain name in the text field below "Query domain".
  5. Click the "Query" button.
  6. Your response should be "Not found".

You can find more information at: http://classically.me/blogs/how-clear-hsts-settings-major-browsers

Although this solution is not the best, Chrome currently does not have any good solution for the moment. I have escalated this situation with their support team to help improve the user experience.

Edit: you have to repeat the steps every time you go to the production site.

aneth101

The SSL errors are often thrown by network management software such as Cyberroam.

To answer your question, you will have to enter badidea into Chrome every time you visit a website.

You might at times have to enter it more than once, as the site may try to pull in various resources before load, hence causing multiple SSL errors.

Paulo

  • If it doesn't work, see [here](https://bugs.chromium.org/p/chromium/issues/detail?id=797344) and [here](https://chromium.googlesource.com/chromium/src/+/master/components/security_interstitials/core/browser/resources/interstitial_large.js) – sanmai Feb 23 '18 at 05:18
  • You will only have to enter this for each new domain/subdomain you visit; once you have trusted a certificate (even if invalid) Chrome will remember it for you. – dragon788 Mar 22 '18 at 15:23
  • Note, as now mentioned in the question itself, the passphrase has changed again. As of Chrome 65 it is `thisisunsafe`. – Greg A. Woods Nov 15 '18 at 22:14
  • Where do you type thisisunsafe? In the address bar? – user2026318 Nov 06 '19 at 14:38
  • @user2026318 You just type it while you're on the certificate issue page. – sparkhee93 Dec 03 '19 at 16:24
  • @user2026318 There is no "place" to type it. You only need to type it "on the air". – Victor Jul 30 '21 at 02:34