Chrome's SSL Bypass Cheatcode
43 comments
·July 17, 2025Y_Y
If I want to load some unencrypted data my browser better fucking let me do it. I don't mind if I have to give a secret handshake, but I have no sympathy for lusers who type "thisisunsafe" and then make it someone else's problem when their expectations of "safety" are violated.
AnthonyMouse
We started off with SSL/TLS being used for payments systems and logins where its absence is very important to not ignore. Then we said we should use it for everything, which is good, but now it's showing up in different contexts.
If it says the certificate for your bank is expired, you need to stop. If it says the certificate for the 10 year old public blog post that was linked by a 5 year old Reddit post as describing the solution to your problem, that should not matter, and you just want to read the non-secret contents of whatever is on that page regardless of whether the site's maintainer turned on HTTP to HTTPS redirects and then neglected to renew the certificate.
And people understand this, and people are rightfully going to devise workarounds for the second case, and it's ridiculous to expect them to not.
seanwilson
> We started off with SSL/TLS being used for payments systems and logins ... If it says the certificate for your bank is expired, you need to stop. If it says the certificate for the 10 year old public blog post that was linked by a 5 year old Reddit post as describing the solution to your problem, that should not matter
Non-HTTPS pages can be tampered with to inject any content into them e.g. into a blog post page, you could inject a login form ("sign in via Google to unlock this post"), a donation payment form ("donate for more content like this!"), or malware installers ("your browser is out of date, click to update" banner).
I think pushing to protect non-tech savvy users makes sense here. I see even a lot of developers not understanding risks like the above, so it's a losing battle thinking non-techy users can be educated about it and be cautious enough.
snickerdoodle12
> Non-HTTPS pages can be tampered with to inject any content into them e.g. into a blog post page, you could inject a login form ("sign in via Google to unlock this post"), a donation payment form ("donate for more content like this!"), or malware installers.
Who cares? The blog author could be malicious. The blog might have been sold 5 years ago and now hosts malicious content.
Stop trying to nanny people, it's unbecoming.
Dylan16807
> If it says the certificate for your bank is expired, you need to stop.
No I don't. At least not if it's recent. A certificate that expired in the last month is roughly equal in safety to a certificate that's valid for another month or two.
Expiration is a backup safety measure and the risk is mostly based on how long it's been since the certificate was issued.
Unless any banks are going around leaking keys right after they expire for some weird reason?
yarekt
Err what? That certificate may well have been leaked, but because it expired the bank doesn’t not consider it an issue, no need to revoke it.
Certificate validity is binary. either it all is, or it isn’t. this included “not before”
tptacek
The browser does not know what the web page is, and attacks on genuinely sensitive websites like banks wildly outnumber attacks on 10-year-old public blog posts. Browsers are doing exactly the right thing here.
AnthonyMouse
The certificate error on the 10 year old blog post isn't an attack, it's an old site that still exists but isn't actively maintained, which happens all the time.
alt187
To be fair, you can click Advanced > Continue to something or other to bypass the SSL warning.
I think.
molticrystal
For several types of certificate and ssl issues(HSTS , blacklisted/revoked certificates) that option is hidden and thus unavailble. Chrome can be a stickler, which is understandable as the majority of its users are not prepared to deal with the possible downsides of going to an untrusted page.
So this is where the "cheat code" comes in handy:
https://subdomain.preloaded-hsts.badssl.com/
https://pinning-test.badssl.com/
Then there are those which have no "cheat code" bypass, so you'd have to use some other method:
mrkramer
I remember reading some blog post that badly configured SSL certificate will cause something like 90% of people bouncing off the website because they are scared of the big red Chrome warning. SSL certificate is actually an important UX factor.
toast0
If your browser has information that the site enabled HSTS, the continue option isn't available ... that's what you need the cheat code for.
anonymousiam
100%!
TLS is fragile, and working around it is often necessary. Certs can expire or be revoked (anywhere in the chain) and the renewal process can be bugged. The time on the client (required for confirmation of certificate validity window) could be wrong (either accidentally or deliberately).
Requiring TLS on an inter-LAN connection is mostly useless, and impossible if no Internet gateway is available.
sgjohnson
> Requiring TLS on an inter-LAN connection is mostly useless, and impossible if no Internet gateway is available.
what do you mean?
