Windows 7 Forums

Windows 7: How do I disable HSTS in Firefox ESR?

20 Oct 2016   #1

Windows 7 Home Premium, 64-bit
How do I disable HSTS in Firefox ESR?

I have Firefox ESR 45.4.0 running on a laptop with Windows 7 Enterprise.

Since installing security updates two days ago, Firefox has been unable to access certain sites, most notably Google and YouTube. It complains that the connection is insecure and gives an SEC_ERROR_UNKNOWN_ISSUER error code. There is no option to add an exception. I can still access those websites normally using Internet Explorer.

From what I gather, this is due to HSTS enforcement. I've tried several workarounds, none of which have helped:
  1. Disabled the "Query OCSP responder servers to confirm the current validity of certificates" option
  2. Disabled HSTS by creating a variable test.currentTimeOffsetSeconds with a value of 11491200
  3. Disabled TLS by changing security.tls.version.min to 0
  4. Refreshed Firefox
  5. Imported updated certificates provided by my company
  6. Changed the system time to a date before the issue started occurring (only worked for one site)

I'm sure the solution is very simple, but I can't figure it out for the life of me. Anyone know what I'm doing wrong?

For the record, the problem only occurs when I'm connected to our corporate network. There are no issues if I use any other Wi-Fi connection.

20 Oct 2016   #2

Windows 7 Ultimate x64

Quote: Originally Posted by ixfd64
"Imported updated certificates provided by my company"

Installing a certificate from your company is a common trick to spy on secure connections. Basically it lures the browser into thinking that the company is to be trusted when only the real server should be. This allows the company to view (and modify) every internet activity you do, without the browser warning, effectively removing all the benefits from HTTPS. So, your employer can now know what sites you google for, what videos you watch, and yes, he can steal your bank password too.

Without this certificate, you'll get warnings from the browser informing of the phishing attack, and you can cancel before going further. And from legitimate sites, all your activity will effectively be secured and unreadable by anyone.

A few references on how bad it really is will come in handy:
certificate authority - Is it possible for corporation to intercept and decrypt SSL/TLS traffic? - Information Security Stack Exchange
tls - How bad it is to install another company's root certificate to your server? - Information Security Stack Exchange
tls - If your company/university requires you to install root certificates what protects you from man in the middle attacks? - Information Security Stack Exchange

As for the actual question, the warning is a legitimate risk discovered and should never be ignored. Disabling SSL/TLS will just prevent using sites that use them. HSTS rules that warnings cannot be ignored, as security is of importance, so I don't know if it can be disabled.
But really, you don't want to ignore this problem, as your "secure" connection is being attacked. Accept the warnings and leave those sites now, and if the company is tampering with the internet access, find another access point for a safe one.
20 Oct 2016   #3

Windows 7 Home Premium, 64-bit

Thanks for the warning; I've cleared out the certificates for now.

The strange thing is that the issue is only affecting this one computer. I suppose I could try uninstalling the updates, but our company policy says that we should always have the latest security patches. I'll probably ask the IT folks and see if they have any solutions.

20 Oct 2016   #4

Windows 7 Ultimate x64

No idea why, but it's likely that others have spying certificates already installed (making the browsers trust someone they shouldn't), but this one has a problem with such a certificate and is making the problem evident. Just a guess, I have no elements to know for sure.

I have my doubts on "the IT guys". For one, they are likely the ones that created the problem of putting spying certificates and proxies out there.
Even though they act on orders from someone else, asking your attacker is a bit....... dubious (lacking a better word).
21 Oct 2016   #5

OEM Windows 7 Ult (x64) SP1

Hi, @ixfd64:

I mean no disrespect to you or to @Alejandro85, but making unauthorized changes to a device owned and/or managed by your company probably violates some of the company's security policies and procedures. Attempts to bypass those policies and procedures could land you in hot water.
In some companies, it would be grounds for disciplinary action or even termination.

