Firefox HSTS bypass

HSTS is a mechanism that forces browsers to use HTTPS instead of HTTP to connect to a site. The intention is that an attacker cannot downgrade the connection to an insecure version.

However, it might be desirable to undo this enforcement for valid and safe reasons, e.g., during web development and testing. In my case, I needed to override the protection after disabling “Automatically redirect HTTP connection to HTTPS for DSM desktop” in my Synology NAS settings.

While other browsers (Chrome/Edge) provide a way for power users to bypass HSTS for a site, Firefox insists on not offering any means to do so, citing “No User Recourse” from the HSTS RFC. Yet the “solutions” presented by Mozilla employees still allow users to do just that, while also deleting other data and being significantly less secure than bypassing it for a single site…

Non-solutions

There are a few supposed solutions online; however, I consider each one a non-solution:

  1. The official solution is to find the site in Firefox History and select “Forget this site” for it.

    This is a non-solution because it deletes all data related to the site, not just its HSTS state.

  2. Editing SiteSecurityServiceState.txt to remove the HSTS entry for a specific site.

    While this only deletes the HSTS state, this is a non-solution because it no longer works: recent versions of Firefox use a proprietary binary file SiteSecurityServiceState.bin instead.

  3. Deleting SiteSecurityServiceState.bin to remove HSTS entries for all sites.

    This is a non-solution because it deletes HSTS data for other, unrelated sites and unnecessarily gives up the security provided by HSTS. It’s the most insane “solution” of them all.

The solution

  1. Find your Firefox profile path. You can do this as follows:

    1. Navigate to the “URL” about:profiles.
    2. Find your profile from the list. This is likely the one with “This is the profile in use and it cannot be deleted.” under it.
    3. Copy the “Root Directory” or click “Open Directory” after it.

  2. Close Firefox.

  3. Back up the SiteSecurityServiceState.bin file in your Firefox profile path, for example by copying it to SiteSecurityServiceState.bin.bak. This is in case the binary file somehow ends up corrupted when modifying it in the next step.

  4. Open the SiteSecurityServiceState.bin file in a hex editor. I used GHex on Linux.

  5. Use the hex editor’s “Find” feature to find the desired site’s domain from the file.

  6. Replace the Unix timestamp in milliseconds (like 1723280965123) that follows it (there are many NUL/zero bytes in between) with one in the past. I changed it to 1696969696969.

    The file seems to have a similar format to the old SiteSecurityServiceState.txt file, but since it’s in a proprietary binary format, it’s not as simple as deleting a line from it. So the safest way is to just change the HSTS expiry timestamp in-place.

  7. Save the file in the hex editor.

  8. Open Firefox.