Wasn't there always a button like “open anyway”?

  • @nromdotcom
    link
    7
    3 years ago

    That’s an HSTS error and not an invalid cert error. You can still ignore invalid cert errors, but HSTS errors per spec should provide no user recourse.

    If you need to access that site via HTTP, presumably there’s a way to clear your HSTS cache, but idk how off the top of my head.

    • Ephera
      link
      7
      edit-2
      3 years ago

      Maybe also an explanation of HSTS: A webpage can enable HSTS, which means that if your browser successfully connects over HTTPS once, then your browser will remember for a time specified by the webpage, e.g. two years, that it can connect to this webpage via HTTPS and will not allow connecting to it via HTTP. Usually, you will couple that with the HTTP webpage redirecting to HTTPS.

      The problem that this solves is that someone could hook into that initial HTTP connection (before it redirects to HTTPS) to redirect you to a faked version of that page, to steal your credentials (a.k.a. phishing).
      When the connection is immediately established via HTTPS, such a man-in-the-middle attack is no longer possible.

      Now, there is still that very first time, when your browser has never connected to a given webpage to find out about the HSTS information. To prevent that from being attackable, there is an HSTS preload list that gets shipped with browsers, which webpage owners can apply for.

      All in all, solid stuff. We’re doing actual security now.
      But yeah, it is rather invasive. When the certificate is invalid, you simply cannot connect to a given webpage anymore without jumping through extra annoying hoops (because the assumption is that then someone is running a MitM attack).
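The behaviour Ephera describes (remember a host after one successful HTTPS visit, honour a site-chosen max-age, ship a preload list, and hard-fail on a bad certificate with no override) can be modelled in a few dozen lines. The following is an added example written for this thread, not code from any browser; it follows the rules of RFC 6797 (header only honoured over HTTPS, max-age=0 forgets the host, includeSubDomains, expiry) with constructed hostnames such as www.example.test and a fake clock so it runs offline.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts_header(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the header
    is malformed (RFC 6797 requires a numeric max-age directive).
    """
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsCache:
    """Minimal model of a browser's HSTS store (constructed for illustration)."""

    def __init__(self, preload=(), now=time.time):
        self._now = now
        # host -> (expiry timestamp or None for preloaded entries, include_subdomains)
        self._entries = {host.lower(): (None, True) for host in preload}

    def record(self, host, header_value, over_https):
        """Store the policy a response carried. Returns True if it was honoured."""
        # The header is ignored on plain HTTP: an attacker on the first hop must
        # not be able to plant (or clear) a policy.
        if not over_https:
            return False
        parsed = parse_hsts_header(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            # max-age=0 is how a site asks clients to forget it.
            self._entries.pop(host, None)
            return True
        self._entries[host] = (self._now() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        """True if host (or a parent domain with includeSubDomains) has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry is not None and expiry <= self._now():
                del self._entries[candidate]  # policy has lapsed
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// when a policy applies, else return it unchanged."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or not self.is_known(host):
            return url
        # An explicit :80 becomes the default https port; any other port is kept.
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def connection_decision(cache, url, cert_valid):
    """What the browser does on a TLS error: an HSTS host gets no click-through."""
    host = urlsplit(url).hostname or ""
    if cert_valid:
        return "connect"
    return "hard-fail" if cache.is_known(host) else "warn-overridable"


if __name__ == "__main__":
    clock = [1000.0]
    cache = HstsCache(preload=["preloaded.example"], now=lambda: clock[0])
    cache.record("www.example.test", "max-age=3600; includeSubDomains", over_https=True)
    print(cache.rewrite("http://www.example.test/login"))
    print(connection_decision(cache, "https://www.example.test/", cert_valid=False))
```

The `connection_decision` function is the point @nromdotcom made above: with a plain certificate error the browser can offer an override, but once a host is in the store the only way back to the warning page is for the policy to expire or be cleared.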

    • @ufrafecy
      link
      5
      edit-2
      3 years ago

      deleted by creator

    • @nutomicOPA
      link
      3
      3 years ago

      Maybe that makes sense for a banking website, but it's really pointless for a read-only Twitter frontend. Luckily, Falkon lets me ignore the warning.