Learned a cute little trick on github today and figured I’d share in case there are others like me who didn’t know this.
If you are using a chrome/chromium based browser and hit a site with an expired certificate, you can click anywhere in the whitespace of the error page, type “thisisunsafe” (all one word), hit enter, and be brought to the page.
Right now https://nitter.net is having certificate issue so you can test it there.
Anyway, obviously be careful because bypassing a warning about an expired certificate is potentially dangerous.
@abucci@anthony.buc.ci Thanks tip and reminder 👌 I always forget the special keyword to type on those rare occasions you need to bypass the bad/invalid cert. And yes I can confirm nitter.net is having cert issues, I actually confirmed this earlier today but forgot to mention to you…
@abucci@anthony.buc.ci Bypassing a warning about an expired certificate is basically never actually dangerous. I have yet to see a maliciously used expired certificate in the wild.
Unfortunately, I feel that right now the people who decide on how to run PKI are so far removed from the real world and practical concerns, it’s straight up comical. 81% of organizations have had outages caused by expired certificates, something that has almost no real world security benefit. https://betanews.com/2022/03/22/81-percent-of-organizations-have-outages-caused-by-expired-certificates/
@abucci@anthony.buc.ci I literally had to fix an outage this weekend caused by a weird certificate. Not external facing, but the security risk caused by it was nonexistent, and yet, it was implemented as a requirement and caused random unexpected breakage when it expired itself.
@ocdtrekkie@twtxt.net I am part of the 81%.
@lyse@lyse.isobeef.org Damn technology! 😛
@abucci@anthony.buc.ci I think TLS is fine. I think PKI is a crock of garbage, because most participants in PKI are garbage, and Google has complete capture of it and makes decisions that work best for it, and not the real world.
Ultimately what I think should happen for certificate expiration is browsers should soft-warn for like a week or two after expiry, with like a yellow address bar, as opposed to trying to block navigation. The risk of an expired cert just doesn’t justify browser behavior.
@lyse@lyse.isobeef.org We tricked rocks into thinking, and this how they get back at us for it, because thinking is a horrible curse.
and
😅
@abucci@anthony.buc.ci Whether warning before or after the date is somewhat immaterial, except it slides the sysadmin window even narrower, for no good reason. Google’s already aggressively forced everyone to a 12 month deadline. Not everything supports Let’s Encrypt. And so every year we have a window where I have to rush around and update all the certs before the expiration date, but if I start the process too soon, then I am doing it every eleven months, because of that absolute 12 month cap.
And again, there’s nothing inherently less secure about a 13 month old cert than a 12 month old cert. About 99% of certificate behavior is security theater and Google flexing it’s ability to force everyone to do what it says.
@abucci@anthony.buc.ci you can also simply click “advanced” and choose to ignore manually if you don’t remember the keywords.
I’m surprised Firefox doesn’t let you even open it at all, has anyone managed to bypass a failed certificate there?
@abucci@anthony.buc.ci mmh, interesting…