7

Is it possible to prevent users to bypass a certificate warning showed in their browser, and if so, how?

Assuming we have no control on the remote server, and total control on the client computer.

The question relates to the Chrome web browser.

  • Use a browser that allows that level of control to prevent user bypass, and I found GPO settings when I used the Google search term "prevent users to bypass a certificate warning showed in their browser" – schroeder Aug 31 '22 at 16:30
  • @schroeder Chrome is used. Do you know which browsers allow that level of control? If Chrome can be configured through a GPO then this is the solution to work on for me. – user9203881 Aug 31 '22 at 16:38
  • If you can only use Chrome, then that would have been a crucial detail to include. Else, like the online guides explain, you can use Edge. – schroeder Aug 31 '22 at 16:43
  • You're right, I should have included the browser used. Edge can be a last resort solution but it would require some more work to migrate. – user9203881 Aug 31 '22 at 16:53
  • Just to mention: Every single case of a certificate warning I have encountered in my life was legit: Self-signed certificates or accidentally expired ones, or mis-configured server names not covered by an existing certificate. Of course I'm usually in a benign environment (nobody is targeting me or the websites I visit). But my feeling is that such a policy (in normal environments) mostly prevents users from working around genuine mistakes. – Peter - Reinstate Monica Sep 01 '22 at 10:14
  • This seems to be an **XY problem**... – user21820 Sep 01 '22 at 19:53

1 Answer

11

You can use Chrome's Enterprise Management System to set these policies. On Windows, these are typically rolled out via GPO. On MacOS and Linux, there are other mechanisms that can be found on the page I linked.

There are two relevant settings for you: SSLErrorOverrideAllowed and SSLErrorOverrideAllowedForOrigins.

SSLErrorOverrideAllowed can be set either to 1 (enabled, default) or 0 (disabled). When disabled, users are no longer able to bypass warnings (unless they can edit their registry).

SSLErrorOverrideAllowedForOrigins allows you to specify specific origins, for which users would be allowed or disallowed to override errors, instead of just enabling or disabling this functionality in general.

These also work for other webkit-based browsers, such as Chromium and Edge. There may be an equivalent in Firefox too, but I don't have any experience with Enterprise-managed Firefox.

MechMK1

  • For completeness, the Firefox equivalent lives under [`DisableSecurityBypass`](https://github.com/mozilla/policy-templates/blob/master/README.md#disablesecuritybypass) and provides the two policies `InvalidCertificate` and `SafeBrowsing`. `InvalidCertificate` is the relevant one here. – Bob Sep 01 '22 at 01:32
  • This is exactly the way to configure end-user machines to not allow TLS error override, but of course this is for IT admins. For the interested reader, the corollary is that this obviously won't work for the admin of a public TLS server (ie a web site), since you aren't the admin of your visitors' computers. Websites that wish to prevent users from overriding TLS errors should send [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) headers, but this only works after a user has already made a successful request to your site in the past, and relies on the browser remembering. – josh3736 Sep 01 '22 at 01:35
  • @Josh Interesting, I wasn't aware of that part of the protocol, but you're right: [12.1 no user recourse](https://www.rfc-editor.org/rfc/rfc6797#section-12.1). – Voo Sep 01 '22 at 07:58
  • True enforcement is hard though: Users can simply use a different browser (e.g. one they bring on their USB stick; sure, you may try to plug that hole as well). – Peter - Reinstate Monica Sep 01 '22 at 09:09
  • @Peter-ReinstateMonica even easier in Firefox, a new profile – Chris H Sep 01 '22 at 10:09
  • @Voo Yes, you're right. I assumed that it was a corporate environment and that by "users", he referred to "employees of our company". HSTS is indeed the way to go. But even that can be bypassed in Chrome by typing `thisisunsafe` into the error page. – MechMK1 Sep 01 '22 at 10:18
  • @Peter-ReinstateMonica You cannot truly enforce it. For instance, Webkit-based browsers allow you to type `thisisunsafe` on the error page to ignore the warning, even in situations where no user recourse should be possible (e.g. the host uses HSTS). Even on very hardened hosts (executable whitelists, no USB access, etc.), determined users will likely be able to find a way to bypass this restriction. But it's still useful to set this, to prevent a large part of users from acting unsafely. – MechMK1 Sep 01 '22 at 10:21
  • @MechMK1 Oh your answer's exactly what I'd do too. I was just surprised that the HSTS standard actually explicitly specified that the user has no recourse in this situation. I usually expect there a way for the user to override such exceptions (which I guess Chrome allows contrary to the specification). Makes sense though for the vast, vast majority of users. People shouldn't ignore invalid certificates. – Voo Sep 01 '22 at 11:03
  • @Voo It's not just Chrome - Chromium, Edge and other webkit browsers do it as well. This behavior is intended for debugging purposes, but tech mags have portrayed this as "a neat way to bypass pesky errors", which is...not what it's meant to do. – MechMK1 Sep 01 '22 at 11:47
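The two policies from the accepted answer applied at machine level on Windows, as an added example that is not the answer author's code: the script writes SSLErrorOverrideAllowed and SSLErrorOverrideAllowedForOrigins under the registry key Chrome's policy templates use, then reads them back. The origin `https://intranet.example.internal` is a constructed placeholder.

```powershell
# Added example, not from the answer: write the two Chrome policies as
# machine-level registry policy values (the location Chrome's GPO template
# writes to) and read them back. Run from an elevated prompt.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$ListKey   = Join-Path $PolicyKey 'SSLErrorOverrideAllowedForOrigins'

function Set-ChromeSslOverridePolicy {
    param(
        [bool]$AllowOverride = $false,
        [string[]]$AllowedOrigins = @()
    )
    New-Item -Path $PolicyKey -Force | Out-Null
    # Boolean policies are REG_DWORD: 0 = disabled, 1 = enabled (the default).
    Set-ItemProperty -Path $PolicyKey -Name 'SSLErrorOverrideAllowed' `
        -Value ([int]$AllowOverride) -Type DWord

    # List policies live in a subkey holding REG_SZ values named "1", "2", ...
    # Recreate the subkey so entries from an earlier run do not linger.
    if (Test-Path $ListKey) { Remove-Item -Path $ListKey -Recurse }
    if ($AllowedOrigins.Count -gt 0) {
        New-Item -Path $ListKey -Force | Out-Null
        $i = 1
        foreach ($origin in $AllowedOrigins) {
            Set-ItemProperty -Path $ListKey -Name "$i" -Value $origin -Type String
            $i++
        }
    }
}

function Get-ChromeSslOverridePolicy {
    # Read back what Chrome will see; compare with chrome://policy after a restart.
    $props   = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $origins = @()
    if (Test-Path $ListKey) {
        $origins = (Get-ItemProperty -Path $ListKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            Sort-Object { [int]$_.Name } |
            ForEach-Object { $_.Value }
    }
    [pscustomobject]@{
        SSLErrorOverrideAllowed           = $props.SSLErrorOverrideAllowed
        SSLErrorOverrideAllowedForOrigins = @($origins)
    }
}

# Block the bypass everywhere except one internal host (constructed example origin).
Set-ChromeSslOverridePolicy -AllowOverride $false `
    -AllowedOrigins @('https://intranet.example.internal')
Get-ChromeSslOverridePolicy
```

Values under HKLM\SOFTWARE\Policies appear as mandatory machine policies at chrome://policy; a GPO targeting the same key is the fleet-scale way to deploy them.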