Taming your browser: How to resolve the HSTS site roadblock in Chrome

I genuinely believe web browser designers mean well when it comes to protecting users from harm, but their efforts to do so can sometimes seem a bit overly authoritarian, even ham-handed. Mistakes happen; it’s part of technology, but even the best intentions when it comes to security can prevent you from doing your job.

Case in point: I recently came across this error in Chrome trying to access docs.fedoraproject.org to do some research:

The error ominously stated an attacker might have set up a fake website which is trying to impersonate this website and references Wi-Fi sign-in screen problems. In this case neither of that was true, and my efforts to find some information I needed were stymied.  

The core of the issue is the statement that the website is using HSTS which is HTTP Strict Transport Security. It’s a security implementation and there’s nothing wrong with HSTS, it’s just that the browser may have detected a change in the site URL (such as if the certificate was renewed and perhaps having a problem) or may be simply wrong about it’s concern here, and thus Chrome is trying to protect the user from foul play by blocking all access, like it or not.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

It is annoying when this happens, especially when we know the site is safe and valid. I prefer to be given the option to proceed with a “Hey, we warned you” notification, but in this case you’re at a dead stop when you see this page.

Fortunately, there is a fix beyond using an alternative browser, which is cumbersome and time-consuming.

Before I describe the fix, I should warn you that you should ONLY apply it if you are 100% certain the site is safe. If you’re getting this error with a site you’re visiting for the first time, especially a public-facing website, I’d advise caution. You never want to implement a “fix” that endangers your security for the sake of convenience. 

The site you are trying to reach should be related to business purposes for the scope of this article; I cannot vouch for any recreational or personal-based websites you may encounter featuring this issue, and don’t recommend this fix for those URLs.

In a “first time visit” scenario I would recommend visiting the site from a different browser but not sharing any personal or confidential information and see if there is an announcement about the problem or contact the site owner to ask about the source of the issue. You may be the only one seeing this error due to a local Chrome problem, so in that case it’s probably safe to proceed with the fix.

In this example, I know docs.fedoraproject.org is safe and reliable, and since I only use it to access information—never to share personal or confidential details—it is appropriate to proceed.

In Chrome, access this URL for internal housekeeping:

chrome://net-internals/#hsts

You will see a screen similar to the following:

This is a page to configure how Chrome interacts with HSTS and the related sites. In this case something has gone wrong with the domain security policy related to docs.fedoraproject.org. Perhaps there was a change on their side, perhaps a change in the Chrome configuration, maybe a Windows update munged something, or it could be just a generic bug that struck here, but you can clear the roadblock and proceed by entering your target URL in the Domain: field under “Delete Domain Security Policies.” 

Click Delete, then access the site once more. As you can see below, the operation was a complete success!

Best of the Week Newsletter

Our editors highlight the TechRepublic articles, downloads, and galleries that you cannot miss to stay current on the latest IT news, innovations, and tips.
Fridays

Sign up today

Also see