How do I disable HSTS in Firefox ESR?

ixfd64

I have Firefox ESR 45.4.0 running on a laptop with Windows 7 Enterprise.

Since installing security updates two days ago, Firefox has been unable to access certain sites, most notably Google and YouTube. It complains that the connection is insecure and gives an SEC_ERROR_UNKNOWN_ISSUER error code. There is no option to add an exception. I can still access those websites normally using Internet Explorer.

From what I gather, this is due to HSTS enforcement. I've tried several workarounds, none of which have helped:

  1. Disabled the "Query OCSP responder servers to confirm the current validity of certificates" option
  2. Disabled HSTS by creating a variable test.currentTimeOffsetSeconds with a value of 11491200
  3. Disabled TLS by changing security.tls.version.min to 0
  4. Refreshed Firefox
  5. Imported updated certificates provided by my company
  6. Changed the system time to a date before the issue started occurring (only worked for one site)

I'm sure the solution is very simple, but I can't figure it out for the life of me. Anyone know what I'm doing wrong?

For the record, the problem only occurs when I'm connected to our corporate network. There are no issues if I use any other Wi-Fi connection.
 

"Imported updated certificates provided by my company"

NEVER, EVER DO THAT!

Installing a certificate from your company is a common trick to spy on secure connections. Basically it lures the browser into thinking that the company is to be trusted when only the real server should be. This allows the company to view (and modify) every internet activity you do, without the browser warning, effectively removing all the benefits from HTTPS. So, your employer can now know what sites you google for, what videos you watch, and yes, he can steal your bank password too.

Without this certificate, you'll get warnings from the browser informing of the phishing attack, and you can cancel before going further. And from legitimate sites, all your activity will effectively be secured and unreadable by anyone.

A few references on how bad it really is will come in handy:
certificate authority - Is it possible for corporation to intercept and decrypt SSL/TLS traffic? - Information Security Stack Exchange
tls - How bad it is to install another company's root certificate to your server? - Information Security Stack Exchange
tls - If your company/university requires you to install root certificates what protects you from man in the middle attacks? - Information Security Stack Exchange

As for the actual question, the warning is a legitimate risk discovered and should never be ignored. Disabling SSL/TLS will just prevent using sites that use them. HSTS rules that warnings cannot be ignored, as security is of importance, so I don't know if it can be disabled.
But really, you don't want to ignore this problem, as your "secure" connection is being attacked. Accept the warnings and leave those sites now, and if the company is tampering with the internet access, find another access point for a safe one.
 

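The "no option to add an exception" behaviour discussed above, written out as logic: this is an added example (not code from the thread or from Firefox) that models the RFC 6797 rules for learning an HSTS policy from a response header and for refusing a click-through on a certificate error. Host names and timestamps are constructed sample values, and the browser's built-in preload list is not modelled.

```javascript
// Simplified model of RFC 6797 user-agent behaviour (not Firefox's code).
// Host names and timestamps used with it are constructed sample values.

// Parse a Strict-Transport-Security value; null means "ignore this header".
function parseHsts(value) {
  let maxAge = null, includeSubDomains = false;
  const seen = new Set();
  for (const part of value.split(";")) {
    const [rawName, ...rest] = part.split("=");
    const name = rawName.trim().toLowerCase();   // directive names are case-insensitive
    if (name === "") continue;                   // empty directive, allowed
    if (seen.has(name)) return null;             // each directive at most once
    seen.add(name);
    if (name === "max-age") {
      const v = rest.join("=").trim().replace(/^"(.*)"$/, "$1");
      if (!/^\d+$/.test(v)) return null;         // value must be digits (may be quoted)
      maxAge = Number(v);
    } else if (name === "includesubdomains") {
      includeSubDomains = true;
    }                                            // unknown directives are ignored
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };  // max-age is required
}

class HstsStore {
  constructor() { this.entries = new Map(); }

  // Section 8.1: only note policy from a response received over error-free TLS.
  note(host, header, nowSec, tlsOk) {
    const policy = parseHsts(header);
    const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
    if (!tlsOk || isIp || policy === null) return;
    if (policy.maxAge === 0) this.entries.delete(host.toLowerCase());
    else this.entries.set(host.toLowerCase(),
      { expires: nowSec + policy.maxAge, sub: policy.includeSubDomains });
  }

  // Section 8.2: exact match, or a parent domain that set includeSubDomains.
  isKnownHstsHost(host, nowSec) {
    const labels = host.toLowerCase().split(".");
    return labels.some((_, i) => {
      const e = this.entries.get(labels.slice(i).join("."));
      return e && e.expires > nowSec && (i === 0 || e.sub);
    });
  }

  // Section 12.1: a certificate error on a Known HSTS Host has no click-through.
  canAddException(host, nowSec) { return !this.isKnownHstsHost(host, nowSec); }
}
```

A header delivered over a connection that itself had a certificate error (`tlsOk` false) is never recorded, so an intercepting proxy with an untrusted certificate cannot set or clear policy this way.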
Thanks for the warning; I've cleared out the certificates for now.

The strange thing is that the issue is only affecting this one computer. I suppose I could try uninstalling the updates, but our company policy says that we should always have the latest security patches. I'll probably ask the IT folks and see if they have any solutions.
 

No idea why, but it's likely that others have spying certificates already installed (making the browsers trust someone they shouldn't), but this one has a problem with such a certificate and is making the problem evident. Just a guess, I have no elements to know for sure.

I have my doubts on "the IT guys". For one, they are likely the ones that created the problem of putting spying certificates and proxies out there :p
Even though they act on orders from someone else, asking your attacker is a bit....... dubious (lacking a better word).
 

Hi, @ixfd64:

I mean no disrespect to you or to @Alejandro85, but making unauthorized changes to a device owned and/or managed by your company probably violates some of the company's security policies and procedures. Attempts to bypass those policies and procedures could land you in hot water.
In some companies, it would be grounds for disciplinary action or even termination.

MM
 
