Google-chrome – How to export settings from chrome://net-internals/#hsts

google-chrome

I recently found that in:

chrome://net-internals/#hsts

I could add domains, and from that point, I can only view the domains through HTTPS! This is similar to the HTTPSEverywhere add-on for Firefox, but without the need for any add-ons!

I have two questions regarding this:

How can I export/import the settings? (The domains that can be only visited via HTTPS)
If the given domain has an invalid cert then how can I still visit it via HTTPS?

Best Answer

First part (where is it stored?)

Here is a partial answer based on my investigation: HSTS information is stored in JSON format in $PROFILE/TransportSecurity, where $PROFILE is wherever Chrome stores such things on your system.

(This is with Chromium version 34.0.1847.116 (Developer Build 260972) Ubuntu 13.10.)

This file appears to cache information on every site you've visited using HTTPS; you can easily identify the ones for which you've enabled specific public key fingerprints via chrome://net-internals/#hsts by looking for non-empty dynamic_spki_hashes.

Unfortunately, the keys of the JSON object are totally opaque (at least to me): they are 32-byte binary strings encoded in base64. Here's an example:

   "xxxx 32 byte base64 encoded string xxxx=": {
      "dynamic_spki_hashes": [ "sha1/oMSnRgDtpy3AvsuajLYHyljudF4=" ],
      "dynamic_spki_hashes_expiry": 1496120402.263232,
      "expiry": 1441256424.39423,
      "mode": "force-https",
      "pkp_include_subdomains": true,
      "pkp_observed": 1409720402.26327,
      "static_spki_hashes": [  ],
      "sts_include_subdomains": true,
      "sts_observed": 1409720424.39423
   },

I'm not sure how to save these TransportSecurity files to copy them to another computer or another profile. I did try copying the whole TransportSecurity file to a new profile directory; however, when starting Chrome with that profile it did not appear to recognize the HSTS information in the TransportSecurity file.

Perhaps someone with greater understand of Chrome internals can help us understand how to not only view but also transfer this information.

Second part (invalid certs)

I think the intent of HSTS is to make it all-but-impossible to override the browser's warning and visit a site with an invalid cert.

That said, if you have some specific really good reason to accept a certificate that Chrome doesn't like, I expect you could override it by adding the public key fingerprint of that cert using chrome://net-internals/#hsts.

Related Solutions

Google-chrome – Chrome complains about HSTS

returns a giant red padlock with a NET::ERR_CERT_DATE_INVALID response

TLS (HTTPS) certificates are valid for a specific time, usually for 1-3 years starting with the moment they were issued. The error message is saying that the website's certificate is not valid for the current date according to your computer's clock.

When that happens for many websites at once & across two different browsers, it's usually because your computer's clock has no clue about what the current date is. E.g. it's possible that it was accidentally set to year 2014, or an old CMOS battery caused it to reset to year 2001.

Check time.is for the current time. (Chrome used to detect such clock misadjustments and show a much clearer error message, but apparently that doesn't always work.)

Google-chrome – How to ignore self-signed certificate error: net::ERR_CERT_AUTHORITY_INVALID with Chrome

This seemed to work:

Download rootsupd.exe
Extract the files using the command rootsupd.exe /c /t:C:\temp\extroot

From C:\temp\extroot, run the following four commands (from an elevated command prompt):

updroots.exe authroots.sst
updroots.exe updroots.sst
updroots.exe -l roots.sst
updroots.exe -d delroots.sst