
Bypass Chromes SSL/certificate blockades Apps
There's something with Chrome (and Firefox as well) that has driven me crazy for some years: when browsing the web via a proxy server while at work I can't access some pages via the HTTPS-protocol.

Chrome and Firefox are showing error messages like this one and this one (sorry, both are in German). Safari just shows a blank page and I'm not able to open that specific web site although I'm sure that this site is not going to harm my computer or myself. For example this problem appears when I try to access my router at home or some other sites having problematic certificates - but they play fine when I'm at home.

Finally I found a solution for the problem.

Unfortunately there's neither a visible setting to set Chrome to warn me but allow the warning to be ignored, nor is that one in about:flags. But you can start Chrome with the flag --ignore-certificate-errors. That's not very comfortable but it works (last tested with Chrome 34).

Assuming Google Chrome is in your Applications folder, go to the Terminal and type the following command:

"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --ignore-certificate-errors &> /dev/null

That will open Chrome as usual but lets you browse any HTTPS site that has a problematic certificate and was blocked before.

I wouldn't do online banking this way; there I would be encouraged when Chrome tells me that there's something wrong with the site.

Maybe not many people will need this hint. I guess these problems only exist in rare circumstances with some proxy servers between your computer and the Internet.

[crarko adds: Yes, this probably is a rare case, although I've seen a lot of weird behavior out of Chrome lately. At first glance this sounded like a firewall/proxy config where the submitter worked, but that must not be where the proxy server is. I assume this only works for the specific session you launch using the command, but I'd make sure before using it. I don't use a proxy so I could not properly test this.]

Bypass Chromes SSL/certificate blockades
Authored by: gboudrea on Jun 13, '14 09:17:46AM

This must be the worst possible hint ever!

"Oh, someone/something down the line between me and some secure website is replacing the site's real SSL certificate with his own. I don't know who or why, but here's how I'll just bypass all the warnings I should receive, and browse in the most insecure way possible. Oh, and hey, you should try it too, if you ever get the same invalid SSL certificate as me, because obviously, making the warning message go away is the right way to fix this issue. Don't try to find the source of the problem..."

*sigh*

Unless you understand how SSL certificates work, you understand why you are receiving these warnings, and can verify that the invalid certificates you're receiving are the right ones, you should never EVER use the --ignore-certificate-errors command-line option. And even then, you should not use it to browse any other websites than the ones you control the SSL certificates of.

Further reading: chromium: Add more security-relevant flags to the bad flags infobar
In particular:
#6 jln@chromium.org
There are indeed a lot of flags that would reduce or annihilate Chrome's security. These flags should not be used by non developers. [...]



Bypass Chromes SSL/certificate blockades
Authored by: leichter on Jun 14, '14 07:05:23AM
I'm with gboudrea on this 100%. This hint describes a way to effectively disable certificate security in Chrome. It's a bad idea to do at all, but beyond that ... it's pretty much guaranteed that you're eventually going to forget you started Chrome with this option and start using it even when you didn't intend to.

There is a better approach, but it requires understanding how SSL and these SSL interceptors work. When you connect to a site using https, it sends you its certificate, which attests that the site really is who it claims to be. Why should you believe that attestation? The certificate is signed by a Certificate Authority (CA). Why do you trust the CA? Your browser or OS comes with a collection of "known, trusted CA's"; if the CA that signed the certificate is not on that list, your browser rejects it. (Think of the certificate as your passport; you can show it to prove you are who you claim. People accept a passport because they are issued by trustworthy governments and are hard to forge. And, yes, just as with certificates and CA's, all of this is "to the degree you are willing to trust".)

CA's sign their own approvals and such - "trusting a CA" means that your browser has an independent copy of that CA's own signing certificate (it knows what that country's passports are supposed to look like). It's those CA certificates that make up the list of "known, trusted CA's".

The way an interceptor works is that it terminates your connection, manufactures a certificate for the site you were trying to go to, acting as a CA (with its own certificate) signs it, and then if your browser accepts it, forwards messages back and forth for you over its own connection to the site you are interested in. Your Chrome, however, will never have heard of the interceptor's CA - what's this country of Transpacifica you claim to be from? - and will reject the certificate.

The reason your coworkers and you don't run into this on employer-provided computers is that your IT organization added the interceptor's CA to the list of trusted CA's before it gave you your work machine. If you want your personal machine to also trust their interceptor, you can do the same. This is a slightly complicated operation and I won't try to go into the details here. For one thing, there's more than one store of such CA's. OSX maintains one that's used by Safari, I think Firefox, and many other tools (like Mail and many third-party products) that use SSL on OSX. Chrome, however, maintains its own store.

---
-- Jerry



Bypass Chromes SSL/certificate blockades
Authored by: emale on Jun 22, '14 01:25:18PM

As said: Happens in rare cases because of our proxy and I don't suggest doing home banking that way!

Nevertheless: That's the only way to access some sites and I definitely hate the way Chrome wants to act as a guardian for me. It can tell me that the connection is untrusted and then I can decide if I want to go further. But blocking access e.g. to my home's router drives me crazy.



DON'T DO THIS!
Authored by: Jaaap on Jun 27, '14 10:03:09AM

If you ignore certificate errors then you might as well not use SSL at all because any man-in-the-middle can craft a fake SSL certificate and your browser will accept it.
Not just for that 1 site you couldn't visit, but for all sites (including your bank).

If you know what you are doing, you might use a self-signed cert for access to devices only you use.



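The trust-store behaviour leichter describes, and the difference between trusting one extra CA and ignoring all certificate errors that Jaaap points out, can be reproduced offline with openssl. This is an added example, not part of the hint or of any comment; the CA names, the host name router.example and the store files are all made up for the demonstration.

```bash
#!/usr/bin/env bash
# Constructed demo: every CA and host name below is made up; keys are throwaway.
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT

# make_ca NAME: create a self-signed CA certificate and key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# issue CA HOST: create a certificate for HOST signed by CA.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$work/$2.$1.key" -out "$work/$2.$1.csr" 2>/dev/null
  openssl x509 -req -in "$work/$2.$1.csr" -days 1 -CAcreateserial \
    -CA "$work/$1.pem" -CAkey "$work/$1.key" -out "$work/$2.$1.crt" 2>/dev/null
}

# trusted STORE CERT: succeeds only if CERT chains to a CA listed in STORE.
# (Signature chain only; hostname matching is a separate check not shown here.)
trusted() { openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; }

verdict() { if trusted "$1" "$2"; then echo accept; else echo REJECT; fi; }

make_ca public-ca        # stands in for a CA the browser ships with
make_ca interceptor-ca   # the employer proxy's signing CA
make_ca rogue-ca         # any other party able to sit in the network path
for ca in public-ca interceptor-ca rogue-ca; do issue "$ca" router.example; done

# Personal machine: built-in list only. Work machine: IT added the proxy's CA.
cp "$work/public-ca.pem" "$work/personal.pem"
cat "$work/public-ca.pem" "$work/interceptor-ca.pem" > "$work/work.pem"

for store in personal work; do
  for ca in public-ca interceptor-ca rogue-ca; do
    printf '%-8s store, certificate signed by %-14s -> %s\n' "$store" "$ca" \
      "$(verdict "$work/$store.pem" "$work/router.example.$ca.crt")"
  done
done
```

With the interceptor's CA added, the rogue-ca certificate is still rejected. --ignore-certificate-errors has no row in this table because it skips the check entirely, so that certificate would be accepted too.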