The other day, I was conducting a penetration test of a client’s software and ran into the following errors:
The certificate is not trusted because the issuer certificate is unknown.
(Error code: sec_error_unknown_issuer)
I use the popular Burp Suite application to conduct penetration tests. Burp acts as an intercepting proxy, sitting in-between my browser and the customer’s remote website, intercepting requests and responses, allowing me to tamper with them. Burp allows you to conduct, in effect, man-in-the-middle attacks against yourself.
Unfortunately for us, our client had HTTP Strict Transport Security (“HSTS”) turned on, stopping me in my tracks.
When your browser encounters an untrusted X509 certificate, the default response is to warn the user but to grant the option of proceeding anyway. While this is good from a usability standpoint, this does not make for great security. Setting the HSTS header, along with requiring subsequent connections to the site to use SSL, denies the user the option to easily establish such an exception. This is the right way to go security-wise, but I needed a way of getting around this.
Although there are several possibilities, there is a straightforward and easy way to handle this in Chrome. Chrome has a command line switch — “ignore-certificate-errors” — the use of which is officially discouraged, but got me over the hump.
Let’s make this clear — you don’t want to use this when you run into cert errors during casual browsing, but if you’re pentesting, have at it.
Here’s how to call chrome using the switch from the three most popular platforms:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ignore-certificate-errors
/Applications/Google Chrome.app/Contents/MacOS/Google Chrome --ignore-certificate-errors
Linux (-user-data-dir switch also needed if running as root):
/usr/bin/chromium -user-data-dir %U --ignore-certificate-errors