Taming your browser: How to resolve the HSTS site roadblock in Chrome

Browsers can often introduce strict security measures that prevent you from accessing sites that they consider unsafe. Find out how you can resolve one of these problems with Google Chrome and an HSTS error message.


I truly believe that web browser designers mean well when it comes to protecting users from harm, but their efforts to do so can sometimes seem a bit overly authoritarian, even clumsy. Errors happen; it’s part of the technology, but even the best intentions when it comes to safety can keep you from doing your job.

Case in point: I recently ran into this error in Chrome when trying to access docs.fedoraproject.org to do some research:

[Screenshot: capture.jpg]

The error message disturbingly indicated that an attacker could have set up a rogue website that attempts to impersonate this website, and it also referred to Wi-Fi login screen issues. In this case, none of that was true, and my efforts to find the information I needed were thwarted.

The core of the problem is the statement that the website uses HSTS, which stands for HTTP Strict Transport Security. HSTS is a security mechanism, and there is nothing wrong with it. It is just that the browser may have detected a change at the site (such as a renewed certificate that has a problem), or it may simply be wrong about its concern here, and so Chrome tries to protect the user from foul play by blocking all access, whether we like it or not.


It is annoying when this happens, especially when we know that the site is safe and valid. I prefer to have the option to continue with a “Hey, we warn you” notification, but in this case you are at a standstill when you view this page.

Fortunately, there is a solution beyond using an alternative browser, which is cumbersome and time-consuming.

Before describing the solution, I must warn you that you should ONLY apply it if you are 100% sure that the site is secure. If you get this error with a site that you are visiting for the first time, especially a public website, I advise you to be careful. You never want to implement a “solution” that compromises your security for convenience.

For the scope of this article, the site you are trying to access must be business related; I cannot vouch for any recreational or personal websites where you may encounter this problem, and I do not recommend this solution for those URLs.

In a “first time visit” situation, I would recommend visiting the site from a different browser but not sharing any personal or confidential information and seeing if there is an announcement about the problem or contacting the site owner to inquire about the source of the problem. You may be the only one seeing this error due to a local Chrome issue, so in that case, it’s probably safe to proceed with the solution.

In this example, I know that docs.fedoraproject.org is safe and reliable, and since I only use it to access information, never to share personal or confidential details, it is appropriate to continue.

In Chrome, access this URL for internal cleanup:

chrome://net-internals/#hsts

You will see a screen similar to the following:

[Screenshot: clipboard-2.jpg]

This is a page to configure how Chrome interacts with HSTS and related sites. In this case, something went wrong with the domain security policy related to docs.fedoraproject.org. Maybe there was a change on the site's end, maybe a change in Chrome settings, maybe a Windows update triggered something, or it could just be a generic error that popped up here. Either way, you can remove the obstacle and continue by entering your destination in the Domain: field under “Delete domain security policies”.

[Screenshot: clipboard-3.jpg]

Click Delete, then access the site once more. As you can see below, the operation was a total success!

[Screenshot: clipboard-4.jpg]
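The policy that blocks a host may have been set by a parent domain with includeSubDomains, so it helps to know which name the stored policy belongs to before deleting anything. The following is an added example, not part of the original article and not Chrome's own code: a small model of RFC 6797 header parsing and host matching. The hosts, header values and timestamps are constructed, and Chrome's built-in preload list is not modelled.

```python
import re
from dataclasses import dataclass

@dataclass
class HstsPolicy:
    host: str                 # host that sent the header
    expires: int              # Unix time after which the policy lapses
    include_subdomains: bool

def parse_hsts(header):
    """Return (max_age, include_subdomains), or None if the header is invalid."""
    seen = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:      # a directive may appear only once
            return None
        seen[name] = value.strip().strip('"')
    age = seen.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", age):   # max-age is required
        return None
    return int(age), "includesubdomains" in seen

def remember(store, host, header, now):
    """Update store (dict: host -> HstsPolicy) as a browser notes a valid header."""
    parsed = parse_hsts(header)
    if parsed is None:        # invalid header: existing policy is left alone
        return
    max_age, subs = parsed
    host = host.lower()
    store.pop(host, None)
    if max_age > 0:           # max-age=0 means "forget this host"
        store[host] = HstsPolicy(host, now + max_age, subs)

def covering_policy(store, host, now):
    """Return the unexpired policy that applies to host, most specific first."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        p = store.get(".".join(labels[i:]))
        if p and p.expires > now and (i == 0 or p.include_subdomains):
            return p
    return None

# Constructed sample: the parent domain set the policy, the subdomain is covered.
store = {}
remember(store, "example.test", "max-age=31536000; includeSubDomains", now=1000)
print(covering_policy(store, "docs.example.test", now=2000))
```

In this model the entry that covers docs.example.test is stored under example.test, and a later `max-age=0` header from the site itself is the server-side way to clear it.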
