We’ve run into trouble recently loading sites lacking SSL (Secure Socket Layer) encryption on our workstations. The issue has been happening using both Google Chrome and Mozilla Firefox. Researching why this was occurring led me to some possible fixes I will address below.
In a nutshell, if you can access a website that starts with https:// then that site should have SSL. Sites that generate an error with https:// but load fine with http:// are sites that do not have SSL installed.
Why do we need SSL?
What SSL actually does is ensure that you have reached the website that you think you have. That is especially important if you are going to use your credit card online. SSL is employed on most online shopping sites and in all banking sites.
The only time SSL might not be critical may be in the case of, let’s say, what I’d call a brochure site. That’s a site that just shares some information about a topic and never asks users to enter any information of any huge importance. Such sites may, for instance, ask for your name and email address for a mail list signup or something of that nature. Such information is fairly innocuous and doesn’t rise to the level of entering your credit card information or social security number and so on.
Note: ALL sites that CharlesWorks builds and hosts on our local Peterborough, NH Linux servers come with FREE SSL (valued between $49 and $250 per year) INCLUDED in your monthly web hosting fee!
Further investigation led me to suspect the issues were related to what are called HSTS (HTTP Strict Transport Security) settings in Chrome and Firefox. HSTS is a web security policy mechanism. It forces web browsers to interact with websites using only secure HTTPS connections (which means never HTTP). HSTS is designed to help prevent protocol downgrade attacks and cookie hijacking. The intimate workings of the protocol are beyond the scope of this article. My goal here is to show you a possible fix.
Dealing with your HSTS Settings
Note that these instructions are mainly useful for developers who were testing HSTS and now need to delete the settings. For a website you do not control, deleting your browser’s local HSTS settings will not help if the website is still serving an HSTS header as your browser will simply save the settings again on each visit/refresh.
If you have determined the error is due to cached HSTS settings, following the instructions below may resolve the error. They did for me.
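To illustrate why a deleted setting comes back, here is an added example (not code from the original article) that classifies what a browser does with a Strict-Transport-Security response header under RFC 6797: "cache" means the policy is saved again on that visit, while a site you control can send max-age=0 to make browsers drop it. The function names and the sample responses are constructed for illustration.

```python
"""Classify how a browser treats a Strict-Transport-Security header (RFC 6797)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a header value; return None when it is invalid and must be ignored."""
    seen = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()           # directive names are case-insensitive
        if not name:
            continue                          # tolerate empty segments such as ";;"
        if name in seen:
            return None                       # a repeated directive invalidates the header
        seen[name] = arg.strip().strip('"')   # max-age may be sent as a quoted string
    age = seen.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        return None                           # max-age is required and must be an integer
    return HstsPolicy(int(age), "includesubdomains" in seen)


def browser_action(scheme: str, header: Optional[str]) -> str:
    """Return 'ignore', 'clear' or 'cache' for one response."""
    if header is None or scheme != "https":
        return "ignore"                       # the header only counts over HTTPS
    policy = parse_hsts(header)
    if policy is None:
        return "ignore"
    return "clear" if policy.max_age == 0 else "cache"


# Constructed sample responses (scheme, header value), not captured traffic.
SAMPLES = [
    ("https", "max-age=31536000; includeSubDomains"),
    ("https", "max-age=0"),
    ("http", "max-age=31536000"),
    ("https", "includeSubDomains"),
]

if __name__ == "__main__":
    for scheme, header in SAMPLES:
        print(f"{scheme:5} {header!r:42} -> {browser_action(scheme, header)}")
```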
How to Delete HSTS Settings in Chrome
In Chrome you may get an error that tells you to reload the page or that the site can’t provide a secure connection. The error is most probably HSTS-related. The following worked for me:
In Chrome, navigate to:
chrome://net-internals/#hsts
You should see Chrome’s user interface for managing your local HSTS settings. Remember, these settings are only on your local machine.
- To confirm the domain’s HSTS settings in Chrome, type the hostname (domain name) into the Query Domain section at the bottom of the page. Then click the Query button. If the Query box returns Found with settings information similar to those shown below, that domain’s HSTS settings are saved in your browser. I used google.com in my example here but you will want to use the domain you are having trouble with (that’s being forced to https://):
Note: this search is very precise. Use just the exact hostname (and/or domain), like www.example.com or example.com, without a protocol (no https:// or http://) or path (the / character after a domain showing which file or folder contained the target material).
- Now type that same hostname (or domain name) into the Delete domain security policies section near the bottom of the page and click the Delete button.
- You should clear your browser’s cache. I usually use CCleaner to accomplish this. If you don’t usually do this, you can check my How to clear your computer’s DNS cache article for some help. I had no luck just using the F5 key with my Windows 10 workstation. I had to clear my browser immediately after deleting the domains giving me trouble before the https:// page I was having trouble viewing would work.
Hopefully at this point your browser will no longer force an HTTPS connection for that site.
Note: depending on the HSTS settings the site yields, you might need to enter the subdomain. For example, the HSTS settings for staging.example.com may be different than example.com, so you may need to repeat the steps.
How to Delete HSTS Settings in Firefox
In Firefox the error page might read something like: “This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.”
There are two different methods for deleting Mozilla Firefox’s HSTS settings. The first might work in most cases – but I’ve also included a manual option I found if needed:
- Close all open tabs in Firefox.
- Open the full History window with the keyboard shortcut Ctrl + Shift + H (Cmd + Shift + H on a Mac system). Use this window or the sidebar for the options to be available.
- Find the site you want to delete the HSTS settings for. You can search for the site at the upper right if needed.
- Right-click the site from the list of items and click Forget About This Site. This should clear the HSTS settings (and other cache data) for that domain.
- Now you should clear your browser’s cache. I usually use CCleaner to accomplish this. If you don’t usually do this, you can check my How to clear your computer’s DNS cache article for some help. I had no luck just using the F5 key with my Windows 10 workstation. I had to do this before the https:// page I was having trouble viewing would work.
- Restart Firefox and visit the site. You should now be able to visit the site over HTTP/broken HTTPS.
If these instructions did not work, you can try the following manual method:
A Manual Method for Firefox
You can try the following method if the above steps do not work.
Locate your Firefox profile folder through your operating system’s file explorer. You can find this folder in Firefox by navigating to:
about:support
About halfway down the page, in the Application Basics section, you’ll see the Profile Folder. Click Open Folder.
Now close Firefox so that the browser does not overwrite any settings we are about to change.
In your Profile folder, find and open the SiteSecurityServiceState.txt file. This is where the cached HSTS and HPKP (Key Pinning, a separate HTTPS mechanism) settings are stored for domains you’ve visited. It may appear very disorganized.
Look for the domain with the HSTS settings you want to clear and delete its entry from the file. Each entry begins with a domain name. Delete the entirety of the entry from the beginning of the desired domain name to the next listed domain. As an alternative, you can rename the existing file from a .txt to a .bak (in order to save the existing file, just in case) and allow Firefox to create an entirely new file on next start up.
Here is an example of a simple HSTS listing:
www.example.com:HSTS 0 17312 1527362896190,1,0
As mentioned, the formatting for this file can be messy. Below is a sample from my profile. Each domain’s settings are shown in a unique color to make separation clear. In this case, part of the settings for the previous domain appears at the beginning in red:
1527363079029,1,0www.example.com:HSTS 0 17312 1527362896190,1,0charlesworks.com:HPKP 0 17312 1492419083217,1,1,8dNiZsueNZmysf3pTkXxDgOzLkjKvI+Nza0ACF5IDwg=X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg=V+J+7lHvE6X0pqGKVqLtxuvk+0f+xowyr3obtq8tbSw=9lBW+k9EF6yyG9413/fPiHhQy5Ok4UI5sBpBTuOaa/U=ipMu2Xu72A086/35thucbjLfrPaSjuw4HIjSWsxqkb8=+5JdLySIa9rS6xJM+2KHN9CatGKln78GjnDpf4WmI3g=MWfCxyqG2b5RBmYFQuLllhQvYZ3mjZghXTRn9BL9q10= api.google.com:HSTS 0 17312 1327362835393,1,1
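The manual edit above can be scripted. The following is an added example, not part of the original article, that removes one host's entries and reports any parent domain whose HSTS entry still covers that host. It assumes one tab-separated entry per line and that the third comma-separated item of the value is the include-subdomains flag; the function names and sample data are constructed for illustration.

```python
"""Remove one host's cached entries from Firefox's SiteSecurityServiceState.txt."""
import os
import shutil


def parse_entry(line):
    """Parse 'host:TYPE score day expiry_ms,state,subdomains[,...]' or return None."""
    fields = line.split()
    if len(fields) != 4 or ":" not in fields[0]:
        return None                          # unrecognized line: keep it untouched
    host, _, kind = fields[0].rpartition(":")
    value = fields[3].split(",")
    if len(value) < 3:
        return None
    # Assumed field meaning: third item of the value is the includeSubdomains flag.
    return {"host": host.lower(), "kind": kind, "subdomains": value[2] == "1"}


def remove_host(text, host):
    """Return (new_text, removed_keys, covering_parents) for one exact hostname."""
    host = host.lower().rstrip(".")
    kept, removed, parents = [], [], []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and entry["host"] == host:
            removed.append(line.split()[0])  # drop HSTS and HPKP entries alike
            continue
        if (entry and entry["kind"] == "HSTS" and entry["subdomains"]
                and host.endswith("." + entry["host"])):
            parents.append(entry["host"])    # parent policy still forces HTTPS
        kept.append(line)
    return "".join(l + "\n" for l in kept), removed, parents


def rewrite_file(path, host):
    """Save a .bak copy, then rewrite the file without host (Firefox must be closed)."""
    shutil.copy2(path, os.path.splitext(path)[0] + ".bak")
    with open(path, encoding="utf-8") as fh:
        new_text, removed, parents = remove_host(fh.read(), host)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return removed, parents


# Constructed sample: tab-separated, one entry per line (reuses values shown above).
SAMPLE = (
    "example.com:HSTS\t0\t17312\t1527362896190,1,1\n"
    "staging.example.com:HSTS\t0\t17312\t1527362896190,1,0\n"
    "www.example.com:HSTS\t0\t17312\t1527362896190,1,0\n"
    "api.google.com:HSTS\t0\t17312\t1327362835393,1,1\n"
)
```

A non-empty list of covering parents means those domains need the same treatment, as the subdomain note in the Chrome section describes.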
How to Delete HSTS Settings in Internet Explorer
To make the changes for Internet Explorer you need to get into your Registry Editor.
- To open Registry Editor on your PC, open the Run box, type regedit and press Enter.
- Now, browse the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\
- On the Edit menu, browse to New and click on Key. Type FEATURE_DISABLE_HSTS and press Enter.
- Click on FEATURE_DISABLE_HSTS.
- Again, on Edit menu, click on New and click on DWORD value.
- Type iexplore.exe for the value.
- Browse the Edit menu and click Modify. In the Value data box, type 1 and click Ok to save the changes.
- Browse the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\
- On the Edit menu, click on New and click Key.
- Now type FEATURE_DISABLE_HSTS and hit Enter.
- Click on FEATURE_DISABLE_HSTS.
- On the Edit menu, browse to New and click on DWORD value, then enter iexplore.exe.
- Again, click on the Edit menu and click Modify.
- In the Value data box, type 1 and click OK.
- Exit from Registry Editor.
Note: Values for the iexplore.exe subkey are 0 and 1. A value of 1 inactivates the feature, and 0 activates the feature.