Chrome Browser Crypto Bypass

If you’ve ever done any testing using Chrome (or other browsers, but I’m looking at Chrome specifically for this post), it’s likely you’ve run into issues with encrypted communications (HTTPS).

In the past, when Chrome runs into something it considers unsafe (for example, a mismatched name on the certificate, or cipher suites it doesn’t like), you’d get an error message with a button on it that you could click. After clicking the button, you would see an explanation of why Chrome thinks things are wonky and unsafe, but there would be a link that would allow you to continue on to the site if you really wanted to.

That behavior has recently changed. Now, when Google thinks the connection is unsafe, it just flat out refuses to let you proceed. I think the theory behind this is that preventing unaware folks from putting themselves into danger seems like a good idea. The problem is, there is now no way for folks that know what they are doing to access content that they may wish to (as shown in the screenshot below).

I’m a big fan of allowing free choice (philosophically, politically, and certainly technically). As such, I hate it when I am not given a choice to do something I want to do, because somewhere someone decided they knew better.

This particular problem comes up frequently in app dev and pen testing. Often, in either of these scenarios, accessing a site that does not have the ideal security set is desired (for example, when intercepting traffic between the browser and the server to debug a problem, or to perform security testing).

It turns out, there’s a (very un-obvious) way to get around this error message. Here’s how to do it:

  1. Open the browser, and go to the URL you’re trying to access
  2. When you get the error message, simply click in the page body somewhere
  3. Type the following: thisisunsafe
  4. The page will now load

This has been a lifesaver for me, while testing, so I figured I’d share (and document it) here.