HSTS – HTTP Strict Transport Security: dealing with the browser error

It would appear it has been a week for things done with the best of intentions becoming a real pain in the backside. Work with mod_headers late last week saw a number of really rather fabulous tweaks, and one that didn't go so well. The HSTS error message was the hangover it left me with, thanks to the fancy EV and wildcard SSL certificates in place on many hosts. Fail. So, what are you going to do about it? That is what I would like to know.

“Privacy error: Your connection is not private” (NET::ERR_CERT_AUTHORITY_INVALID).

"subdomain.preloaded-hsts.badssl.com normally uses encryption to protect your information. When Chromium tried to connect to subdomain.preloaded-hsts.badssl.com this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be subdomain.preloaded-hsts.badssl.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Chromium stopped the connection before any data was exchanged.

You cannot visit subdomain.preloaded-hsts.badssl.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later."

So there we are... that is probably how you (or, more likely, me, as I use this site as an extended aide-mémoire) found yourself here. The error message looks a little like the text quoted above in your browser.

Nasty business. More so if, through good intentions, you have nobbled all but the first host that this domain was seen on (a policy sent with includeSubDomains covers every subdomain, not just the host that served it). No. Badness. As these cannot be bypassed (kinda the point of them), you can either: 1. wait for the specified expiry period (the max-age) that was set when the site was visited, or, more likely, 2. FIX THE DAMNED THING NOW.
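To make the two options above concrete, here is an added example (mine, not from the original post) that parses a Strict-Transport-Security header value the way a browser does, lists which hostnames a cached entry pins to HTTPS, and says when the entry would lapse on its own. The hostnames under example.com and the two header values are constructed; the site-wide one is the shape of mod_headers directive that produces the problem described above.

```python
"""Parse Strict-Transport-Security header values and work out which hosts a
cached HSTS entry pins to HTTPS, and when the browser will let it expire.

Added example; the hostnames and header values below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int            # seconds the browser remembers the host
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse an STS header value using the RFC 6797 syntax.

    Returns None for anything a browser would ignore: a missing or
    non-numeric max-age, or a directive repeated in the same header."""
    max_age: Optional[int] = None
    seen_names = set()
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')   # max-age="300" (quoted-string) is legal
        if name in seen_names:
            return None                # RFC 6797 6.1: each directive at most once
        seen_names.add(name)
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unrecognised directives are ignored, not fatal
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def covered_hosts(policy_host: str, policy: HstsPolicy, candidates: List[str]) -> List[str]:
    """Hosts from `candidates` that the cached entry for `policy_host` applies to.

    Without includeSubDomains only the exact host is pinned; with it, every
    label-suffix match (www.example.com, deep.sub.example.com, ...) is too,
    whether or not those hosts have a certificate that is valid for them."""
    parent = policy_host.lower().rstrip(".")
    out = []
    for host in candidates:
        h = host.lower().rstrip(".")
        if h == parent or (policy.include_subdomains and h.endswith("." + parent)):
            out.append(host)
    return out


def policy_expiry(policy: HstsPolicy, seen_at: datetime) -> datetime:
    """When the browser forgets the entry if the header is never seen again.
    Every fresh response restarts the clock, so this is a floor, not a promise."""
    return seen_at + timedelta(seconds=policy.max_age)


# Constructed sample values, as an Apache mod_headers line might emit them.
SITE_WIDE = "max-age=31536000; includeSubDomains"   # pins the whole domain tree
SINGLE_HOST = "max-age=31536000"                     # scoped to one host
HOSTS = ["example.com", "www.example.com", "deep.sub.example.com", "notexample.com"]
SEEN_AT = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed first-visit time


def blast_radius(header_value: str, policy_host: str = "example.com") -> List[str]:
    """Which of HOSTS a given header value, served by policy_host, would pin."""
    policy = parse_hsts(header_value)
    return covered_hosts(policy_host, policy, HOSTS) if policy else []


if __name__ == "__main__":
    for label, value in (("site-wide", SITE_WIDE), ("single host", SINGLE_HOST)):
        until = policy_expiry(parse_hsts(value), SEEN_AT)
        print(f"{label:12} pins {blast_radius(value)} until {until:%Y-%m-%d}")
```

Note that deep.sub.example.com lands in the site-wide list even though a `*.example.com` wildcard certificate matches only one label and so is not valid for it: that combination of includeSubDomains plus a wildcard certificate on a deeper host is exactly what turns a certificate warning you could click through into the hard HSTS stop. Deleting the entry in the browser, as described below, clears only your own browser's cache; other visitors keep it until max-age runs out, and entries from the browser's built-in preload list cannot be deleted there at all.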

In your address bar, open chrome://net-internals/#hsts

You can see there that there is an option to QUERY DOMAIN. Do this first to check the entry is there and is what is causing you the issue: fill in the domain name and click on QUERY.

Assuming it is, then all you have to do is fill in DELETE DOMAIN and click on the DELETE button, and Bob is indeed my uncle.

Now you may celebrate the loss of the immoveable error page, and of having to address boxes by IP where that was the workaround. Great success. Mine's an ale.