> Requiring TLS on an inter-LAN connection is mostly useless
there are many ways to intercept inter-LAN traffic, and:
> and impossible if no Internet gateway is available.
DNS validation? Run your own CA and trust it in your intranet?
neurostimulant
They would change the code once it got popular enough so I bookmarked the source code to figure out the current code: https://chromium.googlesource.com/chromium/src/+/refs/heads/...
sigio
I've been using this a lot (when testing), but I wish firefox/mozilla had something equivalent, because with HSTS domains, it's hard to bypass cert issues in firefox.
zzo38computer
In Firefox, I used a hex editor to modify the files so that it does not recognize the headers to set HSTS, and then I changed the file permissions so that the HSTS file cannot be modified, and then I disabled the HSTS preload list.
pupppet
Hey Chrome, give us a cheat code to permanently hide the close buttons on tabs.
tech234a
I've found this useful periodically on desktop but I wonder how/if it would work on mobile if you don't have a physical keyboard attached.
eugenekolo
It's possible they changed it from "thisisunsafe" to the b64 version to avoid automatic scanners finding "unsafe" keyword usage.
_def
I wonder if this is for quicker testing that happens recurringly (either automated or a poor soul doing it manually) where letting the phrase type by script is just easier than doing the 2 mouse clicks
pyrolistical
Is this easier for screen readers to bypass?
almostgotcaught
Jesus Christ thank god for this! Recently libgen ceased to be accessible because of this and I couldn't figure out any way to disable (on Firefox as well!). Bless you.
miloignis
For Firefox, I can normally click Advanced -> Accept Risk and Continue, which I think is about the perfect amount of friction.
chatmasta
Well hopefully the blog doesn’t get too much visibility or they’ll change the string again :)
Sounds like the right place to look is the chromium commit log…
molticrystal
If an explicit keypress sequence becomes unavailable or changes, the script appears to call certificateErrorPageController.proceed(). So here is a bookmarklet that replicates this, add it to the URL field of a bookmark and click the bookmark to run it:
javascript:(function(){if(window.certificateErrorPageController)window.certificateErrorPageController.proceed();})();
giingyui
Hey at least Chrome lets you can bypass SSL errors. Firefox makes it impossible to bypass SSL errors if the site uses HSTS. So much for the browser for power users.
jeroenhd
Firefox sticks to the spec, Chrome makes you type out base64 manually to ignore the spec.
The TLS errors that aren't unbypassible by specification (i.e. HSTS, see https://datatracker.ietf.org/doc/html/rfc6797) can be bypassed on Firefox just fine. It's only the ones where the spec says bypassing the error shouldn't be possible where Firefox takes a hard stance.
Chrome had to alter their bypass string several times because vendors documented the override rather than fixing their insecure crapware. It makes total sense to me that Firefox does the same.
Dylan16807
Being a user agent is more important than any spec.
sugarpimpdorsey
My installation of Firefox defaults to plain HTTP when I type a URL into the address bar. No amount of about:config fiddling seems to turn it off.
It is rubbish software, the developers routinely ignore fixing actual bugs in favor of new features, and I wish we had a better alternative that wasn't married to Google.
giingyui
Software should do what I want it to, not stick to a spec.
zzo38computer
I agree that it should do what you entered. However, it would make sense for the default settings to match the specification, unless the specification is no good (which, in the case of HSTS (and many other things in WWW), I do think the specification is no good).
giancarlostoro
Ah yes, software should leak everyone else's credentials to me because I want it to, forget keeping their information safe and secure, forget the GDRP.
wasmperson
An example for anyone who hasn't seen this before:
It really is unsafe though, even beyond what many who generally understand the web may realize. There are various ways (from caches to more obscure ones) in which loading a web site insecurely once, even if you aren't logged in at that time, can affect you much later when you think you are safe.
If you ever do this, use a separate browser profile or incognito window. Don't use this just to e.g. get to a captive portal (use example.com or neverssl.com for that).
You only need the "cheat code" if the site is using HSTS, which suggests it's the production web site of something that has a reason to try to be secure. If you're in a separate dev envrionment (different origin), you probably won't have HSTS set.
For local development or browser-to-local-app communication, localhost counts as a secure origin even without HTTPS.